Thursday, June 8, 2023


Important Note: All of the findings listed here were previously reported to the manufacturer of the software.

As part of the responsible disclosure policy, we waited for a response of the manufacturer (confirming the vulnerability, issuing a patch, or accepting that they won't solve the finding) before sharing this post.


Introduction

During a penetration test performed for a security company I identified several findings affecting the popular Thruk Monitoring Web Interface. After analyzing the GitHub repository and running some tests on the target environment, I was able to confirm and exploit the vulnerabilities, and then I reported these issues to the manufacturer.


Summary

The file panorama.pm is vulnerable to a Path Traversal vulnerability which allows a remote authenticated attacker to upload arbitrary files to any folder on the affected system that the application's user can write to. This vulnerability affects all versions of Thruk up to and including the recently published 3.06, released on May 24, 2023.


Details

The parameter "location" is not filtered, validated or sanitized and it accepts any kind of characters. For a path traversal attack, the only characters required were the dot (.) and the slash (/).

This was verified by analyzing in detail the GitHub repository and the source files.

In this step, the location is received from the parameters sent by the client through the web request and there is no sanitization at all.

Then, the variable folder is constructed by basic string concatenation without any sanitization.

Next, the folder variable is concatenated with the filename and its result is stored in the newlocation variable, again no sanitization at all.

Finally, here the uploaded file is moved to the desired folder.


Through this flow, it is easy to see that due to the lack of sanitization we can manipulate the location parameter and exploit a Path Traversal vulnerability to upload a file to any folder we want.
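The flaw described above comes down to concatenating a client-supplied path and never checking where the result lands. The following Python snippet is an added example, not code from Thruk (which is written in Perl): it places the unchecked concatenation next to a hardened version that validates the location parameter and confirms the final path is still inside the upload directory. The root directory, the extension list and the function names are my own assumptions.

```python
import posixpath

# Hypothetical locations; the real Thruk paths are not needed to show the check.
UPLOAD_ROOT = "/var/lib/thruk/panorama"
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}


def unsafe_destination(location, filename):
    """Mirror of the flawed flow described above: folder = root + location,
    newlocation = folder + filename, nothing validated on the way."""
    folder = UPLOAD_ROOT + "/" + location
    return folder + filename


def escapes_root(path):
    """True when the normalised path is no longer inside UPLOAD_ROOT."""
    normalised = posixpath.normpath(path)
    return posixpath.commonpath([UPLOAD_ROOT, normalised]) != UPLOAD_ROOT


def safe_destination(location, filename):
    """Return an absolute destination inside UPLOAD_ROOT, or raise ValueError."""
    # 1. The filename must be a bare name with an allowed image extension.
    if (filename in ("", ".", "..") or "\0" in filename
            or filename != posixpath.basename(filename)):
        raise ValueError("invalid filename")
    if posixpath.splitext(filename)[1].lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    # 2. Reject traversal segments and odd separators in the client-controlled
    #    location *before* any concatenation happens.
    segments = [s for s in location.split("/") if s]
    if any(s in (".", "..") or "\\" in s or "\0" in s for s in segments):
        raise ValueError("traversal attempt in location")
    # 3. Defence in depth: normalise the joined path and confirm it is still
    #    under the root, so anything the segment filter missed is caught here.
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, *segments, filename))
    if escapes_root(candidate):
        raise ValueError("destination outside upload root")
    return candidate


if __name__ == "__main__":
    for loc in ("backgrounds/", "backgrounds/../../../../tmp/"):
        raw = unsafe_destination(loc, "wallpaper.png")
        print("unsafe:", raw, "-> escapes root:", escapes_root(raw))
        try:
            print("safe:  ", safe_destination(loc, "wallpaper.png"))
        except ValueError as err:
            print("safe:   rejected (%s)" % err)
```

posixpath.normpath works on the string only and does not follow symlinks; in a real upload handler the containment check should be done on the resolved path (os.path.realpath against the real directory) so a symlinked sub-folder cannot point outside the root. The same containment idea applies in Perl; the language is not the point, the check before the move is.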


Proof of Concept (PoC)

  1. Go to the form where we can upload an image that will be used as background for a Dashboard.
  2. Select any file with the allowed extensions and intercept the request with Burp Suite.
  3. Modify the location parameter which is the backgrounds/ string and replace it with something like backgrounds/../../../../tmp/
  4. You will receive a message that the file was uploaded successfully.
  5. Check your /tmp/ folder and verify the presence of the file.
As part of the PoC, I decided to include the following screenshots.

Normal Case

In this first screenshot I included the normal request where a file will be uploaded to a folder where the current user does not have any write permissions, and I received an error message.


Path Traversal Exploitation

In this second screenshot I included the manipulated request, where the path traversal vulnerability is exploited to upload the file to the /tmp/ folder; as you can see, I received a success message.


CVSS

The NIST NVD assigned a CVSS 3.1 Score of 8.8 (High) to this vulnerability.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

The CNA GitHub, Inc. assigned a CVSS 3.1 Score of 6.5 (Medium) to this vulnerability.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Check NIST NVD for further details.

Impact

A Path Traversal vulnerability allows an attacker to upload arbitrary files to the server. The attacker can overwrite existing files on the system and cause a defacement (replacing legitimate images on the web server) or simply can upload random files to fill the disk completely and affect the availability and correct status of the platform.

It is well known that a Path Traversal Vulnerability in certain cases can allow an attacker to upload a webshell and gain Remote Code Execution (RCE) on the affected host, which could lead to a Complete System Takeover.

This vulnerability affects all versions of Thruk up to and including 3.06, which was published 15 days ago, on May 24, 2023; the impact is therefore broad, as this issue affects every Thruk instance around the world.

This was reported through a Security Advisory via GitHub. You can find the security advisory report and other useful references in the following links:

  1. https://github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h
  2. https://github.com/galoget/Thruk-CVE-2023-34096
  3. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34096
  4. https://www.exploit-db.com/exploits/51509
  5. https://packetstormsecurity.com/files/172822/Thruk-Monitoring-Web-Interface-3.06-Path-Traversal.html
  6. https://nvd.nist.gov/vuln/detail/CVE-2023-34096
  7. https://cve.report/CVE-2023-34096
  8. https://vulmon.com/vulnerabilitydetails?qid=CVE-2023-34096&scoretype=cvssv3
  9. https://vuldb.com/?id.231110
  10. https://twitter.com/CVEnew/status/1666897976894054415
  11. https://www.thruk.org/changelog.html#_v3-062

Vulnerability Summary

  • Assigned CVE: CVE-2023-34096
  • CVE Author: Galoget Latorre (@galoget)
  • Severity (NIST): 8.8 High
  • Severity (GitHub): 6.5 Medium
  • Type: Path Traversal
  • Product: Thruk Monitoring Web Interface
  • Affected Versions: All versions <= 3.06
  • Patched Version: 3.06-2

Timeline

  • 2023-05-25: This vulnerability was identified by Galoget Latorre.
  • 2023-06-02: Initial contact with maintainer via GitHub Security Advisory including vulnerability details and Proof of Concept (PoC).
  • 2023-06-05: CVE-2023-34096 is assigned. 
  • 2023-06-06: Maintainer releases a patch with version 3.06-2, see Thruk's Changelog.
  • 2023-06-08: GitHub Security Advisory is released by maintainer.
  • 2023-06-08: Security advisory (this blog post) is released by Galoget Latorre.
  • 2023-06-08: Exploit PoC is released by Galoget Latorre.
  • 2023-06-09: Exploit PoC is shared by Exploit Database (Exploit-DB).
  • 2023-06-09: Exploit PoC is shared by Packet Storm Security.

Credits

This security vulnerability was identified by Galoget Latorre, Security Consultant (Pentester) at Hackem Cybersecurity Research Group and Dreamlab Technologies.

Monday, January 8, 2018



Recently on Security StackExchange, I saw a lot of people asking how to use THC Hydra properly for password cracking, so in this post I'm going to explain how to install the command line utility, and also how to install the graphical user interface (GUI) for it. Then you can find step by step instructions on how to use this tool properly against an http-form-post that simulates the login form of a corporate website. Hope you enjoy this post as much as I did when I was writing it.

Monday, December 4, 2017


A few days ago, we received an invitation to the BlitzCTF001, a very short and fast cybersecurity CTF. The challenges contained in this CTF cover: Crypto (Encoding), SQLi, Broken Access Control, Session Manipulation and Steganography.

In our opinion, the challenges are interesting and entertaining, especially to learn about web application security, so we decided to share the solutions (just in case that you got stuck in some level), hope you like and enjoy them as we did.

Friday, January 3, 2014


A password (commonly known as passwd in Linux) is an unspaced sequence of characters used to determine that a computer user requesting access to a computer system is really that particular user. Typically, users of a multiuser or securely protected single-user system claim a unique name (called a user ID) that can be generally known. In order to verify that someone entering that user ID really is that person, a second identification, the password, known only to that person and to the system itself, is entered by the user. Most networks require that end users change their passwords on a periodic basis.
passwd command

The passwd command is used to create and change the password of a user account. A normal user can run passwd to change their own password, and a system administrator (the superuser ROOT) can use passwd to change another user’s password, or define how that account’s password can be used or changed.

PASSWD SYNTAX
passwd [OPTION] [USER]
Usage: passwd [OPTION...] <accountName>
-k, --keep-tokens     keep non-expired authentication tokens
-d, --delete          delete the password for the named account (root only)
-l, --lock            lock the named account (root only)
-u, --unlock          unlock the named account (root only)
-f, --force           force operation
-x, --maximum=DAYS    maximum password lifetime (root only)
-n, --minimum=DAYS    minimum password lifetime (root only)
-w, --warning=DAYS    number of days of warning users receive before password expiration (root only)
-i, --inactive=DAYS   number of days after password expiration when an account becomes disabled (root only)
-S, --status          report password status on the named account (root only)
--stdin               read new tokens from stdin (root only)
Change the password for Normal user
When you are logged in as a non-root user (user1 in my case) and run the passwd command, it changes the password of the logged-in user.
[user1@localhost ~]$ passwd
Changing password for user user1.
Changing password for user1.
(current) UNIX password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
When you are logged in as root and run the passwd command, it changes the root password by default; if you specify a user name after the passwd command, it changes the password of that particular user instead.

Display Password Status Information
To display the password status information of a user, use the -S option of the passwd command.
[root@localhost ~]# passwd -S user1
user1 PS 2016-04-21 0 99999 7 -1 (Password set, SHA512 crypt.)
In the above output the first field is the user name and the second field is the password status (PS = password set, LK = password locked, NP = no password). The third field is the date of the last password change, and the remaining four fields are the minimum age, maximum age, warning period and inactivity period of the password, in days.

We can display the password status information for all users at once by using the option -Sa (that is, -S together with -a).
root@localhost:~# passwd -Sa
Removing Password of a User
We can remove the password of a particular user with the -d option.
[root@localhost ~]# passwd -d user1
Removing password for user user1.
passwd: Success
[root@localhost ~]#
Lock the password of System User
Use the -l option of the passwd command to lock a user's password; it adds a "!" at the beginning of the user's password hash. A user cannot change their password while it is locked.
[root@localhost ~]# passwd -l user1
Locking password for user user1.
passwd: Success
Unlock User’s Password using -u option
Use the -u option to unlock user accounts that were locked with passwd -l.
[root@localhost ~]# passwd -u user1
Unlocking password for user user1.
passwd: Success
Setting inactive days using -i option
Use the -i option with the passwd command to set the inactivity period for a system user. This comes into play when the user's password has expired and the user has not changed it within n days (7 days in my case): after that the user will no longer be able to log in.
[root@localhost ~]# passwd -i 7 user1
Adjusting aging data for user user1.
passwd: Success
[root@localhost ~]# passwd -S user1
user1 PS 2016-04-21 0 99999 7 7 (Password set, SHA512 crypt.)
[root@localhost ~]#
Setting Minimum No.of Days to Change Password using passwd -n option
Using the -n option with the passwd command we can set the minimum number of days between password changes. A value of zero means that the user can change their password at any time.
[root@localhost ~]# passwd -n 90 user1
Adjusting aging data for user user1.
passwd: Success
[root@localhost ~]# passwd -S user1
user1 PS 2016-04-21 90 99999 7 7 (Password set, SHA512 crypt.)
[root@localhost ~]#

Setting the Warning days before password expire using passwd -w option

The -w option of passwd sets the number of warning days before the password expires.
[root@localhost ~]# passwd -w 30 user1
Adjusting aging data for user user1.
passwd: Success
[root@localhost ~]# chage -l user1
Last password change                                    : Apr 21, 2016
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 90
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 30
[root@localhost ~]#
Source: Unixmen
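The status line format explained above (name, status, last change, minimum age, maximum age, warning period, inactivity period) is easy to audit across all accounts once parsed. The following Python script is an added example, not from Unixmen or from this post: it parses passwd -S output, computes the password age and flags accounts with no password, no expiry, an expired password or no inactivity lockout. The account lines are constructed sample data in the format shown above, and the finding codes are my own choice.

```python
from datetime import date, datetime

# Constructed sample of `passwd -S -a` output (not real accounts).
SAMPLE_STATUS = """\
user1 PS 2016-04-21 0 99999 7 -1 (Password set, SHA512 crypt.)
svc NP 2016-01-10 0 99999 7 -1 (Empty password.)
olduser LK 2015-02-01 0 90 7 -1 (Password locked.)
admin PS 2016-03-01 1 90 14 7 (Password set, SHA512 crypt.)
"""

NO_EXPIRY = 99999  # the default "maximum" value that effectively disables ageing


def parse_status_line(line):
    """Split one `passwd -S` line into its seven fields; the trailing
    parenthesised note, when present, is kept as 'note'."""
    parts = line.split(None, 7)
    if len(parts) < 7:
        raise ValueError("unexpected passwd -S line: %r" % line)
    name, status, changed, mn, mx, warn, inactive = parts[:7]
    note = parts[7] if len(parts) == 8 else ""
    last_change = None
    for fmt in ("%Y-%m-%d", "%m/%d/%Y"):  # RHEL-style date, then Debian-style
        try:
            last_change = datetime.strptime(changed, fmt).date()
            break
        except ValueError:
            continue
    if last_change is None:
        raise ValueError("unrecognised date: %r" % changed)
    return {"name": name, "status": status, "last_change": last_change,
            "min": int(mn), "max": int(mx), "warn": int(warn),
            "inactive": int(inactive), "note": note.strip("()")}


def audit(output, today):
    """Return {account: set of finding codes} for a block of `passwd -S -a`
    output. `today` is a date or an ISO 'YYYY-MM-DD' string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        rec = parse_status_line(line)
        codes = set()
        if rec["status"] == "NP":
            codes.add("no-password")        # account reachable without a password
        if rec["status"] == "LK":
            codes.add("locked")             # informational
        if rec["max"] >= NO_EXPIRY:
            codes.add("never-expires")      # ageing is effectively off
        elif (today - rec["last_change"]).days > rec["max"]:
            codes.add("expired")            # older than the maximum age
        if rec["inactive"] < 0 and rec["max"] < NO_EXPIRY:
            codes.add("no-inactivity-lockout")  # expired password never disables login
        findings[rec["name"]] = codes
    return findings


if __name__ == "__main__":
    for name, codes in audit(SAMPLE_STATUS, date.today()).items():
        print("%-8s %s" % (name, ", ".join(sorted(codes)) or "ok"))
```

On a live system the input would come from passwd -S -a run as root. Note that the status codes and date format vary between distributions (the page shows the RHEL-style output; Debian prints a different date layout and shorter status codes), so the parser accepts both date layouts but keeps the PS/LK/NP codes shown above.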

Sunday, November 3, 2013

In this post I am going to talk about a new tool: "Adobe Malware Classifier", this is a command-line tool that lets antivirus analysts, IT administrators, and security researchers quickly and easily determine if a binary file contains malware, so they can develop malware detection signatures faster, reducing the time in which users' systems are vulnerable.

Thursday, October 3, 2013

Nowadays a common problem for many companies is the Distributed Denial of Service Attack (DDoS), so this post explains what a DDoS is and a possible solution for it.

Distributed Denial of Service (DDoS):
In computing, this attack is an attempt to make a machine (usually a web server) or a network resource unavailable to its intended users. The reasons for this attack may vary, but it generally consists of efforts to temporarily or indefinitely interrupt or suspend the services of a host connected to the Internet; a visual explanation is shown in Figure 1.

Tuesday, September 3, 2013

Figure 1: New Search Engine in Development
Scenario:
A piece of malicious code gained access to a small company of web developers, who are working on building a new search engine that will compete on the market. Figure 1 shows a screenshot of the new project.

To verify the functionalities of this new search engine, we are going to make some tests. First, we will enter the word "trololo" to see the results. The server response to the request mentioned above is:
Figure 2: Search results for trololo of the new project

As you can see, this modest search engine is not ready to compete in the market, since the database is still very small, and only responds to keywords like "facebook" or "trololo":

Figure 3: Search results for facebook of the new project

Because the database is so poor, the developer has decided to redirect searches to another popular search engine when no results are found. For example, let's try it with the word "nirvana", which is not found in the database of the new project:

Figure 4: Nirvana Search in the new project

The search is redirected to another search engine and the result can be seen below:

Figure 5: Nirvana Search Results on Bing

As you can see, the previous action aims to continue loading the database based on the response of the other search engines. Broadly speaking, we can understand how the server works.

The problem seems to be that this company has an internal attacker, who was devoted to analyzing vulnerabilities in the search engine, even knowing that it was an alpha version. Additionally, remember that there is a malware that is actively reporting all traffic from the internal network to the outside, thereby leaking sensitive information.

A capture of the final traffic sent by the malware can be downloaded here.
Finally, after four days, the server was found in the following state:

Figure 6: Defacement of the search engine

Your job will be to determine whether this is an external attack executed by the malware author who infiltrated the systems, or an internal attack. To accomplish this objective you will have to examine the available capture and see whether you can obtain the password of the administrator of that site. If it is possible, what is the password?

Note: In case you find irrefutable proof of his innocence, leave a comment and then develop a small tutorial, demonstrating the accuracy of the analysis. Apparently, only the root user had permissions to modify the files in the web.

Solution:
First, we need a tool to open the file; you can download Wireshark for this purpose. After that, we need to find something unusual in the traffic. As shown in Figure 7, there is an access to an FTP server where a file named data-intrusion.rar was downloaded:

Figure 7: FTP Server Access on Wireshark

In order to get a better view of this traffic we can use the option "Follow TCP Stream", let's see the results:
Figure 8: "Follow TCP Stream" of FTP Server

With this information we can see the credentials that were used to access the server and the file that was downloaded. Next we are going to reassemble the file and see what it contains:

Figure 9: This Image shows the transfer of "data-intrusion.rar"

And the next Figure shows the "Follow TCP Stream" of the RAR File in Raw:

Figure 10: "Follow TCP Stream" of "data-intrusion.rar" in Raw

This stream can be reassembled by pressing "Save as", then name it as you want, but don't forget the ".rar" extension:
Figure 11: "data-intrusion.rar" contains access.log

In the file "access.log" we can see all the requests made to the server, and an interesting thing is that the server was attacked by an automated tool that injects SQL statements.

Figure 12: SQLi requests by an automated tool (sqlmap)

In this case, the log file shows the requests in URL-encoded form; to learn more about this, please follow this link: HTML URL Encoding Reference.
So we need to decode them in order to make them easier to understand; you can use any tool for that purpose (I used a web app):

Figure 13: SQLi requests decoded (Easier to understand).

Example of one of the requests found in the log file:
"GET /search.php?q=facebook' AND ORD(MID((SELECT IFNULL(CAST(user AS CHAR),0x20) FROM challenge.users ORDER BY id LIMIT 1,1),5,1)) > 116 AND 'zJfx'='zJfx HTTP/1.1" 302 622 "-" "sqlmap/1.0-dev (1bae9955b7) (http://www.sqlmap.org)"

We can see that the tool (sqlmap) made a series of requests with the objective of dumping the database. The tool uses the keyword "facebook", which returns a 200 code when the injected condition is true (a false condition triggers the redirect seen above), and in this way the attacker can dump sensitive information. To verify this, we can write a script that shows the results of the requests:

Figure 14: Script to extract useful information from access.log

In Figure 14, we can see the users & passwords that were extracted by the attacker, the last 2 lines are md5 hashes that can easily be cracked.
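As an added illustration of the analysis behind Figure 14 (my own code, not the script from the original post), the following Python reads Apache-style access log lines, URL-decodes the query string, picks out the boolean-based probes of the exact form quoted above, and reconstructs the values the attacker extracted from the true/false responses. The log lines are constructed sample data in the same shape (plus the one request quoted from the log above); the status-code mapping (200 = condition true, 302 = redirect, condition false) follows the write-up.

```python
import re
from urllib.parse import quote, unquote

# Response codes as the write-up describes them: a TRUE condition keeps the
# "facebook" results (200), a FALSE one falls through to the redirect (302).
TRUE_STATUS, FALSE_STATUS = 200, 302

LINE_RE = re.compile(r'"GET (?P<path>.+?) HTTP/[\d.]+" (?P<status>\d{3}) ')
QUERY_RE = re.compile(
    r"SELECT IFNULL\(CAST\((?P<col>\w+) AS CHAR\),0x20\) FROM (?P<table>[\w.]+) "
    r"ORDER BY id LIMIT (?P<row>\d+),1\),(?P<pos>\d+),1\)\) > (?P<thr>\d+)"
)


def parse_line(line):
    """Return (table, column, row, position, threshold, status) for one
    boolean-based probe in the shape seen in the log, or None otherwise."""
    m = LINE_RE.search(line)
    if not m:
        return None
    q = QUERY_RE.search(unquote(m.group("path")))  # works on raw or decoded lines
    if not q:
        return None
    return (q.group("table"), q.group("col"), int(q.group("row")),
            int(q.group("pos")), int(q.group("thr")), int(m.group("status")))


def reconstruct(lines):
    """Replay the bisection from the server side: each TRUE answer raises the
    lower bound of the byte at that position, each FALSE answer lowers the
    upper bound. A position whose bounds never close is reported as '?'."""
    bounds = {}  # (table, col, row) -> {pos: [lo, hi]} meaning lo < byte <= hi
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        table, col, row, pos, thr, status = parsed
        lo_hi = bounds.setdefault((table, col, row), {}).setdefault(pos, [0, 255])
        if status == TRUE_STATUS:
            lo_hi[0] = max(lo_hi[0], thr)
        elif status == FALSE_STATUS:
            lo_hi[1] = min(lo_hi[1], thr)
    recovered = {}
    for key, positions in bounds.items():
        recovered[key] = "".join(
            chr(hi) if hi == lo + 1 else "?"
            for lo, hi in (positions[p] for p in sorted(positions)))
    return recovered


# --- constructed sample data (not the challenge capture) ----------------------
def make_probe_line(row, pos, thr, status):
    """Build one access.log line in the raw (URL-encoded) form sqlmap leaves."""
    payload = ("facebook' AND ORD(MID((SELECT IFNULL(CAST(user AS CHAR),0x20) FROM "
               "challenge.users ORDER BY id LIMIT %d,1),%d,1)) > %d AND 'zJfx'='zJfx"
               % (row, pos, thr))
    return ('10.0.0.5 - - [01/Sep/2013:10:00:00 +0000] "GET /search.php?q=%s HTTP/1.1" '
            '%d 622 "-" "sqlmap/1.0-dev (1bae9955b7) (http://www.sqlmap.org)"'
            % (quote(payload), status))


# (row, position, threshold, status): enough probes to bracket "root" for row 0,
# plus a single probe for row 1 so that one position stays unresolved.
SAMPLE_PROBES = [
    (0, 1, 96, 200), (0, 1, 113, 200), (0, 1, 114, 302),   # 'r' = 114
    (0, 2, 96, 200), (0, 2, 110, 200), (0, 2, 111, 302),   # 'o' = 111
    (0, 3, 127, 302), (0, 3, 110, 200), (0, 3, 111, 302),  # 'o'
    (0, 4, 96, 200), (0, 4, 115, 200), (0, 4, 116, 302),   # 't' = 116
    (1, 1, 96, 200),
]
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [01/Sep/2013:09:59:59 +0000] "GET /search.php?q=trololo HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
] + [make_probe_line(*p) for p in SAMPLE_PROBES]

# The request quoted in the write-up above, already in decoded form.
PAGE_LINE = ('"GET /search.php?q=facebook\' AND ORD(MID((SELECT IFNULL(CAST(user AS CHAR),0x20) '
             'FROM challenge.users ORDER BY id LIMIT 1,1),5,1)) > 116 AND \'zJfx\'=\'zJfx HTTP/1.1" '
             '302 622 "-" "sqlmap/1.0-dev (1bae9955b7) (http://www.sqlmap.org)"')

if __name__ == "__main__":
    for key, value in reconstruct(SAMPLE_LOG_LINES).items():
        print(key, "->", value)
    print(parse_line(PAGE_LINE))
```

The regexes are deliberately tied to the one probe shape the log shows; a real investigation would extend QUERY_RE for other columns and comparison forms, and the bound tracking is what tells you which values the attacker actually finished extracting versus where the extraction was still in progress.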

Recovered credentials (cracked MD5 hashes):
user: root
password: pepe

user: guest
password: hacker

With these credentials the external attacker can easily make a defacement, so with this we verify that there is no internal attacker, or in this case, the internal attacker was not responsible for the defacement.

Saturday, August 3, 2013

In this post I am going to explain how to solve a "Crackme" challenge that I found on the Internet. In this example you can see a login form, but we don't know the username or the password, so what do you think could be a possible solution, or the first step to solve it?