PRTG Command Injection

2018.06.28
Credit: Josh Berry
Risk: High
Local: No
Remote: Yes
CWE: CWE-78


CVSS Base Score: 9/10
Impact Subscore: 10/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Bugtraq,

I (Josh Berry) discovered an authenticated command injection vulnerability in the Demo PowerShell notification script provided by versions of PRTG Network Monitor prior to 18.2.39. The PowerShell notifications demo script on versions of the application prior to 18.2.39 does not properly sanitize input in the Parameter field. The web application provides a security control around running executables/scripts as part of a notification, but the demo PowerShell script contains a command injection vulnerability.

As a proof of concept, the following value can be passed in the Parameter field, resulting in the creation of a test account named pentest:

Test.txt;net user pentest p3nT3st! /add

This bypasses the security control in place for the application. I notified Paessler AG, the developer of the application, and they have since patched the issue and assigned a CVE of CVE-2018-9276.

Additional details are provided below:

# Vulnerability Title: PRTG < 18.2.39 Command Injection Vulnerability
# Google Dork: N/A, but more details at: https://www.codewatch.org/blog/?p=453
# Date: Initial report: 2/14/2018, disclosed on 6/25/2018
# Exploit Author: Josh Berry
# Vendor Homepage: https://www.paessler.com
# Software Link: https://www.paessler.com/download/prtg-download?download=1
# Vulnerable Version Tested: 18.1.37.12158
# Patched Version: 18.2.39
# Tested on: Windows 7 and Windows Server 2012 R2
# CVE : CVE-2018-9276

Outside of patching, a workaround would be to just remove the PowerShell demo script from the notifications directory found in the documentation: https://www.paessler.com/manuals/prtg/notifications_settings#program.

Note that exploiting this issue requires authenticated access. The tool installs with the default credentials of prtgadmin / prtgadmin (https://kb.paessler.com/en/topic/433-what-s-the-login-name-and-password-for-the-prtg-web-interface-and-enterprise-console-how-to-change), and it is common for organizations to leave defaults in place or take time in changing them based on my penetration testing experience.

Thanks,

Josh Berry, OSCP & GCIA Gold
Project Lead - CodeWatch
Cell 469.831.8543 | josh.berry@codewatch.org | www.codewatch.org
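A defender-side check for the flaw described above, added here as an illustration and not taken from the advisory or from PRTG: it audits notification Parameter values for PowerShell syntax that can end one command and start another, using the advisory's proof-of-concept string as one input. The record layout, the function names and the file-name-only policy are assumptions of this example.

```python
import re

# PowerShell syntax that lets a value escape a single argument when a script
# splices it into a command string. Labels and names are this example's own.
RISKY_TOKENS = {
    "statement separator ';'": re.compile(r";"),
    "pipeline or chain operator": re.compile(r"[|&]"),
    "subexpression '$('": re.compile(r"\$\("),
    "backtick escape": re.compile(r"`"),
    "line break": re.compile(r"[\r\n]"),
    "redirection": re.compile(r"[<>]"),
}

# Assumed policy: the parameter should be nothing more than a bare file name.
SAFE_FILENAME = re.compile(r"[A-Za-z0-9_\-]{1,64}\.[A-Za-z0-9]{1,8}")


def audit_parameter(value):
    """Return the reasons a Parameter value should be rejected (empty if none)."""
    findings = [label for label, rx in RISKY_TOKENS.items() if rx.search(value)]
    if not SAFE_FILENAME.fullmatch(value):
        findings.append("not a bare file name")
    return findings


def audit_notifications(records):
    """Map notification name -> findings for every record that fails the audit."""
    report = {}
    for rec in records:
        findings = audit_parameter(rec.get("parameter", ""))
        if findings:
            report[rec["name"]] = findings
    return report


# Constructed sample records (hypothetical shape, not a PRTG export format).
SAMPLE = [
    {"name": "disk-alert", "parameter": "Test.txt"},
    {"name": "poc-from-advisory", "parameter": "Test.txt;net user pentest p3nT3st! /add"},
    {"name": "spaced-name", "parameter": "daily report.txt"},
]

if __name__ == "__main__":
    for name, findings in audit_notifications(SAMPLE).items():
        print(f"{name}: {', '.join(findings)}")
```

The allowlist is deliberately stricter than the token list, so a harmless value such as a file name containing a space is also rejected and has to be reviewed by hand.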


Copyright 2024, cxsecurity.com