Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Checkmk: Remote Code Execution by Chaining Multiple Bugs (2/3)- 1044

Stefan Schiller - Sonar Source, posted 3 years ago
  • This post is part 2 of a chain of bugs that leads to code execution. In part 1, an SSRF and a line feed injection bug in a query language (LQL) were found. However, the LQL injection is blind.
  • In SQL, a strategy to get around this limitation is using conditionals and sleeping when a condition is met. In LQL, this can be done via the WaitObject, WaitCondition and WaitTimeout headers. Using this, it is possible to use the blind injection to retrieve arbitrary data, though this data is not very sensitive.
  • LQL contains a COMMAND option, which allows for Nagios External Commands. Even though this sounds promising, many of the sensitive commands were already disabled in Nagios for security reasons.
  • However, they found the command PROCESS_FILE. Issuing this command directs Nagios to read the file, execute each line of the file, and exit. If the second parameter of the command is non-zero, it deletes the file being processed. This gives us an arbitrary file deletion primitive.
  • How is this primitive useful for us? It's all context dependent. An authentication cookie contains the SHA256 hash of a username, session id, serial number and the secret of the server. This secret is stored in the file auth.secret. When performing authentication, if the secret is not known, it reloads the file with 256 random characters.
  • This is where things get WILD! There is another application that uses the auth.secret file: NagVis. It verifies the session cookie seamlessly, but, unlike the main process, it does not properly validate whether the file is empty or not.
  • So, here's the attack:
    1. Use the arbitrary file deletion to delete the secret storage file.
    2. Get the main process to create the file BUT not save the secret. This leaves the secret empty.
    3. Use the other PHP component to use the empty file in this small time window.
  • This attempt takes a few tries but eventually works. Since we can now generate our own cookies, we have a complete auth bypass. Pretty neat!
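The root cause in the last bullets is a session verifier that keeps working when the shared secret file is missing or empty. The following is an added example written for this page; it is not code from Checkmk, NagVis or the Sonar write-up, and the cookie layout (colon-separated fields hashed with SHA-256), the file name auth.secret and the 256-character length are assumptions chosen to mirror the description above. It contrasts a lenient verifier that silently falls back to an empty secret with a fail-closed one, and constructs its own secret files in a temporary directory.

```python
import hashlib
import hmac
import os
import secrets
import tempfile

# Assumed: the server secret is 256 characters, as described in the summary above.
SECRET_LEN = 256


def session_digest(username: str, session_id: str, serial: str, secret: str) -> str:
    """Hypothetical cookie MAC: SHA-256 over the user fields plus the server secret."""
    payload = f"{username}:{session_id}:{serial}:{secret}".encode()
    return hashlib.sha256(payload).hexdigest()


def _split_cookie(cookie: str):
    parts = cookie.split(":")
    return parts if len(parts) == 4 else None


def verify_cookie_lenient(cookie: str, secret_path: str) -> bool:
    """What not to do: a missing or empty file degrades to an empty secret."""
    secret = ""
    if os.path.exists(secret_path):
        with open(secret_path, "r", encoding="utf-8") as fh:
            secret = fh.read().strip()
    parts = _split_cookie(cookie)
    if parts is None:
        return False
    username, session_id, serial, digest = parts
    return hmac.compare_digest(session_digest(username, session_id, serial, secret), digest)


def load_secret_strict(path: str) -> str:
    """Fail closed: refuse to return a secret that is absent or shorter than expected."""
    try:
        with open(path, "r", encoding="utf-8") as fh:
            secret = fh.read().strip()
    except FileNotFoundError:
        raise RuntimeError("auth secret file missing; refusing to verify sessions")
    if len(secret) < SECRET_LEN:
        raise RuntimeError("auth secret file empty or truncated; refusing to verify sessions")
    return secret


def verify_cookie_strict(cookie: str, secret_path: str) -> bool:
    """Hardened verifier: any problem loading the secret means no session is valid."""
    try:
        secret = load_secret_strict(secret_path)
    except RuntimeError:
        return False
    parts = _split_cookie(cookie)
    if parts is None:
        return False
    username, session_id, serial, digest = parts
    # Constant-time comparison so the check does not leak digest bytes via timing.
    return hmac.compare_digest(session_digest(username, session_id, serial, secret), digest)


def demo() -> dict:
    """Constructed scenario: one populated secret file and one empty file."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good_path = os.path.join(tmp, "auth.secret")
        empty_path = os.path.join(tmp, "auth.secret.empty")
        secret = secrets.token_hex(SECRET_LEN // 2)  # constructed 256-char secret
        with open(good_path, "w", encoding="utf-8") as fh:
            fh.write(secret)
        open(empty_path, "w", encoding="utf-8").close()  # the window the write-up describes

        fields = ("alice", "sess-1", "1")
        legit = ":".join(fields + (session_digest(*fields, secret),))
        no_secret = ":".join(fields + (session_digest(*fields, ""),))

        results["strict_accepts_legit"] = verify_cookie_strict(legit, good_path)
        results["strict_rejects_when_secret_empty"] = not verify_cookie_strict(no_secret, empty_path)
        results["lenient_accepts_when_secret_empty"] = verify_cookie_lenient(no_secret, empty_path)
        results["lenient_rejects_with_real_secret"] = not verify_cookie_lenient(no_secret, good_path)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The defensive point is the one the summary makes about the main process versus NagVis: every consumer of a shared secret must refuse to validate anything while that secret is absent or empty, rather than treating an empty value as a usable key. Monitoring for unexpected truncation or deletion of such a file is a cheap additional detection.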