Vulnerability affecting some versions of centreon.

Pedro Ferreira
2 min read · May 4, 2021

During my arduous journey to obtain the OSCP certification, which took place in Nov/2020, I discovered a zero-day vulnerability in the Centreon software that made it possible to transfer arbitrary files to the server through the application as if they were images.

Below I describe the steps I tested against Centreon version 19.04.0:

[Image: Centreon’s login page.]

In the administration console, specifically in the Administration/Parameters/Images section, it is possible to upload any file simply by renaming it with the .gif extension; the application performs no further validation of the file’s content. The uploaded files then become available in the /usr/share/centreon/www/img/media/ folder:

[Image: lse.sh file uploaded to the server as lse.gif.]

In this case, I had access to the server as a non-root user, and the server did not have wget or any other file transfer tool installed. So I uploaded scripts and exploits by renaming them with the .gif extension and then restored their original extension once they were on the server. This process can facilitate escalation of privileges.
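As an added example (not code from the post or from Centreon), the extension-only check the post describes is shown beside a hardened check that also inspects the file’s leading bytes, together with an audit helper a defender could run over an upload directory such as the img/media folder mentioned above. All file names and sample bytes below are constructed.

```python
import os
import tempfile

# Magic numbers for the image types an upload form would normally accept.
# The weakness described in the post is that only the file name was checked.
MAGIC_BY_EXT = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}


def weak_validate(filename):
    """Extension-only check: anything named *.gif passes (the behaviour in the post)."""
    return os.path.splitext(filename)[1].lower() == ".gif"


def content_matches_extension(filename, data):
    """True only when the extension is allowed and the bytes carry its image signature."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in MAGIC_BY_EXT:
        return False
    return any(data.startswith(magic) for magic in MAGIC_BY_EXT[ext])


def hardened_validate(filename, data):
    """Server-side check that rejects renamed scripts: returns (accepted, reason)."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in MAGIC_BY_EXT:
        return False, "extension %r not allowed" % ext
    if not content_matches_extension(filename, data):
        return False, "content does not look like a %s image" % ext[1:].upper()
    return True, "ok"


def audit_entries(entries):
    """Names of (name, bytes) entries whose content does not match their extension.
    Non-image extensions are flagged too, since a renamed-back script would have one."""
    return [name for name, data in entries if not content_matches_extension(name, data)]


def audit_media_dir(path):
    """Walk an upload directory and report files that are not what their name claims."""
    entries = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            with open(os.path.join(root, name), "rb") as fh:
                entries.append((name, fh.read(16)))  # signatures sit in the first bytes
    return sorted(audit_entries(entries))


if __name__ == "__main__":
    # Constructed samples: a valid GIF header and a shell script renamed to .gif.
    gif = b"GIF89a\x01\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    script = b"#!/bin/bash\necho constructed\n"
    with tempfile.TemporaryDirectory() as media:
        for name, data in [("logo.gif", gif), ("lse.gif", script)]:
            with open(os.path.join(media, name), "wb") as fh:
                fh.write(data)
        print("weak check accepts lse.gif:", weak_validate("lse.gif"))
        print("hardened check on lse.gif:", hardened_validate("lse.gif", script))
        print("suspicious files in media dir:", audit_media_dir(media))
```

The audit helper reads only the first 16 bytes of each file, so it is cheap enough to run periodically over a large media directory.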

After identifying the problem, I contacted Centreon’s information security team, who informed me that this vulnerability had been classified with a CVSS score of 4.7, that is, a medium-severity vulnerability:

[Image: Vulnerability classification by Centreon.]

I was also informed that the vulnerability had been identified, but that no CVE had been created for it:

[Image: No CVE created for this vulnerability.]

Approximately 5 months later, I received a new email from Centreon stating that the vulnerability had been fixed, along with confirmation of the affected versions:

[Image: Vulnerability fixed.]
