CVE-2019-13024

EPSS 32.2%

Centreon 18.x before 18.10.6, 19.x before 19.04.3, and Centreon web before 2.8.29 allows the attacker to execute arbitrary system commands by using the value "init_script"-"Monitoring Engine Binary" in main.get.php to insert a arbitrary command into the database, and execute it by calling the vulnerable page www/include/configuration/configGenerate/xml/generateFiles.php (which passes the inserted value to the database to shell_exec without sanitizing it, allowing one to execute system arbitrary commands).

Affected products

n/a · n/a

public PoCs found — 5

githubgithub.com/mhaskar/CVE-2019-13024★ 11 githubgithub.com/get-get-get-get/Centreon-RCE★ 1 cve_referencepacketstormsecurity.com/files/153504/Centreon-19.04-Remote-Code-Execution.htmlunverified exploitdbwww.exploit-db.com/exploits/47069unverified exploitdbwww.exploit-db.com/exploits/52156unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://packetstormsecurity.com/files/153504/Centreon-19.04-Remote-Code-Execution.html https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-18.10/centreon-18.10.6.html https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-19.04/centreon-19.04.3.html https://gist.github.com/mhaskar/c4255f6cf45b19b8a852c780f50576da https://github.com/centreon/centreon/pull/7694 https://shells.systems/centreon-v19-04-remote-code-execution-cve-2019-13024/