CVE-2014-3828
Published 2014-10-23
Priority: P2 (75), critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 72.71% (99.4th percentile)
Multiple SQL injection vulnerabilities in Centreon 2.5.1 and Centreon Enterprise Server 2.2 (fixed in Centreon web 2.5.3) allow remote attackers to execute arbitrary SQL commands via (1) the index_id parameter to views/graphs/common/makeXML_ListMetrics.php, (2) the sid parameter to views/graphs/GetXmlTree.php, (3) the session_id parameter to views/graphs/graphStatus/displayServiceStatus.php, (4) the mnftr_id parameter to configuration/configObject/traps/GetXMLTrapsForVendor.php, or (5) the index parameter to common/javascript/commandGetArgs/cmdGetExample.php in include/.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| merethis | centreon | — | — |
| merethis | centreon_enterprise_server | — | — |
Detection & IOCs
command' UNION ALL SELECT 1,2,3,4,5,CHAR(59,<payload>,59),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23 -- /**
- Monitor GET requests to displayServiceStatus.php with a session_id parameter containing SQL injection patterns (e.g., single quotes, OR conditions, UNION SELECT statements).
- Alert on HTTP responses from displayServiceStatus.php containing the string 'sh: graph: command not found' or 'sh: --imgformat: command not found', which indicate successful SQLi and command injection.
- Alert on HTTP responses from displayServiceStatus.php containing the string 'sh: --imgformat: command not found', indicating successful command injection via UNION-based SQLi.
- Detect UNION ALL SELECT payloads with CHAR() encoding in the template_id parameter of displayServiceStatus.php, used to inject OS commands via MySQL.
- The exploit requires no authentication; detect unauthenticated GET requests to /centreon/include/views/graphs/graphStatus/displayServiceStatus.php with suspicious session_id or template_id values.
- Exploitation only succeeds if at least one valid session exists in the centreon.session table; a completely idle system with no logged-in users may not be exploitable at the time of the attempt.
- The default target URI for the Centreon application is /centreon; installations using a non-default path will require adjustment of detection rules.
- The payload space is constrained to 1500 bytes, accounting for an 8192-byte maximum URI length; very large payloads may fail.
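The detection notes above, combined into one log check. This is an added example, not a rule from the sources indexed on this page; it assumes Apache combined-format access logs, and the function names, regular expressions and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameters named in the notes above; matched as a suffix so a
# non-default base path (not /centreon) is still covered.
ENDPOINT = "/include/views/graphs/graphStatus/displayServiceStatus.php"
PARAMS = ("session_id", "template_id")
# Heuristic markers (an assumption of this example): quotes, OR conditions,
# UNION SELECT, CHAR() encoding, SQL comment sequences.
SQLI = re.compile(r"'|\bunion\b.+\bselect\b|\bchar\s*\(|\bor\b\s+\S+\s*=|--|/\*", re.I | re.S)
# Shell error strings the notes tie to a successful injection.
RESPONSE_MARKERS = ("sh: graph: command not found", "sh: --imgformat: command not found")
# Client IP, request URI and status from a combined-format access log line.
REQ = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def suspicious_params(uri):
    """Names of watched parameters whose URL-decoded value looks like SQLi."""
    parts = urlsplit(uri)
    if not parts.path.endswith(ENDPOINT):
        return []
    query = parse_qs(parts.query, keep_blank_values=True)
    return [p for p in PARAMS if any(SQLI.search(v) for v in query.get(p, []))]

def scan_access_log(lines):
    """Return (client_ip, status, flagged_params) for each suspicious request."""
    hits = []
    for line in lines:
        m = REQ.match(line)
        flagged = suspicious_params(m.group(2)) if m else []
        if flagged:
            hits.append((m.group(1), int(m.group(3)), flagged))
    return hits

def response_indicates_injection(body):
    """True when a response body carries one of the shell error markers."""
    return any(marker in body for marker in RESPONSE_MARKERS)

# Constructed sample lines (documentation IP ranges), not captured traffic.
BASE = "/centreon" + ENDPOINT
SAMPLE_LOG = [
    f'198.51.100.7 - - [27/Oct/2014:10:01:02 +0000] "GET {BASE}?session_id=abc123&index=5 HTTP/1.1" 200 512',
    f'203.0.113.9 - - [27/Oct/2014:10:02:10 +0000] "GET {BASE}?session_id=x%27%20OR%20%271%27%3D%271'
    '&template_id=1%27%20UNION%20ALL%20SELECT%201%2C2%2CCHAR(59%2C59)%20--%20 HTTP/1.1" 200 98',
    f'203.0.113.9 - - [27/Oct/2014:10:02:12 +0000] "GET /monitoring{ENDPOINT}?template_id=7 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, status, params in scan_access_log(SAMPLE_LOG):
        print(f"ALERT {ip} status={status} params={','.join(params)}")
```

Access logs do not record response bodies, so response_indicates_injection only applies where bodies are captured, for example at a reverse proxy, WAF or network sensor.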
No detection rules found.
Exploit-DB
Centreon - SQL Injection / Command Injection (Metasploit)
exploitdb·2014-10-27
CVE-2014-3828 Centreon - SQL Injection / Command Injection (Metasploit)
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'Centreon SQL and Command Injection',
'Description' => %q{
This module exploits several vulnerabilities on Centreon 2.5.1 and prior and Centreon
Enterprise Server 2.2 and prior. Due to a combination of SQL injection and command
injection in the displayServiceStatus.php component, it is possible to execute arbitrary
commands as long as there is a valid session registered in the centreon.session table.
In order to have a valid session, all it takes is a successful login from anybody.
The exploit itself does not require any authentication.
This module has b
Exploit-DB
Centreon < 2.5.1 / Centreon Enterprise Server < 2.2 - SQL Injection / Command Injection (Metasploit)
exploitdb·2014-10-15
CVE-2014-3829 Centreon < 2.5.1 / Centreon Enterprise Server < 2.2 - SQL Injection / Command Injection (Metasploit)
Centreon 'Centreon SQL and Command Injection',
'Description' => %q{
This module exploits several vulnerabilities on Centreon 2.5.1 and prior and Centreon
Enterprise Server 2.2 and prior. Due to a combination of SQL injection and command
injection in the displayServiceStatus.php component, it is possible to execute arbitrary
commands as long as there is a valid session registered in the centreon.session table.
In order to have a valid session, all it takes is a successful login from anybody.
The exploit itself does not require any authentication.
This module has been tested successfully on Centreon Enterprise Server 2.2.
},
'License' => MSF_LICENSE,
'Author' =>
[
'MaZ', # Vulnerability Discovery and Analysis
'juan vazquez' # Metasploit Module
],
'References' =>
[
['CVE', '2014-3828'],
['CVE
Metasploit
Centreon SQL and Command Injection
metasploit
This module exploits several vulnerabilities on Centreon 2.5.1 and prior and Centreon Enterprise Server 2.2 and prior. Due to a combination of SQL injection and command injection in the displayServiceStatus.php component, it is possible to execute arbitrary commands as long as there is a valid session registered in the centreon.session table. In order to have a valid session, all it takes is a successful login from anybody. The exploit itself does not require any authentication. This module has been tested successfully on Centreon Enterprise Server 2.2.
No writeups or analysis indexed.
- http://seclists.org/fulldisclosure/2014/Oct/78
- http://www.kb.cert.org/vuls/id/298796
- http://www.securityfocus.com/bid/70648
- https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.5/centreon-2.5.3.html
- https://github.com/centreon/centreon/commit/cc2109804dd69057cb209037113796ec5ffdce90#diff-e328097503b14fbb117e0db798aefcde