CVE-2014-3829
Published 2014-10-23
Priority: P2 · 78 · critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 81.00% (99.6th percentile)
displayServiceStatus.php in Centreon 2.5.1 and Centreon Enterprise Server 2.2 (fixed in Centreon web 2.5.3) allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) session_id or (2) template_id parameter, related to the command_line variable.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| merethis | centreon | — | — |
| merethis | centreon_enterprise_server | — | — |
Detection & IOCs (extracted from sources)
command: template_id=' UNION ALL SELECT 1,2,3,4,5,CHAR(59,<payload>59),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23 -- /**
- Detect GET requests to displayServiceStatus.php with SQL injection patterns in session_id or template_id parameters, particularly single-quote characters and OR/UNION SQL keywords.
- Alert on HTTP responses containing the string 'sh: graph: command not found' or 'sh: --imgformat: command not found', which indicate successful command injection via displayServiceStatus.php.
- Monitor for UNION-based SQL injection payloads in the template_id parameter of displayServiceStatus.php, specifically patterns matching UNION ALL SELECT with CHAR() encoding.
- The exploit requires no authentication; flag unauthenticated GET requests to displayServiceStatus.php that contain SQL metacharacters (single quotes, UNION, OR) in session_id or template_id.
- The exploit abuses the centreon.session table via SQLi to hijack a valid session; monitor for unexpected or anomalous rows/queries against centreon.session from web process accounts.
- The exploit chains CVE-2014-3828 (SQL injection) with CVE-2014-3829 (command injection); both CVEs must be considered together for full exploit coverage.
- The vulnerability is fixed in Centreon web 2.5.3; detections should focus on Centreon 2.5.1 and prior, and Centreon Enterprise Server 2.2 and prior.
- The SQLi check phase may return 'Detected' (not 'Vulnerable') if the centreon.session table is empty, meaning exploitation will fail even on a vulnerable host until a legitimate user logs in.
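The request-side and response-side checks listed above, applied to web access-log lines as an added example (not taken from the page's sources, Centreon, or the Metasploit module). The log format, the `EXAMPLE-PATH` directory and the `PLACEHOLDER` values are constructed assumptions; only the file name, parameter names, keywords and response strings come from the page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines: the log format, the EXAMPLE-PATH directory and
# the PLACEHOLDER values are made up for this example.
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Oct/2014:10:00:01 +0000] "GET /centreon/EXAMPLE-PATH/displayServiceStatus.php?session_id=9f2c41aa&template_id=3 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [15/Oct/2014:10:00:02 +0000] "GET /centreon/EXAMPLE-PATH/displayServiceStatus.php?session_id=9f2c41aa&template_id=%27%20UNION%20ALL%20SELECT%201%2C2%2CCHAR(59%2CPLACEHOLDER%2C59)%20--%20 HTTP/1.1" 200 97',
    '203.0.113.9 - - [15/Oct/2014:10:00:03 +0000] "GET /centreon/EXAMPLE-PATH/displayServiceStatus.php?session_id=%27%20OR%20PLACEHOLDER&template_id=3 HTTP/1.1" 200 97',
    '198.51.100.7 - - [15/Oct/2014:10:00:04 +0000] "GET /centreon/EXAMPLE-PATH/other.php?session_id=%27 HTTP/1.1" 200 40',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
WATCHED_PARAMS = ("session_id", "template_id")
CHECKS = {  # request-side patterns named in the bullets above
    "single-quote": re.compile(r"'"),
    "sql-keyword": re.compile(r"\b(?:UNION|OR)\b", re.I),
    "char-encoding": re.compile(r"\bCHAR\s*\(", re.I),
}
RESPONSE_MARKERS = ("sh: graph: command not found", "sh: --imgformat: command not found")

def inspect_request(line):
    """Return {param: [reasons]} for a suspicious request line, else {}."""
    m = REQUEST_RE.search(line)
    if not m or m.group("method") != "GET":
        return {}
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/displayServiceStatus.php"):
        return {}
    params = parse_qs(url.query, keep_blank_values=True)  # URL-decodes values
    hits = {}
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            reasons = [label for label, rx in CHECKS.items() if rx.search(value)]
            if reasons:
                hits.setdefault(name, []).extend(reasons)
    return hits

def response_flagged(body):
    """True if a response body carries one of the shell error strings."""
    return any(marker in body for marker in RESPONSE_MARKERS)

def scan(lines):
    """Return [(line_number, hits)] for every flagged log line."""
    return [(i, hits) for i, line in enumerate(lines, 1) if (hits := inspect_request(line))]

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG):
        print(lineno, hits)
```

Because the parameters are URL-decoded before matching, encoded quotes and keywords are caught as well as literal ones.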
No detection rules found.
Exploit-DB
Centreon < 2.5.1 / Centreon Enterprise Server < 2.2 - SQL Injection / Command Injection (Metasploit)
exploitdb·2014-10-15
CVE-2014-3829 Centreon < 2.5.1 / Centreon Enterprise Server < 2.2 - SQL Injection / Command Injection (Metasploit)
    'Name' => 'Centreon SQL and Command Injection',
    'Description' => %q{
      This module exploits several vulnerabilities on Centreon 2.5.1 and prior and Centreon
      Enterprise Server 2.2 and prior. Due to a combination of SQL injection and command
      injection in the displayServiceStatus.php component, it is possible to execute arbitrary
      commands as long as there is a valid session registered in the centreon.session table.
      In order to have a valid session, all it takes is a successful login from anybody.
      The exploit itself does not require any authentication.
      This module has been tested successfully on Centreon Enterprise Server 2.2.
    },
    'License' => MSF_LICENSE,
    'Author' =>
      [
        'MaZ', # Vulnerability Discovery and Analysis
        'juan vazquez' # Metasploit Module
      ],
    'References' =>
      [
        ['CVE', '2014-3828'],
        ['CVE
Metasploit
Centreon SQL and Command Injection
metasploit
This module exploits several vulnerabilities on Centreon 2.5.1 and prior and Centreon Enterprise Server 2.2 and prior. Due to a combination of SQL injection and command injection in the displayServiceStatus.php component, it is possible to execute arbitrary commands as long as there is a valid session registered in the centreon.session table. In order to have a valid session, all it takes is a successful login from anybody. The exploit itself does not require any authentication. This module has been tested successfully on Centreon Enterprise Server 2.2.
No writeups or analysis indexed.
- http://seclists.org/fulldisclosure/2014/Oct/78
- http://www.kb.cert.org/vuls/id/298796
- https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.5/centreon-2.5.3.html
- https://github.com/centreon/centreon/commit/cc2109804dd69057cb209037113796ec5ffdce90#diff-e328097503b14fbb117e0db798aefcde
Published: 2014-10-23