# Full Report

## Intro

During an internal assessment, I came across monitoring software that had default credentials configured. This monitoring software allowed for the creation of sensors, but none of them would allow for code execution or anything else that could compromise the underlying system. It turns out it was a vulnerable version based on a publicly known CVE, but there was no public exploit code. Join me in this quest on building an exploit!

# Analysis Summary
# Vulnerability: PRTG Network Monitor Arbitrary File Write leading to Remote Code Execution (CVE-2018-19204)
## CVE Details
- CVE ID: CVE-2018-19204
- CVSS Score: Not stated in the source text; the advisory describes **arbitrary code execution and OS commands with system privileges** for authenticated users, so the severity based on impact is likely High/Critical.
- CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) combined with CWE-94 (Improper Control of Generation of Code ('Code Injection')); the root cause is an arbitrary file write reached through command-line argument injection.
## Affected Systems
- Products: PRTG Network Monitor
- Versions: Vulnerable versions based on the known public CVE (specific version numbers are not detailed in this summary; consult the vendor advisory).
- Configurations: Requires remote authenticated attackers with **read-write privileges** to create a sensor. The HTTP Advanced Sensor configuration must be utilized.
## Vulnerability Description
The vulnerability resides in the improper handling of user input within the `proxyport_` parameter of certain sensor configurations, specifically those executed by the `HttpAdvancedSensor.exe` process. This flaw allows a **remote authenticated attacker** with write privileges to craft a malicious HTTP request that overrides the `-Proxy` argument passed to `HttpAdvancedSensor.exe`. Because the injected text is interpreted as additional command-line arguments, the attacker can redefine the `writeresult` parameter, enabling them to write **arbitrary data to an arbitrary file-system location** with System privileges. The attacker can then write an executable file into the `\Custom Sensors\EXE` directory and trigger its execution via the creation of an EXE/Script Sensor, leading to **Remote Code Execution (RCE)** with System privileges.
## Exploitation
- Status: **PoC available** (A Python PoC script was drafted by the researcher).
- Complexity: **Medium** (Requires authentication/read-write privileges, discovery of the vulnerable sensor type, and tracing execution paths, although the final step leveraging UNC paths for file writing simplifies the impact).
- Attack Vector: **Network** (Requires network access to the monitored system where the authenticated service is running).
## Impact
- Confidentiality: **High** (System privileges allow access to all data).
- Integrity: **High** (Arbitrary code execution and file modification are possible).
- Availability: **High** (System compromise can lead to service disruption).
## Remediation
### Patches
- The article implies that patches exist for CVE-2018-19204, referring to it as a "publicly known CVE," but **specific patch versions are not listed** in the provided text. Users should consult the official vendor advisories for PRTG Network Monitor. [Action: Check vendor site for patch release.]
### Workarounds
- Restrict read-write sensor creation privileges to only trusted users.
- Monitor network traffic and application logs for suspicious inputs in sensor creation requests, particularly targeting parameters related to proxy settings on HTTP Advanced Sensors.
## Detection
- **Indicators of Compromise (IoCs):** Successful exploitation results in arbitrary file creation (e.g., an executable) within the PRTG installation directory, specifically the `\Custom Sensors\EXE` path, followed by logs indicating the execution of that new file via a sensor trigger.
- **Detection Methods and Tools:** Monitor process execution of `HttpAdvancedSensor.exe` for unexpected command-line arguments, especially those attempting to misuse the `-Proxy` parameter or override the `writeresult` path. Use network monitoring to inspect POST requests to sensor configuration endpoints for attempts to inject path traversal or special characters in proxy/port settings.
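The process-level detection method above, as an added example that is not part of the original report or of any PRTG tooling. It runs three checks over constructed process-creation records (image path plus command line): `-writeresult` appearing more than once, a `-proxy` value that carries an injected argument, and an output path under `Custom Sensors\EXE`. The argument syntax of `HttpAdvancedSensor.exe` and the sample records are assumptions for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample process-creation records (image, command line).
# Not real PRTG log data; the argument syntax is assumed.
SAMPLE_EVENTS = [
    ("C:\\Program Files\\PRTG\\Sensor System\\HttpAdvancedSensor.exe",
     '-url="http://intranet/status" -proxy="proxy.corp.local:3128" '
     '-writeresult="C:\\ProgramData\\Paessler\\Logs\\result.txt"'),
    ("C:\\Program Files\\PRTG\\Sensor System\\HttpAdvancedSensor.exe",
     '-url="http://intranet/status" -proxy="proxy.corp.local:3128 '
     '-writeresult=C:\\Program Files\\PRTG\\Custom Sensors\\EXE\\x.bat" '
     '-writeresult="C:\\ProgramData\\Paessler\\Logs\\result.txt"'),
    ("C:\\Windows\\System32\\svchost.exe", "-k netsvcs"),
]

CUSTOM_EXE_DIR = re.compile(r"custom sensors\\exe", re.IGNORECASE)
WRITERESULT = re.compile(r"-writeresult", re.IGNORECASE)
PROXY_VALUE = re.compile(r'-proxy="?([^"]*)"?', re.IGNORECASE)


def analyze(image: str, cmdline: str) -> List[str]:
    """Return the reasons a record looks like CVE-2018-19204 abuse.

    Empty list means benign, or not an HttpAdvancedSensor.exe process.
    """
    if not image.lower().endswith("httpadvancedsensor.exe"):
        return []
    reasons = []
    # A sensor launch should carry the writeresult argument at most once
    # (assumption); a second copy means the proxy value overrode it.
    if len(WRITERESULT.findall(cmdline)) > 1:
        reasons.append("writeresult passed more than once (argument override)")
    # A proxy host:port never legitimately contains whitespace plus a dash.
    m = PROXY_VALUE.search(cmdline)
    if m and re.search(r"\s-", m.group(1)):
        reasons.append("proxy value carries an injected argument")
    # Output landing in the EXE sensor directory is the staging step for RCE.
    if CUSTOM_EXE_DIR.search(cmdline):
        reasons.append("output path points into Custom Sensors\\EXE")
    return reasons


def scan(events) -> List[Tuple[str, str, List[str]]]:
    """Apply analyze() to every record and keep only the suspicious ones."""
    hits = []
    for image, cmdline in events:
        reasons = analyze(image, cmdline)
        if reasons:
            hits.append((image, cmdline, reasons))
    return hits
```

The same checks translate directly to a Sysmon Event ID 1 or EDR query keyed on the image name and command line.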
## References
- Vendor Advisory Source (Referenced in text): [hxxps://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2018-23/](hxxps://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2018-23/)
- Proof of Concept (as mentioned by researcher): [hxxps://gist.github.com/n30m1nd/1788ab84b94a03c62847d285ee0cfe81](hxxps://gist.github.com/n30m1nd/1788ab84b94a03c62847d285ee0cfe81)