Full Report
Intro

Last year I wrote about how to weaponize CVE-2018-19204. This blog post continues that work and elaborates on the finding and analysis of two additional vulnerabilities that were discovered during the process: one leading to an arbitrary write as SYSTEM where the contents can't be fully controlled, and the other leading to Remote Code Execution as SYSTEM. Both vulnerabilities require you to have the administrator password for PRTG Network Monitor. Often you just get lucky, as the software defaults to prtgadmin:prtgadmin for the username and password respectively.
Analysis Summary
# Vulnerability: Arbitrary Write and RCE in PRTG Network Monitor due to Argument Injection
## CVE Details
- CVE ID: **CVE-2019-11074** (Mentioned for context; it is identified as having DoS impact, whereas the post discusses two more severe findings.)
- CVSS Score: N/A (The text does not give scores for the two new findings, the arbitrary write and the RCE.)
- CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - *Inferred based on argument injection leading to RCE*)
## Affected Systems
- Products: PRTG Network Monitor
- Versions: Versions prior to **19.3.51.2830** are affected by the vulnerabilities elaborated in the post.
- Configurations: Requires an authenticated attacker with **administrator password** credentials for PRTG Network Monitor. The default credentials (`prtgadmin:prtgadmin`) often grant this access if unchanged.
## Vulnerability Description
The analysis uncovered two primary vulnerabilities stemming from insecure handling and sanitization of user-supplied input when executing internal binaries, specifically related to sensor configurations:
1. **Arbitrary Write (Non-fully controlled contents) as NT AUTHORITY\SYSTEM:** An argument injection flaw allows an attacker to inject extra positional arguments into a command executed via the `phantomjs.exe` binary when using a specific screenshot-related sensor. This yields an arbitrary file write with SYSTEM privileges, although the attacker does not fully control the written contents.
2. **Remote Code Execution (RCE) as NT AUTHORITY\SYSTEM:** A separate argument injection vulnerability was found in the **HTTP Transaction Sensor**. By manipulating parameters (specifically overcoming double-quote sanitization) through developer tools or proxies, an attacker can inject extra positional arguments into the command line executed by the sensor process, leading directly to RCE with SYSTEM privileges.
In both cases, the root cause is positional argument handling: the parent process launches a child process with a command line built from user-supplied configuration data taken from the web interface.
## Exploitation
- Status: **PoC available** (The author demonstrated successful proof-of-concept techniques for both findings but chose not to publish the full RCE PoC due to the large number of exposed instances.)
- Complexity: **Medium** (Requires successful authentication with the admin password, plus specific manipulation of argument parsing and double quotes, potentially through browser developer tools or a proxy.)
- Attack Vector: **Adjacent** (Requires network access to the web interface and valid administrator credentials.)
## Impact
- Confidentiality: **High** (If RCE as SYSTEM is achieved.)
- Integrity: **High** (Arbitrary write capability; ability to execute arbitrary code as SYSTEM, allowing full system modification.)
- Availability: **High** (Ability to execute arbitrary code or cause denial of service/system compromise.)
## Remediation
### Patches
- **Update PRTG Network Monitor to version 19.3.51.2830 or later.**
### Workarounds
- **Do not rely on default credentials** (`prtgadmin:prtgadmin`) and ensure strong, unique administrative passwords are set.
- Harden input sanitization, in particular by rejecting backslashes (`\`) and double quotes (`"`) in configuration fields whose values end up on a sub-process command line, as these characters were leveraged to split or join arguments.
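The root cause described under Vulnerability Description (a child command line built from user-supplied configuration data) and the sanitization workaround above can both be made concrete with a small demonstration. The following is an added example and not PRTG's code: `phantomjs.exe` is the binary named on this page, while `capture.js` and `out.png` are hypothetical placeholders for the script and output path such a sensor might pass. It shows that a double quote inside a field dropped into a format string splits one intended argument into several positional arguments, that building the argv as a list and quoting each element with `subprocess.list2cmdline` keeps the field as a single argument, and that rejecting `"` and `\` (the page's workaround) refuses the value outright. The `windows_argv` helper re-tokenizes a command line the way Windows' `CommandLineToArgvW` does, so the effect can be checked on any platform.

```python
from __future__ import annotations

import subprocess

# Added example, not PRTG's code. phantomjs.exe is named on the page; capture.js
# and out.png are hypothetical placeholders for a sensor's script and output path.

FORBIDDEN = '"\\'  # characters the workaround says to reject in sub-process fields


def windows_argv(cmdline: str) -> list[str]:
    """Split a Windows command line into argv the way CommandLineToArgvW does.

    Simplified model: whitespace separates arguments, a double quote toggles
    quoted mode, and a run of backslashes is only special when it precedes a
    quote (2n backslashes -> n backslashes plus a delimiter quote; 2n+1 ->
    n backslashes plus a literal quote). The "" inside-quotes escape is not modelled.
    """
    args: list[str] = []
    cur: list[str] = []
    in_quotes = have_arg = False
    i, n = 0, len(cmdline)
    while i < n:
        ch = cmdline[i]
        if ch == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            run = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (run // 2))
                if run % 2:
                    cur.append('"')            # odd run: the quote is literal
                else:
                    in_quotes = not in_quotes  # even run: the quote is a delimiter
                j += 1
            else:
                cur.append("\\" * run)         # backslashes not before a quote are literal
            have_arg, i = True, j
            continue
        if ch == '"':
            in_quotes = not in_quotes
            have_arg = True
        elif ch in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
        else:
            cur.append(ch)
            have_arg = True
        i += 1
    if have_arg:
        args.append("".join(cur))
    return args


def naive_cmdline(url: str) -> str:
    """Vulnerable pattern: the field is interpolated into a quoted slot of a format string."""
    return f'phantomjs.exe capture.js "{url}" out.png'


def quoted_cmdline(url: str) -> str:
    """Safer pattern: build argv as a list and let list2cmdline apply Windows quoting per element."""
    return subprocess.list2cmdline(["phantomjs.exe", "capture.js", url, "out.png"])


def validate_sensor_field(value: str) -> bool:
    """Workaround from the page: refuse quotes and backslashes in fields that reach a child process."""
    return not any(c in FORBIDDEN for c in value)


def safe_cmdline(url: str) -> str:
    """Hardened pattern: validate the field first, then quote each argv element."""
    if not validate_sensor_field(url):
        raise ValueError("sensor field contains a quote or backslash")
    return quoted_cmdline(url)


if __name__ == "__main__":
    # Constructed value: a URL field carrying a stray quote and a trailing token.
    hostile = 'http://example.invalid/page" extra "'
    print(windows_argv(naive_cmdline(hostile)))    # six argv entries instead of four
    print(windows_argv(quoted_cmdline(hostile)))   # four entries, the field intact
    try:
        safe_cmdline(hostile)
    except ValueError as exc:
        print("rejected:", exc)
```

The two layers are complementary: per-element quoting removes the parsing ambiguity that lets a field become several arguments, and the character allowlist removes the characters that were abused, so a sanitization bypass in one layer does not by itself reach the child process.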
## Detection
- **Indicators of Compromise (IoCs):** Look for unexpected command-line arguments being passed to PRTG sensor binaries (`phantomjs.exe`, `HttpTransactionSensor.exe`, etc.) within system process monitoring logs.
- **Detection Methods and Tools:** Behavioral analysis of processes spawned by PRTG services: watch for unexpected process execution paths or command-line injection payloads that deviate from normal sensor operation, and for outbound network connections from PRTG processes that are uncharacteristic of standard network monitoring tasks.
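A minimal version of the process-monitoring check described above, as an added example that is not part of the original post or of PRTG: it runs over constructed Sysmon-style process-creation records (Image, ParentImage, CommandLine) and flags three conditions for the sensor binaries named on this page, `phantomjs.exe` and `HttpTransactionSensor.exe`: an argument count that differs from a baseline, a quote or trailing backslash inside an argument, an unexpected parent, and a sensor binary spawning a shell. The parent process name (`PRTG Probe.exe`), the `C:\PRTG` install path, and the per-binary argument baselines are assumptions; take them from your own probe's normal events.

```python
import re

# Added example, not PRTG's code. Binary names come from the page; the parent
# process name, install path and argument baselines are assumptions to tune.
WATCHED_CHILDREN = {"phantomjs.exe", "httptransactionsensor.exe"}
ASSUMED_PARENT = "prtg probe.exe"            # assumed name of the probe service that spawns sensors
EXPECTED_ARGC = {"phantomjs.exe": 4, "httptransactionsensor.exe": 3}  # assumed baselines
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed records in a flat Key=Value|Key=Value form (not real PRTG telemetry).
SAMPLE_EVENTS = [
    r'Image=C:\PRTG\phantomjs.exe|ParentImage=C:\PRTG\PRTG Probe.exe|CommandLine="C:\PRTG\phantomjs.exe" capture.js "http://intranet.example/status" out.png',
    r'Image=C:\PRTG\phantomjs.exe|ParentImage=C:\PRTG\PRTG Probe.exe|CommandLine="C:\PRTG\phantomjs.exe" capture.js "http://intranet.example/status" injected-arg out.png',
    r'Image=C:\Windows\System32\cmd.exe|ParentImage=C:\PRTG\HttpTransactionSensor.exe|CommandLine=cmd.exe /c ver',
    r'Image=C:\PRTG\phantomjs.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine="C:\PRTG\phantomjs.exe" capture.js "http://intranet.example/status" out.png',
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rough_argv(cmdline: str) -> list:
    """Simplified tokenizer (quoted runs or bare tokens). Good enough for counting
    arguments in telemetry; not a faithful CommandLineToArgvW implementation."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_record(line: str) -> dict:
    """Parse one constructed Key=Value|Key=Value record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def analyse(lines: list) -> list:
    """Return (record_index, reason) findings for records that deviate from the baseline."""
    findings = []
    for rid, line in enumerate(lines):
        rec = parse_record(line)
        image, parent, cmd = basename(rec["Image"]), basename(rec["ParentImage"]), rec["CommandLine"]
        if image in WATCHED_CHILDREN:
            argv = rough_argv(cmd)
            expected = EXPECTED_ARGC[image]
            if len(argv) != expected:
                findings.append((rid, f"{image}: {len(argv)} arguments, baseline {expected}"))
            # Quotes or a trailing backslash inside an argument are the characters the
            # page says were used to split or join arguments.
            if any('"' in a or a.endswith("\\") for a in argv[1:]):
                findings.append((rid, f"{image}: quote or trailing backslash inside an argument"))
            if parent != ASSUMED_PARENT:
                findings.append((rid, f"{image}: unexpected parent {parent}"))
        elif parent in WATCHED_CHILDREN and image in SHELLS:
            # A sensor binary should not be launching an interpreter.
            findings.append((rid, f"{parent} spawned {image}"))
    return findings


if __name__ == "__main__":
    for rid, reason in analyse(SAMPLE_EVENTS):
        print(f"record {rid}: {reason}")
```

The argument-count rule is the one most directly tied to the page's findings, since both vulnerabilities add positional arguments to an otherwise fixed command line; the parent and child checks catch the post-exploitation side (a sensor process launching something it never should) without depending on the injected content.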
## References
- Vendor Advisory: https://www.paessler.com/prtg/history/stable#19.3.51.2830
- Research Post (Defanged): hxxps://sensepost.com/blog/2020/being-stubborn-pays-off-pt.-2-tale-of-two-0days-on-prtg-network-monitor