Full Report
This is the final part of the series. In the first two posts, an SSRF and an LQL query injection lead to an arbitrary file deletion, which in turn gives a complete authentication bypass by racing a file used for authentication. In part 3, we finish off the chain.

The endpoint CoreModGeneral contains an arbitrary file read vulnerability. A URL can be passed in, but its scheme is not validated, so an attacker can pass the file:// scheme and retrieve arbitrary files from the system.

Checkmk has two types of users: normal and automation. The automation user is pre-configured with a random secret, which is stored in plaintext in the file automation.secret. Using the arbitrary file read from above, we can escalate privileges by reading these credentials and logging in as this user. It turns out that the automation user is quite restricted, so we want to be a normal user instead. How does Checkmk tell an automation user from a regular one? By checking for the existence of the automation.secret file! So, once we have read the file, we can use a previous vulnerability to delete it, making us appear as a regular user. Now we are a normal user!

For the seamless authentication with NagVis to take place, dynamic PHP code is generated. In particular, user information is placed into a string in real PHP code. Single quotes within this data are escaped by prepending a backslash. However, if the data itself contains a backslash, we can neutralize the backslash intended to escape the single quote. For instance, the input A\' would become A\\' instead of A\\\', allowing us to escape the string context. The bug above gives us an authenticated code injection vulnerability.

From a single SSRF to authentication to code execution is pretty amazing. This is probably the largest number of bugs I've ever seen chained together. More interestingly, some of these quirks weren't bugs - the functionality, such as the file deletion in this step, was just an implementation quirk. Awesome write-up!
Analysis Summary
# Vulnerability: Chained Exploitation Leading to Remote Code Execution in Checkmk via Arbitrary File Read and Code Injection
## CVE Details
- CVE ID: CVE-2022-46945 (Arbitrary File Read in NagVis), CVE-2022-46946 (Authentication Bypass), CVE-2022-46947 (Code Injection)
- CVSS Score: **Not available in provided text** (Implied High/Critical given RCE result)
- CWE: Multiple (CWE-918: Server-Side Request Forgery/Path Traversal for File Read, CWE-94: Improper Control of Generation of Code ('Code Injection'))
## Affected Systems
- Products: Checkmk (and its NagVis integration)
- Versions: Vulnerable versions prior to patches addressing this chain of vulnerabilities.
- Configurations: Requires an authenticated session within the NagVis component (achieved through the preceding vulnerability chain).
## Vulnerability Description
This summary focuses on the final two steps (3 and 4 in the overall chain) described in the article, which depend on prior unauthenticated access to the NagVis component.
**Step 3: Arbitrary File Read in NagVis (CVE-2022-46945)**
An arbitrary file read vulnerability exists in the NagVis endpoint triggered via the `CoreModGeneral` class when using the `getHoverUrl` action. This endpoint accepts a `url` parameter which is passed directly to `file_get_contents()` without sufficient validation against URI schemes. An authenticated attacker can use the `file:///` scheme to read arbitrary files accessible by the webserver user.
**Escalation/Privilege Adjustment:**
1. The attacker reads the plaintext credentials of the pre-configured **automation user** stored in `automation.secret` using the file read vulnerability (CVE-2022-46945).
2. The attacker then uses a previously exploited arbitrary file deletion vulnerability (from earlier in the chain) to **delete** the `automation.secret` file.
3. Checkmk distinguishes between 'automation' and 'normal' users by checking for the existence of `automation.secret`. By deleting the file, the attacker subsequently appears as a less-restricted **normal user**.
**Step 4: Authenticated Code Injection in Checkmk (CVE-2022-46947)**
This bug occurs during dynamic PHP code generation for NagVis user information. Single quotes are intended to be escaped by prepending a backslash (e.g., `'` becomes `\'`). However, if the input data itself contains a backslash, the escaping mechanism fails. For example, input `A\'` is incorrectly rendered as `A\\'` instead of the properly escaped `A\\\'`. This logic flaw allows an authenticated attacker (now operating as a normal user) to break out of the intended string context and achieve authenticated **Code Injection**, leading to Remote Code Execution (RCE).
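As an added example (not code from the write-up, Checkmk or NagVis), the following Python reproduces the two escaping behaviours described above and scans the generated literal the way PHP parses a single-quoted string, to show where each version actually ends. The function names are hypothetical and the `$_SESSION['user']` stub is constructed, not the real generated template.

```python
# Added example: reproduces the escaping flaw described above and checks
# where PHP would end the generated single-quoted literal. Function names
# are hypothetical; this is not NagVis/Checkmk code.

def flawed_php_quote(value: str) -> str:
    """Escaping as the write-up describes it: only the single quote gets a
    backslash, backslashes already present in the data are left alone."""
    return "'" + value.replace("'", "\\'") + "'"


def safe_php_quote(value: str) -> str:
    """Escape backslashes first, then single quotes, so that no input can
    terminate the literal (this is also what PHP's var_export() emits)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def php_single_quoted_end(src: str) -> int:
    """Index of the quote closing the PHP single-quoted literal at src[0].
    Inside such a literal a backslash escapes only a backslash or a quote;
    returns -1 when the literal is never closed."""
    if not src.startswith("'"):
        raise ValueError("not a single-quoted literal")
    i = 1
    while i < len(src):
        if src[i] == "\\" and i + 1 < len(src) and src[i + 1] in "\\'":
            i += 2          # escaped backslash or escaped quote
            continue
        if src[i] == "'":
            return i
        i += 1
    return -1


def breaks_out(value: str, quote) -> bool:
    """True when the literal produced by quote(value) ends somewhere other
    than its last character, i.e. part of the data would be parsed as code
    (or the literal swallows the code that follows it)."""
    literal = quote(value)
    return php_single_quoted_end(literal) != len(literal) - 1


def generated_stub(username: str, quote) -> str:
    """Constructed stand-in for the dynamically generated PHP (not the real
    NagVis template): the username is inlined as a string literal."""
    return "<?php $_SESSION['user'] = " + quote(username) + ";"
```

`breaks_out("A\\'", flawed_php_quote)` is true because the literal closes after the escaped backslash, while the same input through `safe_php_quote` stays inside the string; a trailing backslash shows the mirror failure, where the flawed version never closes the literal at all.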
## Exploitation
- Status: **PoC available** (The article describes the full chain used for demonstration).
- Complexity: **Medium** (Requires chaining multiple complex vulnerabilities, but the final RCE step is highly effective once authentication is achieved).
- Attack Vector: **Network** (The chain starts unauthenticated over the network, progressing to authenticated execution).
## Impact
- Confidentiality: **High** (Access to arbitrary system files, including secrets).
- Integrity: **Critical** (Achieved Remote Code Execution allows complete system compromise).
- Availability: **Critical** (RCE can lead to system shutdown or data destruction).
## Remediation
### Patches
The article notes that the Checkmk team provided comprehensive patches for all reported issues quickly. **Specific patch versions are not listed in the provided text; refer to official Checkmk advisories.**
### Workarounds
1. **Network Segmentation/Access Control:** Restrict network access to the Checkmk/NagVis endpoints where possible.
2. **Principle of Least Privilege:** Ensure the Checkmk web application runs with the lowest possible privileges to limit disclosure from the file read vulnerability.
3. **Input Validation Review:** Immediately review and correct custom input escaping logic, especially when injecting data into dynamically generated code in different contexts (like PHP code generation).
## Detection
- **Indicators of Compromise (IoCs):**
* Unusual file access attempts using the `file://` URI scheme against sensitive system paths via NagVis endpoints (`CoreModGeneral.php`).
* Sudden modification or deletion of the `automation.secret` file.
* Execution of unexpected PHP code generated/injected through user-context features utilized by NagVis.
- **Detection Methods and Tools:**
* Web Application Firewalls (WAFs) configured to inspect URLs for the `file://` scheme in parameters associated with content loading functions.
* File Integrity Monitoring (FIM) on critical files like `automation.secret`.
* Monitoring for unexpected PHP execution or function calls originating from the web application process.
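The following Python is an added example (not Checkmk or NagVis code) covering both the hover-URL file read in Step 3 and the detection indicators listed above: a scheme allowlist of the kind the fetching endpoint should enforce, and a detector that applies the same rule to web-server access logs. The request path, parameter names and log lines are constructed for the example, and `SITE_DIR` is a placeholder for the site directory.

```python
# Added example (not Checkmk/NagVis code): a scheme allowlist for a URL that
# the server will fetch on a user's behalf, and a detector that applies the
# same rule to web-server access logs. The request path, parameter names
# and log lines are constructed; SITE_DIR stands in for the site directory.
import re
from urllib.parse import urlsplit, parse_qs

ALLOWED_SCHEMES = {"http", "https"}


def is_safe_hover_url(url: str) -> bool:
    """Allow only absolute http(s) URLs. file://, php://, data: and
    scheme-less values (which file_get_contents() would open as a local
    path) are all rejected; the scheme check is case-insensitive."""
    parts = urlsplit(url.strip())
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


# Combined-log-format request line: client IP and the request target.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"'
)


def scan_access_log(text: str) -> list:
    """Return (client_ip, url) for every hover-URL request whose url
    parameter fails the allowlist, e.g. a file:// read attempt."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        params = parse_qs(target.query)
        hover = "CoreModGeneral" in target.path or params.get("act") == ["getHoverUrl"]
        if not hover:
            continue
        for url in params.get("url", []):   # parse_qs already URL-decodes
            if not is_safe_hover_url(url):
                hits.append((m.group("ip"), url))
    return hits


# Constructed sample: one legitimate hover fetch, one file:// read attempt
# against automation.secret, one unrelated page load.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2023:10:00:01 +0000] "GET /nagvis/server/core/ajax_handler.php?mod=General&act=getHoverUrl&url=https%3A%2F%2Fintranet.example%2Fhover.html HTTP/1.1" 200 512
203.0.113.9 - - [10/Jan/2023:10:00:07 +0000] "GET /nagvis/server/core/ajax_handler.php?mod=General&act=getHoverUrl&url=file%3A%2F%2F%2FSITE_DIR%2Fautomation.secret HTTP/1.1" 200 64
203.0.113.9 - - [10/Jan/2023:10:00:09 +0000] "GET /nagvis/frontend/nagvis-js/index.php HTTP/1.1" 200 4096
"""
```

Calling `scan_access_log(SAMPLE_LOG)` returns only the `file://` request from 203.0.113.9; a WAF or log pipeline can apply `is_safe_hover_url` to the decoded `url` parameter in the same way.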
## References
- Sonar Source Blog Post: hxxps://blog.sonarsource.com/checkmk-rce-chain-3/
- Earlier parts of the series referenced for context: hxxps://blog.sonarsource.com/checkmk-rce-chain-1/ and hxxps://blog.sonarsource.com/checkmk-rce-chain-2/