Centreon 2.6.1 Command Injection Vulnerability

Title: Centreon 2.6.1 Command Injection Vulnerability
Advisory ID: ZSL-2015-5265
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 26.09.2015
Summary
Centreon is the choice of some of the world's largest companies and mission-critical organizations for real-time IT performance monitoring and diagnostics management.
Description
The POST parameter 'persistant', which is used to make a new service run in the background, is not properly sanitised before being used to execute commands. This can be exploited to inject and execute arbitrary shell commands, and the attack can also be delivered through cross-site request forgery.
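A request-body check that could sit in front of an unpatched instance, shown here as an added example that is not part of the advisory or of Centreon's code: it allowlists the 'persistant' POST parameter rather than blocklisting shell metacharacters. The numeric-flag allowlist and the sample bodies are assumptions, since the advisory does not state the parameter's legitimate values.

```python
import re
from urllib.parse import parse_qsl

PARAM = "persistant"                  # spelled as in the advisory
ALLOWED = re.compile(r"[0-9]{1,4}")   # assumption: legitimate value is a short numeric flag


def check_body(body):
    """Return (allowed, reason) for one application/x-www-form-urlencoded POST body."""
    # parse_qsl percent-decodes each name and value once, as the web application would.
    pairs = parse_qsl(body, keep_blank_values=True)
    # PHP also accepts "name[]" / "name[key]" and builds an array from them,
    # so match on the base name rather than the exact key.
    hits = [(k, v) for k, v in pairs if k.split("[", 1)[0] == PARAM]
    if not hits:
        return True, "parameter absent"
    if any(k != PARAM for k, _ in hits):
        return False, "array syntax where a scalar is expected"
    if len(hits) > 1:
        # PHP keeps the last duplicate; refusing all of them avoids having to guess.
        return False, "parameter repeated"
    value = hits[0][1]
    # fullmatch() rejects anything outside the allowlist, including a trailing newline.
    if not ALLOWED.fullmatch(value):
        return False, "value outside allowlist: %r" % value
    return True, "ok"


# Constructed request bodies for illustration; not taken from the advisory or its PoC.
SAMPLES = [
    "o=svc&persistant=1",
    "persistant=1%3Bx",
    "persistant=1&persistant=0",
    "persistant%5B%5D=1",
    "persistant=1%0A",
    "other=a%3Bb",
]

if __name__ == "__main__":
    for body in SAMPLES:
        allowed, reason = check_body(body)
        print("ALLOW" if allowed else "BLOCK", body, "->", reason)
```

A check of this kind covers the injection only; the cross-site request forgery vector still needs the vendor's fixed release.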
Vendor
Centreon - https://www.centreon.com
Affected Version
2.6.1 (CES 3.2)
Tested On
CentOS 6.6 (Final)
Apache/2.2.15
PHP/5.3.3
Vendor Status
[10.08.2015] Vulnerability discovered.
[12.08.2015] Vendor contacted.
[13.08.2015] Vendor replies asking for more details.
[13.08.2015] Sent details to the vendor.
[14.08.2015] Vendor sends details to development team.
[19.08.2015] Asked vendor for status update.
[19.08.2015] Vendor states that some issues were fixed in 2.6.2 and the rest will be fixed in 2.6.3 or 2.7.
[25.08.2015] Asked vendor for status update.
[25.08.2015] Vendor will get back to us by 15th of September because of holidays.
[16.09.2015] No reply from the vendor.
[17.09.2015] Informed vendor about public release.
[17.09.2015] Vendor has released version 2.6.2 fixing the file upload issue. Remaining issues promised to be fixed in next release.
[24.09.2015] Vendor releases version 2.6.3 to fix remaining issues?
[26.09.2015] Public security advisory released.
PoC
centreon_cmdinj.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.6.2.html
[2] https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.6.3.html
[3] https://www.exploit-db.com/exploits/38339/
[4] https://packetstormsecurity.com/files/133754
[5] https://cxsecurity.com/issue/WLB-2015090167
[6] https://exchange.xforce.ibmcloud.com/vulnerabilities/106901
[7] https://secunia.com/advisories/66651/
Changelog
[26.09.2015] - Initial release
[07.10.2015] - Added reference [3], [4], [5] and [6]
[10.11.2015] - Added reference [7]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk