module

PRTG Network Monitor Authenticated RCE

Disclosed
2018-06-25
Created
2021-01-28

Description

Notifications can be created by an authenticated user and can execute scripts when triggered.
Because the script name is poorly validated, a user-supplied command can be chained to it, allowing command execution in the context of a privileged user.
The module uses the provided credentials to log in to the web interface, then creates and triggers a malicious notification to perform RCE using a PowerShell payload.
It may require a few tries to get a shell because notifications are queued up on the server.
This vulnerability affects versions prior to 18.2.39. See references for more details about the vulnerability allowing RCE.

Authors

Josh Berry josh.berry@codewatch.org
Julien Bedel contact@julienbedel.com

Platform

Windows

Architectures

x86, x64

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


msf > use exploit/windows/http/prtg_authenticated_rce
msf exploit(prtg_authenticated_rce) > show targets
...targets...
msf exploit(prtg_authenticated_rce) > set TARGET <target-id>
msf exploit(prtg_authenticated_rce) > show options
...show and set options...
msf exploit(prtg_authenticated_rce) > exploit
