Software

Xymon http://xymon.sourceforge.net/

Versions affected: All 4.3 versions prior to 4.3.25 as well as 4.1.x and 4.2.x

Shell command injection in the “useradm” and “chpasswd” web applications

The useradm and chpasswd web applications may be used to administer passwords for user authentication in Xymon, acting as a web frontend to the Apache “htpasswd” application. The htpasswd command is invoked via a shell command built from the submitted form parameters, so it is possible to inject arbitrary commands into that command line and have them executed with the privileges of the webserver (CGI) user.

This bug can only be triggered by web users with access to the Xymon webpages, who are already authenticated as Xymon users. However, when combined with CVE-2016-2055 which allows for off-line cracking of password hashes, this bug may be exploitable by others.

Technical Background

The following request will escape the intended command and append another command (in this case a ping).

The process list on the host shows that the malicious command is executed:

The USERNAME POST parameter is affected by this behavior as well.

Solution

The following patch was created by the Xymon authors. It handles the parameters used to construct the complete command string more carefully.
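To make the defect and the fix concrete for readers who do not have the patch in front of them, here is an added example in C (the language of the Xymon CGIs). It is illustrative code written for this advisory, not Xymon's own code or the authors' patch. It contrasts the unsafe pattern (pasting form fields into a shell command line) with a hardened path that validates the username against an allowlist, rejects control characters in the password, and runs htpasswd through execv with an argument vector so that no shell ever parses the input. The password-file path and the htpasswd location are hypothetical constants; the real CGIs take them from Xymon's configuration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical locations; Xymon reads the real ones from its configuration. */
#define HTPASSWD_BIN  "/usr/bin/htpasswd"
#define HTPASSWD_FILE "/var/lib/xymon/xymonpasswd"

/* Unsafe pattern: user-controlled fields are pasted into one string that a
 * shell will later parse. Anything the shell treats specially (';', '|',
 * '`', '$(...)') survives intact. Shown only so the defect is visible;
 * nothing in this example executes the resulting string. */
int shell_command_unsafe(const char *user, const char *pass, char *buf, size_t len)
{
    int n = snprintf(buf, len, "htpasswd -b %s %s %s", HTPASSWD_FILE, user, pass);
    return (n >= 0 && (size_t)n < len) ? 0 : -1;
}

/* Allowlist for usernames: letters, digits, '.', '_' and '-', 1..63 bytes,
 * and no leading '-' (htpasswd would read that as an option). */
int is_safe_username(const char *user)
{
    size_t i, len;
    if (user == NULL) return 0;
    len = strlen(user);
    if (len == 0 || len > 63 || user[0] == '-') return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Passwords are hashed by htpasswd, so they may contain punctuation, but we
 * still refuse empty values, control characters (CR/LF would corrupt the
 * file) and a leading '-' (again an option to htpasswd). */
int is_safe_password(const char *pass)
{
    size_t i, len;
    if (pass == NULL) return 0;
    len = strlen(pass);
    if (len == 0 || len > 255 || pass[0] == '-') return 0;
    for (i = 0; i < len; i++) {
        if (iscntrl((unsigned char)pass[i])) return 0;
    }
    return 1;
}

/* 0 if both fields pass, -1 for a bad username, -2 for a bad password. */
int validate_credentials(const char *user, const char *pass)
{
    if (!is_safe_username(user)) return -1;
    if (!is_safe_password(pass)) return -2;
    return 0;
}

/* Build an argv for execv: every field is its own argument, so the shell's
 * metacharacters never get a chance to act. Returns the argument count
 * (excluding the terminating NULL) or -1 if validation fails. */
int build_htpasswd_argv(const char *user, const char *pass, const char *argv[], size_t max)
{
    if (max < 6 || validate_credentials(user, pass) != 0) return -1;
    argv[0] = HTPASSWD_BIN;
    argv[1] = "-b";
    argv[2] = HTPASSWD_FILE;
    argv[3] = user;
    argv[4] = pass;
    argv[5] = NULL;
    return 5;
}

/* Run htpasswd without a shell. Returns htpasswd's exit status, or -1 when
 * validation fails (before any process is created) or fork/exec fails. */
int run_htpasswd(const char *user, const char *pass)
{
    const char *argv[6];
    pid_t pid;
    int status;

    if (build_htpasswd_argv(user, pass, argv, 6) < 0) return -1;
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);  /* only reached if exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs: a benign username and one carrying a shell metacharacter. */
    char buf[256];
    shell_command_unsafe("alice; ping host", "s3cret", buf, sizeof buf);
    printf("unsafe command line would be: %s\n", buf);
    printf("validate(\"alice\") = %d\n", validate_credentials("alice", "s3cret"));
    printf("validate(\"alice; ping host\") = %d\n", validate_credentials("alice; ping host", "s3cret"));
    return 0;
}
```

The important property is that run_htpasswd never hands a user-supplied byte to a shell: rejected input is refused before fork, and accepted input reaches htpasswd as discrete argv entries. Note that passing the password with -b still exposes it in the process list of the host, as the advisory's process listing illustrates for the injected command; a stricter deployment would feed it over stdin instead of argv.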

Time Line

2016-01-06 – Reported vulnerability to authors

2016-02-08 – Vulnerability has been fixed in Xymon version 4.3.25.

Resources

https://sourceforge.net/p/xymon/news/2016/02/xymon-4325-released--security-update/