lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 26 Jun 2018 10:20:39 -0500
From: "Josh Berry" <>
To: <>
Subject: PRTG < 18.2.39 Command Injection


I (Josh Berry) discovered an authenticated command injection vulnerability
in the “Demo” PowerShell notification script provided by versions of PRTG
Network Monitor prior to 18.2.39.  The PowerShell notifications demo script
on versions of the application prior to 18.2.39 do not properly sanitize
input in the “Parameter” field.  The web application provides a security
control around running executables/scripts as part of a notification, but
the demo PowerShell script contains a command injection vulnerability.  As a
proof of concept, the following value can be passed in the “Parameter”
field, resulting in the creation of a test account named “pentest”:

              Test.txt;net user pentest p3nT3st! /add

This bypasses the security control in place for the application.  I notified
Paessler AG, the developer of the application, and they have since patched
the issue and assigned a CVE of CVE-2018-9276.  Additional details are
provided below:

# Vulnerability Title: PRTG < 18.2.39 Command Injection Vulnerability
# Google Dork: N/A, but more details at: 
# Date: Initial report: 2/14/2018, disclosed on 6/25/2018
# Exploit Author: Josh Berry
# Vendor Homepage:  
# Software Link: 
# Vulnerable Version Tested:
# Patched Version: 18.2.39
# Tested on: Windows 7 and Windows Server 2012 R2
# CVE : CVE-2018-9276

Outside of patching, a workaround would be to just remove the PowerShell
demo script from the notifications directory found in the documentation: 

Note that exploiting this issue requires authenticated access.  The tool
installs with the default credentials of “prtgadmin / prtgadmin”
-the-prtg-web-interface-and-enterprise-console-how-to-change), and it is
common for organizations to leave defaults in place or take time in changing
them based on my penetration testing experience. 


Josh Berry, OSCP & GCIA Gold
Project Lead - CodeWatch

Cell 469.831.8543 | |

Powered by blists - more mailing lists