Glances Central Browser Mode Credential Leak Vulnerability via Zeroconf Spoofing

Vulnerability

A vulnerability in Glances, an open-source cross-platform system monitoring tool, allows for the exfiltration of reusable authentication credentials in Central Browser mode. Prior to version 4.5.2, Glances improperly trusted Zeroconf-advertised server names for dynamic servers, leading to a credential leak. When a dynamic server, advertised as 'protected', is accessed, Glances uses the untrusted name to look up saved passwords and generate connection URIs. This flaw enables an attacker on the same local network to spoof a Glances service, causing the victim's browser to send authentication secrets to an attacker-controlled host. The vulnerability affects both background polling and REST/WebUI interactions in Central Browser mode.

Impact

Exploitation of this vulnerability allows for the unauthorized retrieval of Glances authentication credentials from users running Central Browser mode with saved passwords. The captured credentials, in the form of a hashed password, can be reused to authenticate against other Glances servers that accept the same credentials.

Reproduction

To reproduce this vulnerability, first, save a password in the Glances configuration file under the [passwords] section. Then, start Glances in Central Browser mode with autodiscovery enabled. On an attacker-controlled machine within the same network, advertise a fake Glances service using Zeroconf, mimicking a real server. Once the victim's Glances application recognizes the fake service as 'protected', it will automatically send a hashed version of the saved password to the attacker-controlled host.

Remediation

Users should update to Glances version 4.5.2, which addresses this vulnerability by ensuring that the application uses the discovered IP address for dynamic servers instead of the advertised name. Additionally, the updated version prevents dynamic server entries from inheriting saved or default credentials, requiring manual authentication for each server.
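The following Python model illustrates the lookup flaw described in the Vulnerability section and the two fixes described in the Remediation section: keying the connection on the discovered IP address rather than the advertised Zeroconf name, and refusing to let dynamic entries inherit saved or default credentials. This is added example code, not Glances' own implementation; the data class, function names, URI shape, the [passwords] entries and the 192.0.2.0/24 addresses are constructed for the example.

```python
"""Illustrative model of the Glances Central Browser credential lookup,
before and after the 4.5.2 fix. Example code, not Glances' source."""
from dataclasses import dataclass
from typing import Optional, Tuple
import hashlib


@dataclass(frozen=True)
class DiscoveredServer:
    name: str        # advertised Zeroconf service name (attacker-controllable)
    address: str     # IP address the resolver actually returned
    port: int
    protected: bool  # advertised "protected" flag
    dynamic: bool = True  # True for autodiscovered entries, False for static config


# Constructed stand-in for the [passwords] section: name -> stored hash.
SAVED_PASSWORDS = {
    "monitoring-01": hashlib.sha256(b"example-secret").hexdigest(),
}

# Constructed discovery results (documentation address range).
LEGITIMATE = DiscoveredServer("monitoring-01", "192.0.2.10", 61208, protected=True)
SPOOFED = DiscoveredServer("monitoring-01", "192.0.2.99", 61208, protected=True)


def vulnerable_connection(server: DiscoveredServer,
                          saved: dict) -> Tuple[str, Optional[str]]:
    """Pre-4.5.2 behaviour: the advertised name drives both the password
    lookup and the connection URI, so a spoofed name with a matching
    [passwords] entry gets the stored secret sent to whatever host the
    name resolves to."""
    host = server.name
    secret = saved.get(server.name) if server.protected else None
    uri = f"http://{host}:{server.port}/"   # simplified URI shape (assumption)
    return uri, secret


def hardened_connection(server: DiscoveredServer,
                        saved: dict) -> Tuple[str, Optional[str]]:
    """4.5.2 behaviour as described in the advisory: connect to the
    discovered IP, and never attach saved or default credentials to a
    dynamic entry; the caller must prompt the user instead."""
    host = server.address
    uri = f"http://{host}:{server.port}/"   # simplified URI shape (assumption)
    if server.dynamic:
        return uri, None
    secret = saved.get(host) if server.protected else None
    return uri, secret


def leaks_secret(server: DiscoveredServer, saved: dict, hardened: bool) -> bool:
    """True when the chosen lookup would send a stored secret to a host
    whose address differs from the one the saved entry was created for."""
    lookup = hardened_connection if hardened else vulnerable_connection
    _, secret = lookup(server, saved)
    return secret is not None and server.address != LEGITIMATE.address


if __name__ == "__main__":
    for label, srv in (("legitimate", LEGITIMATE), ("spoofed", SPOOFED)):
        print(label, "vulnerable:", vulnerable_connection(srv, SAVED_PASSWORDS))
        print(label, "hardened:  ", hardened_connection(srv, SAVED_PASSWORDS))
```

Run against the spoofed entry, the vulnerable path returns the stored hash for "monitoring-01" together with a URI built from the spoofable name, while the hardened path returns the discovered address and no credential at all, which is the behaviour the 4.5.2 update enforces for every dynamic server.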

Added: Mar 18, 2026, 7:00 PM
Updated: Mar 18, 2026, 7:00 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.5
exploitability: 5.8
remediation: 0.0
relevance: 4.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.