Improve NagiosXI authenticated exploit modules to increase resilience and for use with Autocheck disabled

[k0pak4]

Summary

During the course of #17494 there were several concerns with how the NagiosXI login mixin was being used in the check method, which prevents the module from working when Autocheck is disabled. Additionally, other improvements were made including cleaner regexes in version detection, nil checks on objects that were assumed to be not nil, and other improvements. After examining the other NagiosXI modules the following modules should be modified to also take advantage of these improvements:

• modules\exploits\linux\http\nagios_xi_autodiscovery_webshell.rb
• modules\exploits\linux\http\nagios_xi_mibs_authenticated_rce.rb
• modules\exploits\linux\http\nagios_xi_plugins_check_plugin_authenticated_rce.rb
• modules\exploits\linux\http\nagios_xi_plugins_filename_authenticated_rce.rb

Improvements

• Move the authentication to its own function, and call it in check and exploit when necessary (Add NagiosXI authenticated RCE (CVE-2021-25296, CVE-2021-25297,CVE-2021-25298) exploit module #17494 (comment))
• Use better regexes for version detection (Add NagiosXI authenticated RCE (CVE-2021-25296, CVE-2021-25297,CVE-2021-25298) exploit module #17494 (comment))
• Refactor case statements to use accurate error codes, error messages, and Failure codes (Add NagiosXI authenticated RCE (CVE-2021-25296, CVE-2021-25297,CVE-2021-25298) exploit module #17494 (comment))
• Improve documentation to give detailed installation instructions (see documentation\modules\exploit\linux\http\nagios_xi_configwizards_authenticated_rce.md)
• Improve lib\msf\core\exploit\remote\http\nagios_xi\login.rb to make the return structure consistent (currently reversed on failure from success) (Add NagiosXI authenticated RCE (CVE-2021-25296, CVE-2021-25297,CVE-2021-25298) exploit module #17494 (comment))

Generally, these modules can also be cleaned up and shortened similarly to how the config wizards RCE module was through PR.

Motivation

Currently, these modules will fail with AutoCheck disabled, so we want to improve that first and foremost. Additionally, the version checking and error codes will provide more support when running the modules against old versions of NagiosXI.

Vulnerable Software

In general, older versions of NagiosXI can be found:

• As an OVA (replace version number in the link to the one you want to download): https://assets.nagios.com/downloads/nagiosxi/5/ovf/nagiosxi-5.7.5-64.ova
• As a package: https://www.nagios.com/downloads/nagios-xi/older-releases/

documentation\modules\exploit\linux\http\nagios_xi_configwizards_authenticated_rce.md has detailed installation instructions if help is needed on install

[Sidharthareddy99]

I want to work on this issue please assign me this issue.

[gwillcox-r7]

@Sidharthareddy99 Your assigned now, let me know if you need additional info on anything.

[k0pak4]

Yup feel free to ask questions if you need @Sidharthareddy99 , it's very top of mind at the moment 😅

[gwillcox-r7]

Unassigning for now, if a PR is put up though I can reassign. We mostly use assignment internally to track who is working on what. Anyone is free to put up a PR to fix an issue at any time, at which point we can look into assigning people at that point

[XEHIL]

Can I get to work on this? I'd like to contribute.

[gwillcox-r7]

Sure @XEHIL, feel free to take it on 👍 Do you need help forking the repo? I see you haven't done so yet.

[XEHIL]

@gwillcox-r7 thank you. I was waiting for the issue to be assigned.

[gwillcox-r7]

#17820 resolves most of these issues however the final two points still stand. Reopening this issue as they will need to be addressed before we can consider this truly fixed.

[AlejandroCantu]

Hi @gwillcox-r7 I am a student at UT Austin in the Ethical Hacking class who would like to contribute on this issue as a final project for the class. I see the final two points stand, but upon reading this comment, it seems there is deeper structural changes and checks to pass if the order of the return values of visit_nagios_dashboard change? I'm not sure I fully understand the issue because the place where visit_nagios_dashboard is called does not use the return values. Could you help me understand where these return values from visit_nagios_dashboard are used?

[gwillcox-r7]

Hi @gwillcox-r7 I am a student at UT Austin in the Ethical Hacking class who would like to contribute on this issue as a final project for the class. I see the final two points stand, but upon reading this comment, it seems there is deeper structural changes and checks to pass if the order of the return values of visit_nagios_dashboard change? I'm not sure I fully understand the issue because the place where visit_nagios_dashboard is called does not use the return values. Could you help me understand where these return values from visit_nagios_dashboard are used?

So as for the issue I think the main problem is seen at

metasploit-framework/lib/msf/core/exploit/remote/http/nagios_xi/login.rb

Lines 251 to 257 in f6c8181

	return [5, [auth_cookies, nsp]]
	end
	# Return the HTTP resonse body and the authentication cookies.
	# The response body can be used to obtain the version number.
	# The cookies can be used by exploit modules to send authenticated requests.
	[0, [res_index.body, auth_cookies]]

where we can see that for one response the response cookies come first and then the response body and yet in another response the response body comes first and then the cookies.

Ideally we should be using hashes here as well instead of arrays to prevent issues related to positional issues. However we decide to do this though, all calling code will need to be updated to account for the changes that we make.

As for where the return codes from visit_nagios_dashboard are used, you will want to see where it is called from first. Sourcegraph is a great tool to help with this. https://sourcegraph.com/github.com/rapid7/metasploit-framework with context:global repo:^github\.com/rapid7/metasploit-framework$ is a good start and then we can search for visit_nagios_dashboard there.

Looking for this shows one reference at https://sourcegraph.com/github.com/rapid7/metasploit-framework/-/blob/lib/msf/core/exploit/remote/http/nagios_xi/login.rb?L180 which is in the nagios_xi_login function. Click on that function name and then "View References" and you should see about 15 references from where that is called.

Let me know if that is clear or not, I know code navigation took some time for me to wrap my head around so I'm happy to help with any questions you might have 👍

[AlejandroCantu]

Grant, I've got a solution that standardizes the authentications in the NagiosXI Scanner and one of the older exploits to not directly call nagios_xi_login, but use authenticate, like nagios_xi_configwizards_authenticated_rce.rb.

Firstly, I changed the order of the return from visit_nagios_dashboard and changed authenticate accordingly. Also made a small change to extract_auth_cookies for the new format, which doesn't break anything else since this is the only call to extract_auth_cookies.

I then changed around some comments to be more accurate.

Take a look at my PR when you can! I have the code there so you can take an initial look at it but I neeed to test these modules out myself now.

[nrathaus]

@k0pak4 this issue seems to have been resolved - can you comment

[k0pak4]

@nrathaus it looks like the last two requirements are not resolved as far as I can tell? The PR addressing the last one was closed with an attic tag, and from what I see the response codes still are sent in the same format? Unless I'm missing something I don't think the last requirement is addressed

[nrathaus]

Previous versions of NagiosXI are listed here: https://assets.nagios.com/downloads/nagiosxi/versions.php

[k0pak4]

@nrathaus yes the previous versions are also listed in the original description, but I don't think this is fully addressed