Add Nagios XI Plugins Filename Authenticate RCE module and docs (CVE-2020-35578) #14700
Conversation
This is exploitable since 5.4.4 and possibly earlier. It is not exploitable in 5.2.3. Unfortunately I don't have any 5.3.x systems to test.

NagiosXI 5.7.5 (success)
NagiosXI 5.6.0 (success)
NagiosXI 5.5.0 (success)
NagiosXI 5.4.10 (success)
NagiosXI 5.4.4 (success)
NagiosXI 5.2.3 (fail)
Nagios XI 5.3.0 is also vulnerable, so I will assume the vulnerable range (inclusive) is 5.3.0 - 5.7.9.

Nagios XI 5.3.0 (success)
The latest commit uses the updated mixin and updates the version and docs.

Nagios XI 5.3.0 running on CentOS 7 - Linux target
Nagios XI 5.7.5 running on CentOS 7 - CMD target
modules/exploits/linux/http/nagios_xi_plugins_filename_authenticated_rce.rb
    when 1..3
      return CheckCode::Unknown(res_array[0])
    when 5 # the Nagios XI license agreement still has not been signed
      return CheckCode::Detected('Failed to sign the license agreement.')
    end
See my discussion on your other PR at #14701 (comment) re: not handling cases where the result is 0 or 4 here, and how this can lead to issues down the line.

Note this also affects your @auth_cookies line below, but I have minimized this to one comment for brevity's sake.
See https://github.com/rapid7/metasploit-framework/pull/14701/files#r612653906 for more info. Basically this problem is still valid but after further discussion it was determined to be unlikely to be encountered. We will still leave this issue open for future travelers though.
    print_good('Successfully authenticated to Nagios XI')

    # Obtain the Nagios XI version
    @auth_cookies = res_array[1] # if we are here, this cannot be nil since the mixin checks for that already
Again see discussion above, this value can actually be nil in the case where login_result is 4.
Copied from https://github.com/rapid7/metasploit-framework/pull/14701/files#r612660759:
Right, so technically speaking the only cases that we can hit here are 0 and 4; the other cases will be caught by the checks above. As mentioned at https://github.com/rapid7/metasploit-framework/pull/14701/files?file-filters%5B%5D=.rb#r612656355, whilst it is possible that case 4 could be encountered, at this point it is very unlikely given the checks that will have occurred previously, and if such a case does happen it would mean that something is seriously wrong with the Nagios XI install.

When login_result is 0 though, the result will be [0, [res_index.body, auth_cookies]], in which case this makes sense.

I will leave this comment here as a warning though, as if the mixin does expand and, let's say, option 6 is added where the second element is not an array containing at least two elements, then this line will end up failing, so caution is advised.
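The two review threads above both come down to the same defensive point: the `case` in `check` only names result codes 1..3 and 5, so a code of 4 (where the second element is nil) or any future code falls through to `res_array[1]` and is indexed as if it were a `[body, cookies]` pair. The block below is an added example written for this discussion, not code from the PR or from the Metasploit Nagios XI mixin. It assumes a hypothetical login contract modelled on the thread (0 => `[index_body, auth_cookies]`, 1..3 => error string, 4 => nil, 5 => license unsigned) and stubs a minimal `CheckCode` so it runs stand-alone; the real framework's `CheckCode` and mixin are not reproduced here.

```ruby
# Added example: exhaustively classify a login result array so that a nil
# payload (code 4) or an unknown code can never reach res_array[1][1].
#
# Assumed (hypothetical) contract, modelled on the review discussion:
#   [0, [index_body, auth_cookies]]  success
#   [1..3, "error message"]           failure with a message
#   [4, nil]                          unexpected state, no data
#   [5, nil]                          license agreement not signed
# Anything else is treated as unknown rather than indexed blindly.

# Minimal stand-in for Msf::Exploit::CheckCode (NOT the framework's class).
module CheckCode
  Result = Struct.new(:name, :message)
  def self.Unknown(msg = nil)  ; Result.new(:unknown,  msg) ; end
  def self.Detected(msg = nil) ; Result.new(:detected, msg) ; end
end

# Returns [check_code, session]:
#   check_code is non-nil when the caller must stop and return it,
#   session    is { body:, cookies: } only on a validated code-0 result.
def classify_login(res_array)
  code, data = res_array
  case code
  when 0
    # Validate the shape before indexing; a future code that returns a
    # different second element must not crash here.
    unless data.is_a?(Array) && data.size >= 2 && data[1]
      return [CheckCode::Unknown('Login reported success but returned no session cookies'), nil]
    end
    body, cookies = data
    [nil, { body: body, cookies: cookies }]
  when 1..3
    [CheckCode::Unknown(data.to_s), nil]
  when 4
    # The thread notes data is nil here; name the case instead of falling through.
    [CheckCode::Unknown('Unexpected login state (result 4); the Nagios XI install may be broken'), nil]
  when 5 # the Nagios XI license agreement still has not been signed
    [CheckCode::Detected('Failed to sign the license agreement.'), nil]
  else
    [CheckCode::Unknown("Unhandled login result code #{code.inspect}"), nil]
  end
end

# Constructed sample inputs, one per branch.
if __FILE__ == $PROGRAM_NAME
  [[0, ['<html>index</html>', 'nagiosxi=deadbeef']], [2, 'bad credentials'],
   [4, nil], [5, nil], [6, 'something new'], [0, nil]].each do |r|
    code, session = classify_login(r)
    puts "#{r.inspect} => #{code ? "#{code.name}: #{code.message}" : "proceed with #{session[:cookies]}"}"
  end
end
```

The caller keeps the original two-line shape (`code, session = classify_login(res_array); return code if code`) and only touches `session[:cookies]` after the shape check has passed, so adding a code 6 to the mixin later degrades to an `Unknown` result instead of a `NoMethodError` on nil.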
Alright, I resolved all issues minus the two that we agreed would remain open, as there is little chance of them being hit, but we wanted to make people aware of the issue in case they encounter it in the future. The rest will be fixed in a commit I will push up in a second, after which I will then start testing.
Alright so looks like I did find a small error which we may also have to fix in the previous PR I landed as well. In particular in the
The problem with this is that depending on the release,
Exploit works brilliantly on a Nagios XI 5.5.6 target, will upload updated documentation shortly. Seems it's just the issue mentioned above that I'll need to address.
Alright, I came up with this regex which should help prevent the issue above:

Note that because of the print_status output we will still print out the correct target version. Oh, and with this update we now get the right output:
…e cases where the version number may not be in a format that Rex::Text can immediately handle.
Release Notes

New module
About

This change adds a module to modules/exploit/linux/http/ that exploits an OS command injection vulnerability (CVE-2020-35578) in Nagios XI version 5.7.X (and possibly older versions) to achieve remote code execution as the apache user. The check method takes advantage of the Nagios XI mixin introduced in PR #14697. This PR also adds documentation.

Vulnerable Application

Nagios XI version 5.7.X (and possibly older versions)
Verification Steps
use exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce
set RHOSTS [IP]
set USERNAME [username for the Nagios XI account]
set PASSWORD [password for the Nagios XI account]
set target [target]
set payload [payload]
set LHOST [IP]
exploit
Options

PASSWORD
The password for the Nagios XI account to authenticate with.

TARGETURI
The base path to Nagios XI. The default value is /nagiosxi/.

USERNAME
The username for the Nagios XI account to authenticate with. The default value is nagiosadmin.

Targets
Scenarios
Nagios XI 5.7.3 running on CentOS 7 - Linux target
Nagios XI 5.7.3 running on CentOS 7 - CMD target