
Add fix to nagios_xi_plugins_check_ping_authenticated_rce.rb to Ensure Old Versions Can Still Be Detected As Being Vulnerable #15063

gwillcox-r7
Contributor

Some old versions of Nagios XI had unusual version numbering such as 5r1.0. Unfortunately whilst testing this PR I forgot to add the regex that is in the other modules to this, which is basically the following line:

# Legacy Nagios XI naming schemes (e.g. 2014R2.7, 2014RC1, 5R1.0) contain letters and
# cannot be parsed by Rex::Version, so they are mapped to a placeholder before comparison.
if /^\d{4}R\d\.\d/.match(nagios_version) || /^\d{4}RC\d/.match(nagios_version) || /^\d{4}R\d\.\d[A-Ha-h]/.match(nagios_version) || nagios_version == '5R1.0'
  nagios_version = '1.0.0' # Set to really old version as a placeholder. Basically we don't want to exploit these versions.
end

The reason this line is necessary before calling Rex::Version::new(nagios_version) is that Rex::Version does not handle cases where the version number contains letters within its contents. Therefore we must set the value of nagios_version to some number. However, as we don't really care about versions older than 5.6.6 in this exploit, as they are all vulnerable anyway, we just set it to 1.0.0 as a placeholder to indicate that this version of Nagios XI is vulnerable.

Note that this fix is applied after the line print_status("Target is Nagios XI with version #{nagios_version}"), so we will still print out the correct version of Nagios XI that is installed on the target, and this fix only affects the logic of determining whether the target is vulnerable or not.

Verification

List the steps needed to make sure this thing works

  • Grab a copy of CentOS 7.
  • Install a really old version of Nagios XI on it such as 5.2.8 or 5.2.7 that has odd naming in its version number (aka the version number has some characters or similar in it).
  • Verify that running the check method now returns the vulnerable version that is installed on the target and that the module now identifies the target as being vulnerable without crashing the module.
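A stand-alone illustration of the version-normalisation workaround described in this PR, added here as an example; it is not the module's code nor anything from the Metasploit code base. Ruby's built-in Gem::Version stands in for Rex::Version (the assumption being that both reject version strings containing letters, which is what the PR describes), the "fixed-in" version it compares against is a caller-supplied placeholder since the page only states that everything below 5.6.6 is vulnerable, and the catch-all for other unparseable strings goes beyond the PR's own special cases.

```ruby
# Added example (not from the module): reproduce the check-method crash on
# legacy Nagios XI version strings and show the placeholder workaround.
# Gem::Version (Ruby standard library) stands in for Rex::Version here.

# Placeholder used for legacy, unparseable versions, as in the PR.
PLACEHOLDER_VERSION = '1.0.0'.freeze

# Legacy naming schemes the PR special-cases, e.g. 2014R2.7, 2014RC1, 5R1.0.
LEGACY_VERSION_PATTERNS = [
  /^\d{4}R\d\.\d/,          # 2014R2.7
  /^\d{4}RC\d/,             # 2014RC1
  /^\d{4}R\d\.\d[A-Ha-h]/   # 2014R2.7B (already covered by the first pattern; kept for parity with the PR)
].freeze

def legacy_version?(raw)
  LEGACY_VERSION_PATTERNS.any? { |re| re.match(raw) } || raw == '5R1.0'
end

# Pre-fix behaviour: hand the raw string straight to the version parser.
# Gem::Version raises ArgumentError ("Malformed version number string") on
# strings such as '2014R2.7'; this is the crash the PR fixes.
def naive_vulnerable?(raw, fixed_in:)
  Gem::Version.new(raw) < Gem::Version.new(fixed_in)
end

# Post-fix behaviour: map legacy strings to the placeholder first so the
# comparison always runs. Only the comparison input is rewritten; the caller
# keeps the original string for display, as the module does.
def normalize_nagios_version(raw)
  return PLACEHOLDER_VERSION if legacy_version?(raw)
  # Assumption beyond the PR: any other string the parser rejects is also
  # treated as ancient rather than raising, so an unexpected format cannot
  # crash the check.
  return PLACEHOLDER_VERSION unless Gem::Version.correct?(raw)
  raw
end

# fixed_in is an assumed threshold supplied by the caller; the page does not
# state the first patched version, only that everything below 5.6.6 is affected.
def vulnerable?(raw, fixed_in:)
  Gem::Version.new(normalize_nagios_version(raw)) < Gem::Version.new(fixed_in)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs; '5.7.0' is a placeholder threshold for the demo.
  fixed_in = '5.7.0'
  %w[2014R2.7 2014RC1 5R1.0 5.2.8 5.6.6 5.7.0].each do |v|
    puts "#{v.ljust(10)} -> normalized #{normalize_nagios_version(v).ljust(8)} vulnerable? #{vulnerable?(v, fixed_in: fixed_in)}"
  end
  begin
    naive_vulnerable?('2014R2.7', fixed_in: fixed_in)
  rescue ArgumentError => e
    puts "naive check crashed: #{e.message}"
  end
end
```

Running the file prints the normalised value and verdict for each constructed version string, then shows the ArgumentError the naive parse raises for 2014R2.7, which is the failure mode the module hit before this fix.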

…still be detected as vulnerable despite unusual version naming convention
@gwillcox-r7
Contributor Author

Confirmed this seems to be working as expected:

msf6 exploit(linux/http/nagios_xi_plugins_check_plugin_authenticated_rce) > show options

Module options (exploit/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   FINISH_INSTALL  false            no        If the Nagios XI installation has not been completed, try to do so. This includes s
                                              igning the license agreement.
   PASSWORD                         yes       Password to authenticate with
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                           yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT           80               yes       The target port (TCP)
   SRVHOST         0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the lo
                                              cal machine or 0.0.0.0 to listen on all addresses.
   SRVPORT         8080             yes       The local port to listen on.
   SSL             false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI       /nagiosxi/       yes       The base path to the Nagios XI application
   URIPATH                          no        The URI to use for this exploit (default is random)
   USERNAME        nagiosadmin      yes       Username to authenticate with
   VHOST                            no        HTTP server virtual host


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Linux (x64)


msf6 exploit(linux/http/nagios_xi_plugins_check_plugin_authenticated_rce) > set LHOST 172.21.163.243
LHOST => 172.21.163.243
msf6 exploit(linux/http/nagios_xi_plugins_check_plugin_authenticated_rce) > set PASSWORD nagiosadmin
PASSWORD => nagiosadmin
msf6 exploit(linux/http/nagios_xi_plugins_check_plugin_authenticated_rce) > set RHOSTS 172.21.168.44
RHOSTS => 172.21.168.44
msf6 exploit(linux/http/nagios_xi_plugins_check_plugin_authenticated_rce) > check

[*] Attempting to authenticate to Nagios XI...
[+] Successfully authenticated to Nagios XI
[*] Target is Nagios XI with version 2014R2.7
[*] 172.21.168.44:80 - The target appears to be vulnerable.
msf6 exploit(linux/http/nagios_xi_plugins_check_plugin_authenticated_rce) >

@gwillcox-r7 gwillcox-r7 added the rn-fix release notes fix label Apr 19, 2021
@gwillcox-r7 gwillcox-r7 merged commit 3b1512e into rapid7:master Apr 19, 2021
@gwillcox-r7 gwillcox-r7 self-assigned this Apr 19, 2021
@gwillcox-r7
Contributor Author

gwillcox-r7 commented Apr 19, 2021

Release Notes

Fixed a bug in the check logic of the nagios_xi_plugins_check_ping_authenticated_rce module whereby older versions of Nagios XI may have caused the module to crash instead of correctly reporting a target as being vulnerable or not.

@gwillcox-r7 gwillcox-r7 deleted the fix-nagios-xi-check-ping-rce-check-method branch April 19, 2021 23:56
Labels
bug module rn-fix release notes fix