
Add NagiosXI authenticated RCE (CVE-2021-25296, CVE-2021-25297, CVE-2021-25298) exploit module #17494

Merged
merged 17 commits into from
Feb 7, 2023

Conversation

k0pak4
Contributor

@k0pak4 k0pak4 commented Jan 18, 2023

This PR adds an exploit module for three CVEs (CVE-2021-25296, CVE-2021-25297, CVE-2021-25298) that perform command injection against NagiosXI 5.7.5. It utilizes the Nagios login mixin for target verification and authentication.

Verification

  • Start msfconsole
  • use exploit/linux/http/nagios_xi_configwizards_authenticated_rce
  • set RHOSTS TARGET_IP
  • set RPORT 443
  • set SSL true
  • set USERNAME USER
  • set PASSWORD PASSWORD
  • set TARGET_URL_PARAM plugin_output_len
  • set LHOST YOUR_IP
  • set LPORT YOUR_LISTENING_PORT
  • run

Vulnerable Software

The easiest way to test is against the official OVA (https://assets.nagios.com/downloads/nagiosxi/5/ovf/nagiosxi-5.7.5-64.ova), but installing it manually on Linux is also an option.


@k0pak4
Contributor Author

k0pak4 commented Jan 20, 2023

FWIW the lint failure appears to be unrelated; the error is about a file read issue, and it can't be rerun.

@gwillcox-r7
Contributor

gwillcox-r7 commented Jan 20, 2023

@k0pak4 Seems like this was a GitHub cache issue that caused a failure due to a missed cache hit. I reran the checks, so things should now pass.

@k0pak4
Contributor Author

k0pak4 commented Jan 20, 2023

Thanks @gwillcox-r7 ! Normally I can rerun failed checks, but maybe I couldn't this time because it's a PR based check and not a normal branch one 🤷‍♂️ Appreciate the assist!

@gwillcox-r7
Contributor

Thanks @gwillcox-r7 ! Normally I can rerun failed checks, but maybe I couldn't this time because it's a PR based check and not a normal branch one 🤷‍♂️ Appreciate the assist!

Yeah, a few of them normal people can't rerun. Not sure why that one specifically was blocked, but I know we had some security concerns recently about bots running automatically on code, so it may have been updated as part of that set of fixes 🤷

@k0pak4 k0pak4 requested review from gwillcox-r7 and removed request for dwelch-r7 January 31, 2023 16:22
@gwillcox-r7 gwillcox-r7 self-assigned this Jan 31, 2023
Contributor

@gwillcox-r7 gwillcox-r7 left a comment


Haven't fully reviewed the check method but left some comments on what needs fixing in the meantime. Once this is fixed up I can take a look over the check code again since the module will likely need some adjustments to fix some of the issues mentioned.

@k0pak4
Contributor Author

k0pak4 commented Feb 2, 2023

@gwillcox-r7 I addressed all of the PR comments except for testing prior NagiosXI versions. I'll do that today but wanted to push the rest up in the meantime. If older versions hit, I'll update the code & docs to reflect that. The biggest changes are: adding switch wizard support, moving authenticate to a separate function, performing the authenticate either in check or exploit to support not using autocheck but without authenticating twice, and changing the target parameter to be the wizard. I'll wait for feedback before opening an issue for the other NagiosXI module I saw using a similar check style. I'll probably end up doing that myself now that I have a good NagiosXI workflow/environment but in case I don't I want to make sure it doesn't slip through the cracks.

@gwillcox-r7
Contributor

Thanks @k0pak4 will go through this now and review 👍

@k0pak4
Contributor Author

k0pak4 commented Feb 2, 2023

Thanks @gwillcox-r7 . Turns out it's actually vulnerable from 5.5.6 to 5.7.5. Before 5.5.8, the ip_address parameter is named address, so I had to re-work some of the check to have authenticate also set the version string since it has the response body available. Thanks for the suggestion to check older versions! I'll send in update requests for the CVEs to reflect that.
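The version-gating logic described in the comment above, as an added example that is not the module's own code: given a post-login response body, it extracts the NagiosXI version, decides whether the install falls in the affected 5.5.6 to 5.7.5 range, and selects the wizard parameter name (`address` before 5.5.8, `ip_address` from 5.5.8 on). The `VERSION_RE` pattern and the sample HTML are assumptions for illustration; the real page markup may differ.

```ruby
# Added example, not from the Metasploit module. Uses plain Ruby so it runs
# outside the framework; Gem::Version handles dotted version comparison.
require 'rubygems'

AFFECTED_MIN = Gem::Version.new('5.5.6')   # first affected release per the PR
AFFECTED_MAX = Gem::Version.new('5.7.5')   # last affected release per the PR
PARAM_RENAME = Gem::Version.new('5.5.8')   # "address" became "ip_address" here

# Assumption: the version appears as "Nagios XI x.y.z" somewhere in the
# post-login HTML. Adjust the regex to match the real response.
VERSION_RE = /Nagios\s*XI\s*(\d+\.\d+\.\d+)/i

# Pull the version string out of the response body, or nil if absent.
def extract_version(body)
  m = body.to_s.match(VERSION_RE)
  m && Gem::Version.new(m[1])
end

# True only for versions inside the inclusive affected range.
def affected?(version)
  return false if version.nil?
  version >= AFFECTED_MIN && version <= AFFECTED_MAX
end

# Parameter name used by the config wizard for the given version.
def address_param(version)
  version < PARAM_RENAME ? 'address' : 'ip_address'
end

# Combine the pieces into a check-style verdict: no version string means we
# cannot tell, an out-of-range version is reported safe, otherwise the
# version and the matching parameter name are returned together.
def assess(body)
  v = extract_version(body)
  return { status: 'Unknown', reason: 'no version string in response' } if v.nil?
  return { status: 'Safe', version: v.to_s } unless affected?(v)
  { status: 'Appears', version: v.to_s, param: address_param(v) }
end

if __FILE__ == $PROGRAM_NAME
  sample = '<title>Nagios XI 5.5.7</title>'  # constructed sample body
  p assess(sample)
end
```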

@gwillcox-r7
Contributor

Thanks @gwillcox-r7 . Turns out it's actually vulnerable from 5.5.6 to 5.7.5. Before 5.5.8, the ip_address parameter is named address, so I had to re-work some of the check to have authenticate also set the version string since it has the response body available. Thanks for the suggestion to check older versions! I'll send in update requests for the CVEs to reflect that.

Awesome, glad to hear you were able to get this working with more versions! 😄

@gwillcox-r7
Contributor

@k0pak4 Looks like most comments were resolved. I still have an outstanding concern re the check method; see comments above for more info. I went ahead and fixed the other issues in the meantime where relevant (there were only 2-3 or so), so the code should be ready to review again after this is fixed.

@k0pak4
Contributor Author

k0pak4 commented Feb 4, 2023

@gwillcox-r7 I addressed all the requested changes, I think. I tested the module again as well after all the changes. The documentation should be more thorough on the installs, and the check/authenticate should give more detailed statuses and error messages by propagating the ones returned from nagios_xi_login. I also added the requested checks for nil values, etc., so it should be more resilient.

Contributor

@gwillcox-r7 gwillcox-r7 left a comment


A few comments from reviewing the PR comments I left.

@gwillcox-r7
Contributor

Alright I think this should be ready for testing, just going over the 4 commits you made to see if there is anything I might have missed, and then will set up a target and test the module against it. Thanks for all the effort you put into this, at over 100 comments I know this is growing a bit long in the tooth but should get this landed soon 👍

@k0pak4
Contributor Author

k0pak4 commented Feb 6, 2023

Alright I think this should be ready for testing, just going over the 4 commits you made to see if there is anything I might have missed, and then will set up a target and test the module against it. Thanks for all the effort you put into this, at over 100 comments I know this is growing a bit long in the tooth but should get this landed soon 👍

I think the module is in a much better place now; I appreciate the thorough and detailed reviews. I checked the other authenticated NagiosXI modules and they could take advantage of some of the suggestions and updates made to this module, so I opened an issue for it (#17606). Given that a lot of the code could be reused during fixing, and that NagiosXI is fairly easy to install even for older versions, it's probably a good candidate to be labeled newbie-friendly.

@gwillcox-r7
Contributor

Alright I think this should be ready for testing, just going over the 4 commits you made to see if there is anything I might have missed, and then will set up a target and test the module against it. Thanks for all the effort you put into this, at over 100 comments I know this is growing a bit long in the tooth but should get this landed soon 👍

I think the module is in a much better place now, I appreciate the thorough and detailed reviews. I checked the other authenticated NagiosXI modules and they could take advantage of some of the suggestions and updates made to this module, so I opened an issue for it (#17606). Given that a lot of the code could be reused during fixing, and that NagiosXI is fairly easy to install even older versions, it's probably a good candidate to be labeled newbie-friendly

Thanks, added the newbie-friendly and easy tags so it should be easier for those new to Metasploit to work on this 👍

@gwillcox-r7
Contributor

gwillcox-r7 commented Feb 7, 2023

Fixed a few issues I noticed in the docs review, namely some incorrect CVE numbers due to me switching some of the numbers around, and an update to accommodate the 5.5.7 point on the parameter name changing. Still need to add a scenario for 5.5.6 so we have our range of testing to claim we cover the versions we claim to target; atm we just have 5.7.5 as tested in the documentation.

@k0pak4
Contributor Author

k0pak4 commented Feb 7, 2023

Fixed a few issues I noticed in the docs review, namely some incorrect CVE numbers due to me switching some of the numbers around, and an update to accommodate the 5.5.7 point on the parameter name changing. Still need to add a scenario for 5.5.6 so we have our range of testing to claim we cover the versions we claim to target; atm we just have 5.7.5 as tested in the documentation.

Good point. I have 5.5.6 installed currently, so I just added a scenario for it, specifically with CVE-2021-25297 since it uses a different parameter in that version, so it is a better representative example.

@gwillcox-r7
Contributor

Thanks for the example addition @k0pak4!

Contributor

@gwillcox-r7 gwillcox-r7 left a comment


Some minor changes left that I noticed. I'll try to fix these up where I can, but this should be the last of it for real this time.

@gwillcox-r7
Contributor

gwillcox-r7 commented Feb 7, 2023

This should be good to land once tests pass. I addressed the updates from above in the last commit then squashed things down to remove all the references to fixes. Tried to keep the commit messages for those fixes that were important and well described.

Thanks for PRing this @k0pak4 and appreciate your help on all this!

@k0pak4
Contributor Author

k0pak4 commented Feb 7, 2023

This should be good to land once tests pass. I addressed the updates from above in the last commit then squashed things down to remove all the references to fixes. Tried to keep the commit messages for those fixes that were important and well described.

Thanks for PRing this @k0pak4 and appreciate your help on all this!

Thanks for the thorough PR; I know it was a lot of changes, so I appreciate it 🎉 Thanks for tidying up the commit history too, it was certainly getting messy.

@gwillcox-r7 gwillcox-r7 added the rn-modules release notes for new or majorly enhanced modules label Feb 7, 2023
@gwillcox-r7 gwillcox-r7 merged commit c2e8f3f into rapid7:master Feb 7, 2023
@gwillcox-r7
Contributor

Release Notes

A new authenticated RCE module for NagiosXI has been added which exploits CVE-2021-25296, CVE-2021-25297, and CVE-2021-25298 to get a shell as the apache user on NagiosXI devices running version 5.5.6 to 5.7.5 inclusive.
