A privilege escalation in Nagios XI before 5.5.11 allows local attackers to elevate privileges to root via write access to config.inc.php.
“[Nagios XI] Provides monitoring of all mission-critical infrastructure components including applications, services, operating systems, network protocols, systems metrics, and network infrastructure. Hundreds of third-party addons provide for monitoring of virtually all in-house applications, services, and systems”. For more information visit https://www.nagios.com/products/nagios-xi/.
The Nagios XI user can run the file /usr/local/nagiosxi/scripts/repair_databases.sh via sudo. That script evaluates the output of php $BASEDIR/import_xiconfig.php to import the current Nagios XI configuration:
Which in turn imports another PHP file:
/usr/local/nagiosxi/html/config/config.inc.php is writable by the Nagios XI user:
It is possible to poison /usr/local/nagiosxi/html/config/config.inc.php and gain root privileges.
An attacker with command execution privileges as the Nagios XI user can elevate their privileges and take full control of the Nagios XI host.
Upgrade to Nagios XI 5.5.11 or later. (Note: we didn’t verify the patch.)
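One way to check a host for the condition described above, where a file read by a root-run script is writable by a non-root account. This is an added example, not code from the original advisory or from Nagios; the function names are hypothetical, and it assumes root (uid and gid 0) is the only trusted writer.

```python
#!/usr/bin/env python3
"""Flag files read by a root-run script that a non-root account could modify."""
import os
import stat
import sys


def write_reasons(mode, uid, gid, trusted_uids=(0,), trusted_gids=(0,)):
    """Return why an entry with this mode/owner is writable outside the trusted set."""
    reasons = []
    if mode & stat.S_IWUSR and uid not in trusted_uids:
        reasons.append(f"owner uid {uid} can write")
    if mode & stat.S_IWGRP and gid not in trusted_gids:
        reasons.append(f"group gid {gid} can write")
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit(path):
    """Check the file and every ancestor directory; a writable directory
    lets its entries be replaced even when the file itself is read-only."""
    findings = []
    current = os.path.realpath(path)
    while True:
        st = os.stat(current)
        reasons = write_reasons(st.st_mode, st.st_uid, st.st_gid)
        if reasons:
            findings.append((current, reasons))
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            break
        current = parent
    return findings


if __name__ == "__main__":
    # Default target is the file named in the advisory; pass others as arguments.
    targets = sys.argv[1:] or ["/usr/local/nagiosxi/html/config/config.inc.php"]
    for target in targets:
        try:
            for entry, reasons in audit(target):
                print(f"{entry}: {', '.join(reasons)}")
        except OSError as exc:
            print(f"{target}: cannot stat ({exc})", file=sys.stderr)
```

The check looks only at mode bits and ownership, so POSIX ACLs are not considered and sticky directories are reported conservatively.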
This report was subject to Shielder’s disclosure policy:
`polict` of Shielder
This advisory was first published on https://www.shielder.com/advisories/nagiosxi-config.inc-privilege-escalation/
Date: 10 April 2019