A privilege escalation in Nagios XI before 5.5.11 allows local attackers to elevate privileges to root via write access to config.inc.php.
“[Nagios XI] Provides monitoring of all mission-critical infrastructure components including applications, services, operating systems, network protocols, systems metrics, and network infrastructure. Hundreds of third-party addons provide for monitoring of virtually all in-house applications, services, and systems”. For more information visit https://www.nagios.com/products/nagios-xi/.
The Nagios XI user can run via sudo the file /usr/local/nagiosxi/scripts/repair_databases.sh
. Such file evaluates the output of php $BASEDIR/import_xiconfig.php
to import the current Nagios XI configuration:
|
|
Which in turn imports another PHP file:
|
|
/usr/local/nagiosxi/html/config/config.inc.php
is writable by the Nagios XI user:
|
|
It is possible to poison /usr/local/nagiosxi/html/config/config.inc.php
and gain root privileges.
|
|
An attacker with command execution privileges as Nagios XI can elevate its privileges and take full control of the Nagios XI host.
Upgrade to Nagios XI 5.5.11 or later. (Note: we didn’t verify the patch.)
This report was subject to Shielder’s disclosure policy:
`polict` of Shielder
This advisory was first published on https://www.shielder.com/it/advisories/nagiosxi-config.inc-privilege-escalation/
Data
10 aprile 2019