Community member Erik Wynter has contributed two more Nagios XI modules this week, on top of the previous week’s contributions! If you’ve noticed Nagios XI 5.6.0 to 5.7.5 running within your target’s infrastructure during a pen test, be sure to check both these new modules out as well as the previous week’s contributions, as they provide both authenticated and unauthenticated remote code injection.
Fresh out of the oven, Metasploit now warms up its JSON RPC service before accepting traffic. This week’s release ensures that Metasploit is now alive, warmed up, and healthy prior to binding the HTTP server to the host machine. If you’re not familiar with this functionality, Metasploit’s Remote Procedure Call (RPC) API allows you to programmatically drive the Metasploit Framework and commercial products using HTTP requests. This allows you to build powerful tools and functionality around Metasploit’s core engine to automate complex workflows without interacting directly with the Metasploit console as a user would. The JSON RPC Service is a more modern alternative to the older MessagePack implementation that is still available for use.
Thanks to the work of our very own Spencer McIntyre in pull request #15051, Metasploit will now automatically validate that the session is established and responsive. The intention is to help users by automatically determining sessions are valid before they can be used, to help avoid failed module runs. These new changes work in POSIX shells as well as Windows’ command shell and PowerShell. This validation works by sending an echo
command and verifying that the response is received back as expected.
admin/mibs.php
page of NagiosXI 5.6.0 to 5.7.3 inclusive. Successful exploitation requires valid credentials for an administrative user and grants RCE as the apache
or www-data
user.includes/components/nxti/index.php
page of Nagios XI prior to 5.7.4. Successful exploitation results in RCE as the apache
user.echo
command and verifying that a response is received.post/linux/gather/hashdump
module has been improved so that instead of checking if the user is root
, it will now instead check if the user has access to the /etc/shadow
file prior to attempting to dump the hashes from the shadow file. This allows users to dump password hashes in the case where the permissions of the /etc/shadow
file may be set up incorrectly, even if they are not the root
user.check
logic of nagios_xi_plugins_check_ping_authenticated_rce.rb
was updated to fix a bug whereby older versions of Nagios XI may have caused the module to crash instead of correctly reporting a target as being vulnerable or not.f5_bigip_known_privkey.rb
was fixed by adding a missing import.lib/metasploit/framework/login_scanner/ssh.rb
has been improved so that it now correctly handles cases where the connection might be reset by a client and continues scanning instead of throwing a stack trace.As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from GitHub:
If you are a git
user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).