A privilege escalation in Nagios XI before 5.5.11 allows local attackers to elevate privileges to root via write access to config.inc.php.
“[Nagios XI] Provides monitoring of all mission-critical infrastructure components including applications, services, operating systems, network protocols, systems metrics, and network infrastructure. Hundreds of third-party addons provide for monitoring of virtually all in-house applications, services, and systems”. For more information visit https://www.nagios.com/products/nagios-xi/.
The Nagios XI user can run via sudo the file
/usr/local/nagiosxi/scripts/repair_databases.sh. Such file evaluates the output of
php $BASEDIR/import_xiconfig.php to import the current Nagios XI configuration:
Which in turn imports another PHP file:
/usr/local/nagiosxi/html/config/config.inc.php is writable by the Nagios XI user:
It is possible to poison
/usr/local/nagiosxi/html/config/config.inc.php and gain root privileges.
An attacker with command execution privileges as Nagios XI can elevate its privileges and take full control of the Nagios XI host.
Upgrade to Nagios XI 5.5.11 or later. (Note: we didn’t verify the patch.)
This report was subject to Shielder’s disclosure policy:
`polict` of Shielder
This advisory was first published on https://www.shielder.com/advisories/nagiosxi-config.inc-privilege-escalation/
10 April 2019