Source: Shulou (Shulou.com), SLTechnology News&Howtos. Report dated 06/01; updated 2025-01-28.
This article presents an analysis of, and early warning for, multiple vulnerabilities in Nagios XI.
0x00 Vulnerability background
Nagios Core is an open source system and network monitoring tool. It monitors the hosts and services you designate and notifies the administrator when they "go bad" and when they "get better". Nagios XI is an extended interface that provides configuration management and uses Nagios Core as its back end. On top of Nagios Core, Nagios XI adds a broad user interface, configuration editors, advanced reports, monitoring wizards, an extensible front end and back end, and many other features.
At the end of April, multiple vulnerabilities in Nagios XI were disclosed, including SQL injection, privilege escalation and command injection. The CVE identifiers are CVE-2018-8733, CVE-2018-8734, CVE-2018-8735 and CVE-2018-8736. PoC code for the vulnerabilities was published afterwards.
Nagios XI has since released security updates, and 360-CERT has carried out an in-depth analysis of this set of vulnerabilities.
0x01 Vulnerability details
CVE-2018-8733
Vulnerability location:
/nagiosql/admin/settings.php
A GET request to this page returns a form in a 302 response, and through that form the database user account can be changed by supplying specific parameters.
CVE-2018-8734
Vulnerability location:
/nagiosql/admin/helpedit.php
On a POST request to this page, the selInfoKey1 parameter is vulnerable to SQL injection, which can be exploited.
CVE-2018-8735
Vulnerability location:
/nagiosxi/backend/index.php
When a request is made to this page, a command can be injected through the following POST parameters:
cmd=submitcommand&command=1111&command_data=$(command_payload)
CVE-2018-8736
Cause of the vulnerability:
The nagiosxi user can write to /usr/local/nagiosxi/scripts/, but the scripts in this directory run with root privileges. This is an obvious privilege escalation vulnerability.
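The condition behind CVE-2018-8736 can be checked on a host by auditing the directory for anything a non-root account could modify. The following is an added example, not code from the article or from Nagios; the function name, the trusted uid/gid defaults and the finding strings are assumptions made for illustration.

```python
import os
import stat

SCRIPTS_DIR = "/usr/local/nagiosxi/scripts/"  # directory named in the article

def audit_root_run_dir(top, trusted_uids=frozenset({0}), trusted_gids=frozenset({0})):
    """Return sorted [(path, reason)] for entries an untrusted account could modify."""
    paths = [top]
    for root, dirs, files in os.walk(top):
        paths += [os.path.join(root, name) for name in dirs + files]
    findings = []
    for path in sorted(paths):
        st = os.lstat(path)  # lstat: do not follow symlinks
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink: audit the target separately"))
            continue
        if st.st_uid not in trusted_uids:
            findings.append((path, f"owned by uid {st.st_uid}"))
        if st.st_mode & stat.S_IWGRP and st.st_gid not in trusted_gids:
            findings.append((path, f"writable by gid {st.st_gid}"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
    return findings

if __name__ == "__main__" and os.path.isdir(SCRIPTS_DIR):
    for path, reason in audit_root_run_dir(SCRIPTS_DIR):
        print(f"{path}: {reason}")
```

A writable directory entry matters as much as a writable file, since whoever can write to the directory can replace the scripts inside it.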
0x02 Exploitation details
We now have four vulnerabilities, one of which is of limited use. However, they can be combined to achieve command execution with root privileges.
The exploitation steps are as follows:
1. Change the current database user to the root user through CVE-2018-8733 to gain more privileges for database operations.
2. Use CVE-2018-8734 to perform SQL injection against the database and obtain an API key. The key is an authentication credential with which the API can be used to operate on Nagios XI. The location of the key in the database is: nagiosxi.xi_users.
3. Use the API to add a Nagios XI administrator user; the API address is /nagiosxi/api/v1/system/user?apikey=
4. Once Nagios XI administrator status has been obtained, command injection can be carried out using CVE-2018-8735.
5. Use the command injection to write a payload into a script under /usr/local/nagiosxi/scripts/. Because all scripts in this directory run with root privileges, the injected command obtains root privileges.
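Because the chain touches a fixed sequence of endpoints, it leaves an ordered pattern in the web server's access log. The following is an added detection example, not part of the article or of any 360-CERT tooling; it assumes Apache combined log format, and the 30-minute window, the three-stage threshold and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Chain stages in the article's order; paths are the ones the article names.
STAGES = [
    ("CVE-2018-8733", {"GET", "POST"}, "/nagiosql/admin/settings.php"),
    ("CVE-2018-8734", {"POST"}, "/nagiosql/admin/helpedit.php"),
    ("api-user-add", {"POST"}, "/nagiosxi/api/v1/system/user"),
    ("CVE-2018-8735", {"POST"}, "/nagiosxi/backend/index.php"),
]
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3}')
SAMPLE_LOG = [  # constructed lines using documentation addresses
    '198.51.100.7 - - [30/Apr/2018:10:00:01 +0000] "GET /nagiosql/admin/settings.php HTTP/1.1" 302 512',
    '203.0.113.9 - - [30/Apr/2018:10:00:02 +0000] "POST /nagiosxi/backend/index.php HTTP/1.1" 200 88',
    '198.51.100.7 - - [30/Apr/2018:10:00:05 +0000] "POST /nagiosql/admin/helpedit.php HTTP/1.1" 200 901',
    '198.51.100.7 - - [30/Apr/2018:10:00:09 +0000] "POST /nagiosxi/api/v1/system/user?apikey=REDACTED HTTP/1.1" 200 64',
    '198.51.100.7 - - [30/Apr/2018:10:00:12 +0000] "POST /nagiosxi/backend/index.php HTTP/1.1" 200 88',
]

def stage_events(lines):  # -> {ip: sorted [(timestamp, stage index), ...]}
    events = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, ts, method, url = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        for idx, (_name, methods, path) in enumerate(STAGES):
            if method in methods and url.split("?", 1)[0] == path:
                events[ip].append((when, idx))
    return {ip: sorted(evs) for ip, evs in events.items()}

def find_chains(lines, window=timedelta(minutes=30), min_stages=3):
    """Return {ip: [stage names]} for clients hitting >= min_stages stages in order."""
    alerts = {}
    for ip, evs in stage_events(lines).items():
        for i, (start, _) in enumerate(evs):
            best = {}  # stage index -> longest in-order chain ending at that stage
            for when, idx in evs[i:]:
                if when - start > window:
                    break
                prev = max((best[j] for j in best if j < idx), key=len, default=[])
                if len(prev) + 1 > len(best.get(idx, [])):
                    best[idx] = prev + [STAGES[idx][0]]
            longest = max(best.values(), key=len)
            if len(longest) >= max(min_stages, len(alerts.get(ip, [])) + 1):
                alerts[ip] = longest
    return alerts
```

Running `find_chains(SAMPLE_LOG)` flags only the client that walked the stages in order. Legitimate administrators also use these pages, so a hit is a lead for triage rather than proof of compromise.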
0x03 Vulnerability impact
The versions affected by this set of vulnerabilities are:
Nagios XI 5.2.6-5.4.12
The global distribution of using Nagios services is as follows:
Most of the Nagios services exposed to the public network are located in Europe and the United States, and there are about two hundred in China. As an operations and maintenance monitoring system, Nagios is mostly deployed on internal networks, so actual usage will be considerable.
The effects of vulnerability exploitation are as follows:
The PoC for this set of vulnerabilities has been published. The vulnerabilities can be exploited remotely, with low difficulty and great harm.
0x04 Security recommendations
360-CERT recommends that users of Nagios XI upgrade to Nagios XI 5.4.13 as soon as possible.
0x05 Timeline
2018-04-30 Vulnerability disclosure and PoC announcement
2018-05-10 Nagios issues a security bulletin
2018-05-17 360-CERT analyzes the vulnerabilities