|
|
Advisory Information
Advisory ID: NGENUITY-2010-006
Date published: Aug. 7, 2010
Class: Cross-Site Request Forgery (CSRF)
Software Description
Nagios XI is the commercial / enterprise version of the open source
Nagios project.
Vulnerability Description
Nagios XI 2009R1.2B is vulnerable to multiple cross-site request forgery
(CSRF) vulnerabilities. All of the privileged actions tested were
vulnerable to CSRF, not just the ones listed below. It is recommended to
upgrade to version 2009R1.2C or later.
Exploiting the identified vulnerabilities requires that the nagiosadmin
be logged into the web interface. Note that the admin does not have to
be logged into the configuration manager, the attacker can accomplish
that themselves.
Technical Details
Reset the nagiosadmin password via CSRF
This can be useful to hijack the administrators account.
Reset the configuration manager password
The attacker just has the victim visit the following URL. Even if the
nagios admin is not logged into the configuration admin, the attacker can=85
1. Force a password reset of the configuration manager
2. Log the nagiosadmin into the configuration manager
3. Create a simple web shell on the nagios server.
http://10.0.10.28/nagiosxi/admin/credentials.php?options=1
&update=1
&config_admin_password=letmein1
&subsystem_ticket=2objrv9t6glq
&config_backend_password=38ajpt
Log into the configuration manager with previously set password
Modify nagios command to create a webshell when run
Note the \ before the ; in our php code is what makes this possible.
Normally Nagios would not allow for a ; to be input into the command
string unless escaped. PHP will happily still execute this code despite
the \ being there.
Add a Host to make sure our command is triggered, and the web shell created.
Yes this is a long and boring form=85
Original Advisory at http://ngenuity-is.com/advisories/2010/aug/7/nagios-xi-multiple-csrf/
POC Exploit http://evilpacket.net/dev/nagiosxi/