Sunday, 29 April 2018

Few bugs in latest Nagios XI 5.4.13

As you probably already know, from time to time I work on a small and simple Python script called modus.py [1,2]. It's also fun to run a VM in the background (for example one of the webapp VMs from Bitnami's collection [3,4,5]) and do a blackbox test to find some cases for future analysis... This time you will find below a few results for the 'latest' Nagios XI, 5.4.13. Here we go...

I found the VM image at the link presented below:



All cases presented below should be exploitable by a normal/registered user.

#01 - Report name:



You will find more details in the ./components/scheduledreporting/ directory:



As far as I can tell, three parameters here are vulnerable to XSS attacks: hour, minute and ampm.

When you click the button to 'schedule' the report you are looking for, you get a chance to add persistent XSS code. Example (using h1 tags) below:

More details below:


It's also easy to store some JavaScript code:


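The three schedule fields above have tiny legitimate domains, which is why the stored XSS is so avoidable: the fix is to whitelist the constrained values and HTML-escape the free text (the report name) before it is written back into the page. The following is an added example written for this post, not Nagios XI's own code; it shows the unsafe concatenation pattern beside a hardened version. The 12-hour range for "hour" is an assumption based on the presence of the ampm field.

```python
import html
import re

# Assumption (not from the post): the form uses a 12-hour clock, hence ampm.
ALLOWED_AMPM = ("AM", "PM")


def validate_schedule(hour: str, minute: str, ampm: str) -> dict:
    """Whitelist-validate the three schedule fields named in the post.

    Rejecting anything that is not a plain clock component beats trying to
    filter markup out of the value. Raises ValueError on a bad field.
    """
    if not re.fullmatch(r"\d{1,2}", hour) or not 1 <= int(hour) <= 12:
        raise ValueError(f"hour out of range: {hour!r}")
    if not re.fullmatch(r"\d{1,2}", minute) or not 0 <= int(minute) <= 59:
        raise ValueError(f"minute out of range: {minute!r}")
    if ampm.upper() not in ALLOWED_AMPM:
        raise ValueError(f"ampm must be AM or PM: {ampm!r}")
    return {"hour": int(hour), "minute": int(minute), "ampm": ampm.upper()}


def is_valid_schedule(hour: str, minute: str, ampm: str) -> bool:
    """Boolean wrapper around validate_schedule for callers that just gate."""
    try:
        validate_schedule(hour, minute, ampm)
    except ValueError:
        return False
    return True


def render_row_unsafe(name: str, hour: str, minute: str, ampm: str) -> str:
    """The pattern behind a stored XSS: user input concatenated straight into HTML."""
    return f"<tr><td>{name}</td><td>{hour}:{minute} {ampm}</td></tr>"


def render_row_safe(name: str, hour: str, minute: str, ampm: str) -> str:
    """Hardened form: validate the constrained fields, escape the free-text field."""
    sched = validate_schedule(hour, minute, ampm)
    return (
        f"<tr><td>{html.escape(name, quote=True)}</td>"
        f"<td>{sched['hour']:02d}:{sched['minute']:02d} {sched['ampm']}</td></tr>"
    )


if __name__ == "__main__":
    # Constructed sample input: a report name carrying markup, valid time fields.
    print(render_row_unsafe("<b>weekly</b>", "7", "05", "PM"))
    print(render_row_safe("<b>weekly</b>", "7", "05", "PM"))
    print(is_valid_schedule("<h1>7</h1>", "05", "PM"))
```

Escaping on output is what protects the report list; validating hour/minute/ampm additionally removes the stored payload at the source, so a second consumer of the same database row (an export, an e-mail template) does not inherit the problem.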
#02 - page vector:


You need to put the XSS code in the field shown in the red table:


More below:


#03 - XSS in 'args' - ajaxhelper.php:

Response grabbed by Burp:

#04 - background - same file:


Response similar to the #03 case:


#05 - i[] in ajax_handler.php:


Response:



Now, if you can share your scheduled reports with other users, there is a possibility of an RCE attack.

If your XSS/CSRF adds a 'new command' (for example:


) you can check the 4444/tcp port (in this case...). In other words, if you can create a new command, you can own the Nagios server:


I think we are ready:


... to go:



Checking:




:]

#06 - XSS in title parameter - deploy:




Response:




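All six cases above share one trait a defender can key on: markup arriving in a parameter that should only ever hold a clock value, a colour, a numeric id or a title. The following added example (written for this post, not part of Nagios XI) parses Apache combined-format access log lines, URL-decodes each query parameter and flags values that carry a tag opener, a javascript: URL or an inline event handler. The log lines and the paths under /nagiosxi/ are constructed for illustration; the post only names the script files and the scheduledreporting directory, so matching is done on those last path segments.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Markup markers that have no business in a clock field, a report title or an id.
MARKUP_RE = re.compile(
    r"<\s*/?\s*[a-z!]"                       # opening or closing tag
    r"|javascript\s*:"                       # javascript: URL
    r"|\bon(?:load|error|click|mouseover|focus|blur)\s*=",  # inline handlers
    re.IGNORECASE,
)

# Apache combined log format; the request line is split into method and target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Scripts and directory named in the post. Full paths are not given there, so we
# match on path segments rather than on a fixed prefix.
POST_SCRIPTS = {"ajaxhelper.php", "ajax_handler.php"}
POST_DIRS = {"scheduledreporting"}


def endpoint_named_in_post(path: str) -> bool:
    parts = [p for p in path.split("/") if p]
    return bool(parts) and (parts[-1] in POST_SCRIPTS or any(p in POST_DIRS for p in parts))


def scan_access_log(lines):
    """Return one finding per (request, parameter) whose decoded value carries markup."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlsplit(m["target"])
        # parse_qsl percent-decodes names and values, so i%5B%5D becomes i[].
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if MARKUP_RE.search(value):
                findings.append({
                    "ip": m["ip"],
                    "method": m["method"],
                    "path": url.path,
                    "param": name,
                    "value": value,
                    "known_endpoint": endpoint_named_in_post(url.path),
                })
    return findings


# Constructed sample log lines (not from the post). The last line shows the
# blind spot: a POST body never appears in the access log.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Apr/2018:12:00:01 +0200] "GET /nagiosxi/includes/components/scheduledreporting/?hour=7&minute=05&ampm=PM HTTP/1.1" 200 512',
    '10.0.0.5 - - [29/Apr/2018:12:00:02 +0200] "GET /nagiosxi/includes/components/scheduledreporting/?hour=%3Ch1%3Ex%3C%2Fh1%3E&minute=05&ampm=PM HTTP/1.1" 200 512',
    '10.0.0.5 - - [29/Apr/2018:12:00:03 +0200] "GET /nagiosxi/ajaxhelper.php?args=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 80',
    '10.0.0.5 - - [29/Apr/2018:12:00:04 +0200] "GET /nagiosxi/ajaxhelper.php?background=%23ffffff HTTP/1.1" 200 80',
    '10.0.0.5 - - [29/Apr/2018:12:00:05 +0200] "GET /nagiosxi/ajax_handler.php?i%5B%5D=%3Cb%3E5%3C%2Fb%3E HTTP/1.1" 200 64',
    '10.0.0.5 - - [29/Apr/2018:12:00:06 +0200] "GET /nagiosxi/index.php?xiwindow=reports HTTP/1.1" 200 4096',
    '10.0.0.5 - - [29/Apr/2018:12:00:07 +0200] "POST /nagiosxi/includes/components/scheduledreporting/ HTTP/1.1" 302 -',
]


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['method']} {f['path']} param={f['param']!r} value={f['value']!r}")
```

Run against the sample it reports the hour, args and i[] requests and nothing else. The caveat is in the last sample line: the schedule form is most likely submitted by POST, and the access log records only the query string, so this catches GET-borne attempts (as in #03 to #06) while POST bodies need a WAF or application-level log.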
After all of that there was one more "bug" I found interesting. The admin user was able to read local files. I was wondering if the same functionality is available to 'other users' (in this case, my registered "normal" user). This is what I found:


As you can see, the screenshot was taken as the 'admin' user. I decided to switch to the 'tester' user and check whether the xiwindow parameter would also be available:


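Whatever the final verdict on xiwindow for non-admin users, the underlying file-read class of bug has one standard mitigation: a parameter that selects a page or file is never handed to include/readfile as-is, but normalised under one fixed directory and rejected if its normalised form leaves that directory. The function below is an added example written for this post, not Nagios XI code; the root directory and the assumption that the parameter names a relative page are both constructed for illustration.

```python
import os
from typing import Optional

# Constructed example root (not from the post). Assumption: the parameter names
# a page to show inside the Nagios XI window, relative to one fixed directory.
ALLOWED_ROOT = "/var/www/html/nagiosxi/views"


def resolve_window(param: str, root: str = ALLOWED_ROOT) -> Optional[str]:
    """Map a user-supplied page name to a file path, or None if it escapes root.

    Absolute paths and NUL bytes are refused outright; everything else is joined
    under root and normalised, and the result must still share root as its
    common prefix. Symlinks are not followed here: if root may contain links,
    apply os.path.realpath to the result and re-check it against the root.
    """
    if not param or "\x00" in param:
        return None
    if os.path.isabs(param):
        return None
    root = os.path.normpath(root)
    candidate = os.path.normpath(os.path.join(root, param))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs: one legitimate page name, one traversal attempt,
    # one absolute path. Only the first resolves.
    for p in ("reports/summary.php", "../../../../etc/passwd", "/etc/passwd"):
        print(f"{p!r} -> {resolve_window(p)!r}")
```

The commonpath comparison after normpath is what makes the check robust: a value that climbs out with "../" segments and then back in still resolves to a path under root and is allowed, while anything whose normalised form lands elsewhere is rejected regardless of how it was encoded on the way in. Authorisation (which role may open which page) is a separate check that belongs in front of this one.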
Maybe you will find it useful. ;]

In case of any questions you know how to find me.

Cheers!

o/
