Sunday, 29 April 2018

A few bugs in the latest Nagios XI 5.4.13

As you probably already know, from time to time I try to work on a small and simple Python script, called [1,2]. It's also fun to run some VM in the background (for example one with a web app, like Bitnami's VM collection [3,4,5]) and start a blackbox test to find some cases for future analysis... This time, below you will find a few results for the 'latest' Nagios XI, 5.4.13. Here we go...

I found the VM available at the link presented below:

    All cases presented below should be exploitable by a normal/registered user.

#01 - Report name:

More details can be found in the ./components/scheduledreporting/ directory:

As far as I can tell, three parameters here are vulnerable to XSS attacks: hour, minute and ampm.

When you click the button to 'schedule' the report you are looking for, you get a chance to add persistent XSS code. Example (with <h1> ... </h1>) below:

More details below:

It's also easy to store some JavaScript code:

#02 - page vector:

You need to put the XSS code in the field in the red table:

More below:

#03 - XSS in 'args' - ajaxhelper.php:

Response grabbed by Burp:

#04 - background - same file:

Response similar to the #03 case:

#05 - i[] in ajax_handler.php:
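Cases #01 to #05 are all the same pattern: a user-controlled parameter comes back in the page without HTML encoding. The helper below is an added example in the spirit of the author's Python script; it is not code from the original post or from Nagios XI. It injects a unique marker carrying angle brackets and quotes into each parameter, then classifies the response as raw (likely XSS), encoded or absent. The endpoint URL, the base parameters and the simulated_fetch stand-in (which mimics hour, minute and ampm being echoed unescaped) are assumptions made for the example; validate_schedule_fields shows the server-side whitelist that would close case #01.

```python
import html
import re
import secrets
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, Optional

# A unique tag per parameter tells us which one reflected; the metacharacters
# are exactly what a correct output encoder has to neutralise.
def make_marker(tag: str) -> str:
    return f'<xq{tag}"\'>'


def classify(body: str, marker: str) -> str:
    """'raw' if the marker came back untouched (XSS likely), 'encoded' if it
    came back HTML-escaped, 'absent' if the value was not reflected at all."""
    if marker in body:
        return "raw"
    escaped = {html.escape(marker, quote=True), html.escape(marker, quote=False)}
    if any(e in body for e in escaped):
        return "encoded"
    return "absent"


def probe_params(fetch: Callable[[str], str], url: str,
                 base_params: Dict[str, str], targets: Iterable[str]) -> Dict[str, str]:
    """Inject one marker per target parameter (one request each) and classify."""
    results = {}
    for name in targets:
        marker = make_marker(secrets.token_hex(3))
        query = dict(base_params)
        query[name] = marker
        body = fetch(url + "?" + urllib.parse.urlencode(query))
        results[name] = classify(body, marker)
    return results


def http_fetch(url: str) -> str:
    """Real transport for a live target (needs network; add your session cookie)."""
    req = urllib.request.Request(url, headers={"Cookie": "nagiosxi=REPLACE_ME"})
    with urllib.request.urlopen(req, timeout=10) as resp:   # assumption: plain HTTP
        return resp.read().decode("utf-8", errors="replace")


def simulated_fetch(url: str) -> str:
    """Constructed stand-in for the scheduled-report page: echoes hour/minute/ampm
    unescaped (as observed in case #01) and escapes every other parameter."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    cells = []
    for key, values in query.items():
        value = values[0]
        if key in ("hour", "minute", "ampm"):
            cells.append(f"<td>{value}</td>")            # vulnerable sink
        else:
            cells.append(f"<td>{html.escape(value)}</td>")  # correct sink
    return "<table><tr>" + "".join(cells) + "</tr></table>"


def validate_schedule_fields(hour: str, minute: str, ampm: str) -> Optional[dict]:
    """Whitelist that would close #01: a 12-hour clock only ever needs two digits
    and AM/PM, so anything else is rejected instead of being stored and echoed."""
    if not re.fullmatch(r"[0-9]{1,2}", hour) or not 1 <= int(hour) <= 12:
        return None
    if not re.fullmatch(r"[0-9]{1,2}", minute) or not 0 <= int(minute) <= 59:
        return None
    if ampm.upper() not in ("AM", "PM"):
        return None
    return {"hour": int(hour), "minute": int(minute), "ampm": ampm.upper()}


if __name__ == "__main__":
    # Offline demonstration against the constructed page; swap in http_fetch
    # and the real report URL for a live run.
    report = probe_params(simulated_fetch, "http://nagios.example/report.php",
                          {"name": "weekly"}, ["hour", "minute", "ampm", "name"])
    for param, verdict in report.items():
        print(f"{param:8s} {verdict}")
    print(validate_schedule_fields("10", "30", "am"))
    print(validate_schedule_fields("<h1>x</h1>", "30", "AM"))
```

Each probe uses a fresh random tag, so a value stored by an earlier request (the persistent case in #01) cannot be mistaken for reflection of the current one; for stored XSS, fetch the page a second time without the marker and run classify again on that body.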


Now, if you can share your scheduled reports with other users, there is a possibility of an RCE attack.

If your XSS/CSRF payload adds a 'new command' (for example:

) you can check the 4444/tcp port (in this case...). In other words, if you can create a new command, you can own the Nagios server:

I think we are ready:

... to go:



#06 - XSS in title parameter - deploy:


After all of that, there was one more "bug" I found interesting. The admin user was able to read local files. I was wondering whether the same functionality was available to 'other users' (in this case, my registered "normal" user). This is what I found:

As you can see, the screen was created for the 'admin' user. I decided to switch to the 'tester' user and check whether the xiwindow parameter would also be available:

Maybe you will find it useful. ;]

In case of any questions you know how to find me.


