wtorek, 31 grudnia 2019

Postauth RCE in latest NagiosXI

Last time I described few XSS bugs for latest Nagios (5.6.9). During the research and code review I found a possibility for RCE. Below you will find the details from the journey. Here we go...

We will (again) start here:

I used 'latest' available version - 5.6.9 - for VirtualBox, downloaded here.

As you (probably;)) read/remember, in scheduled reporting we have a persistent XSS. Sometimes when I found a bug 'related to OWASP' (so for example: XSS) I'm trying to check the source code of webapp ('if available') to look for similar cases:

So, to see a bigger picture:

As you can see on the screen:
- we can create file on server
- we can inject some garbage on the filename (like '> or ">)
- we are using php 'to run command'

Cool. My goal was to get RCE here. ;)

So the case was:
- attacker (logged-in normal/registered user) will inject malicious payload in scheduler
- scheduler will run attached code when using cron*

*(in source you will see that our injection is possible when script will do: rm -f <ourString> but we will get to that later;))

Checking again (and again...):

Still nothing. The case is: how to inject a string to cron-not-to-php? Hm... I (still) don't know yet.

I tried to use the same command (in other shell windows) as was the command injected to the (created) script. I was wondering, maybe I'll find the injection string this way...

Still - nope.

So after a 'day with Nagios VM' we should be somewhere here, reading logs ;)

we are here again:

After few more times/requests I decided to check logs again... this time I found this:

Well. Yes, /etc/issue is printed to the log file ;D

As you can see, payload should write file to /tmp/qwe. And in fact, it is true, but we are looking in wrong /tmp/ directory. ;) Check it out:

So no we should be somewhere here, verifying:

I used revshell from pentestmonkey (thanks!):

Quick configuration and we should be here:

That's all. ;)

If you like the post (and my blog) - remember that now you can send some donate$ ;)

Happy new year and see you next time!


Brak komentarzy:

Prześlij komentarz