
Improve NagiosXI authenticated exploit modules to increase resilience and for use with Autocheck disabled

Open k0pak4 opened this issue 2 years ago • 15 comments

Summary

During the course of https://github.com/rapid7/metasploit-framework/pull/17494 there were several concerns with how the NagiosXI login mixin was being used in the check method, which prevents the module from working when Autocheck is disabled. Additionally, other improvements were made including cleaner regexes in version detection, nil checks on objects that were assumed to be not nil, and other improvements. After examining the other NagiosXI modules the following modules should be modified to also take advantage of these improvements:

  • modules\exploits\linux\http\nagios_xi_autodiscovery_webshell.rb
  • modules\exploits\linux\http\nagios_xi_mibs_authenticated_rce.rb
  • modules\exploits\linux\http\nagios_xi_plugins_check_plugin_authenticated_rce.rb
  • modules\exploits\linux\http\nagios_xi_plugins_filename_authenticated_rce.rb

Improvements

  • [x] Move the authentication to its own function, and call it in check and exploit when necessary (https://github.com/rapid7/metasploit-framework/pull/17494#discussion_r1092327656)
  • [x] Use better regexes for version detection (https://github.com/rapid7/metasploit-framework/pull/17494#discussion_r1097807544)
  • [x] Refactor case statements to use accurate error codes, error messages, and Failure codes (https://github.com/rapid7/metasploit-framework/pull/17494#discussion_r1096464021)
  • [ ] Improve documentation to give detailed installation instructions (see documentation\modules\exploit\linux\http\nagios_xi_configwizards_authenticated_rce.md)
  • [ ] Improve lib\msf\core\exploit\remote\http\nagios_xi\login.rb to make the return structure consistent (currently reversed on failure from success) (https://github.com/rapid7/metasploit-framework/pull/17494#discussion_r1097985116)

Generally, these modules can also be cleaned up and shortened similarly to how the config wizards RCE module was through PR.

Motivation

Currently, these modules will fail with AutoCheck disabled, so we want to improve that first and foremost. Additionally, the version checking and error codes will provide more support when running the modules against old versions of NagiosXI.

Vulnerable Software

In general, older versions of NagiosXI can be found:

  • As an OVA (replace version number in the link to the one you want to download): https://assets.nagios.com/downloads/nagiosxi/5/ovf/nagiosxi-5.7.5-64.ova
  • As a package: https://www.nagios.com/downloads/nagios-xi/older-releases/

documentation\modules\exploit\linux\http\nagios_xi_configwizards_authenticated_rce.md has detailed installation instructions if help is needed on install.

k0pak4 Feb 06 '23 20:02
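The refactoring the checklist asks for, as an added example in plain Ruby that is not code from metasploit-framework: one authenticate helper shared by check and exploit with a single result shape for success and failure, a named-group version regex with nil checks, and a check that logs in by itself so it still works with AutoCheck disabled. The login path, response codes, regex, StubClient and the max_affected threshold are all assumptions made for the example.

```ruby
# Assumed pattern for the version string in the Nagios XI page footer.
VERSION_RE = /Nagios XI\s+(?<version>\d+(?:\.\d+){1,3})/i
# One shape for every outcome, so callers always read `ok` first.
LoginResult = Struct.new(:ok, :reason, :cookie, keyword_init: true)
class NagiosXiSession
  def initialize(client)
    @client = client   # anything responding to post(path, params) and get(path)
    @cookie = nil
  end
  # Shared by check and exploit; idempotent, so running both is harmless.
  def authenticate(user, pass)
    return LoginResult.new(ok: true, reason: 'cached session', cookie: @cookie) if @cookie
    res = @client.post('/nagiosxi/login.php', username: user, password: pass)
    return LoginResult.new(ok: false, reason: 'no response') if res.nil?
    case res.code
    when 302
      cookie = res.headers['Set-Cookie']
      return LoginResult.new(ok: false, reason: 'redirect without session cookie') if cookie.nil?
      @cookie = cookie
      LoginResult.new(ok: true, reason: 'logged in', cookie: cookie)
    when 200
      LoginResult.new(ok: false, reason: 'invalid credentials')
    else
      LoginResult.new(ok: false, reason: "unexpected HTTP #{res.code}")
    end
  end
  # Named capture group plus nil-safe navigation: a missing body or no match yields nil.
  def version
    m = @client.get('/nagiosxi/')&.body&.match(VERSION_RE)
    m && Gem::Version.new(m[:version])
  end
  # check logs in on its own, so it works whether or not autocheck already ran.
  # max_affected is a constructed threshold, not a statement about real releases.
  def check(user, pass, max_affected)
    login = authenticate(user, pass)
    return [:unknown, login.reason] unless login.ok
    v = version
    return [:unknown, 'version not detected'] if v.nil?
    v <= Gem::Version.new(max_affected) ? [:appears, v.to_s] : [:safe, v.to_s]
  end
end
# Constructed stub client so the example runs offline.
Resp = Struct.new(:code, :headers, :body)
class StubClient
  def initialize(routes); @routes = routes; end
  def post(path, _params); @routes[[:post, path]]; end
  def get(path); @routes[[:get, path]]; end
end
```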