Description
Several vulnerabilities have been identified in Nagios XI:

- Privilege escalation (0-day). A remote attacker with administrative privileges could exploit it by uploading a profile.zip archive containing a malicious getprofile.sh file and a profile.php file calling the shell script in order to execute arbitrary commands with root privileges. This vulnerability is due to the insecure implementation of the application's component upload functionality.

- SQL injection in the 'host' and 'service' GET parameters of the 'nagiosim.php' page, allowing retrieval of sensitive information such as the administrative users' password hash (unsalted MD5) or the token used to authenticate to the Nagios XI REST API.

- Command injection in the 'title' and 'end' GET parameters of, respectively, the 'nagiosim.php' and 'graphApi' pages, allowing arbitrary code execution in the context of the 'apache' user.

- Server-Side Request Forgery in the 'proxyurl' GET parameter of the "ajaxproxy.php" page, and in the 'url' parameter. A remote attacker can exploit it by sending a specially crafted application request in order to perform operations such as scanning and attacking systems on the LAN or enumerating services on these systems.

- Account hijacking. A remote attacker could exploit it by using a token intended for changing a limited user's password in a specially crafted POST request in order to reset an administrative account's password.

Proofs of concept are available.

Updated, 21/07/2016:
Exploit code for these vulnerabilities has been added to the Metasploit framework.
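A log-triage sketch for the parameter-level issues listed above (an added example, not code from the advisory or from Nagios): it flags GET requests whose watched parameters carry SQL or shell metacharacters, or whose 'proxyurl' points at a non-public address. The "/PLACEHOLDER/" paths, the sample log lines and the matching heuristics are assumptions made for illustration.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit, parse_qs

def internal_target(url):
    """True if a proxied URL is malformed, non-HTTP, or aimed at a non-public IP."""
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""
    except ValueError:
        return True  # malformed URL: surface it for review
    try:
        return parts.scheme not in ("http", "https") or not ip_address(host).is_global
    except ValueError:
        return host == "localhost"  # other DNS names need out-of-band resolution

# (page, GET parameter) pairs named in the advisory, mapped to an issue class.
WATCHED = {
    ("nagiosim", "host"): "sqli", ("nagiosim", "service"): "sqli",
    ("nagiosim", "title"): "cmdi", ("graphApi", "end"): "cmdi",
    ("ajaxproxy", "proxyurl"): "ssrf",
}
REQUEST = re.compile(r'"GET (\S+) HTTP/[\d.]+"')
SQL_META = re.compile(r"""['"]|--|/\*|\b(?:union|select|sleep)\b""", re.I)
SHELL_META = re.compile(r"[;|&`<>\n]|\$\(")
CHECKS = {"sqli": SQL_META.search, "cmdi": SHELL_META.search, "ssrf": internal_target}

def triage(lines):
    """Return (line number, issue, parameter) for each suspicious GET request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        # Assumption: the page name is a path segment, with or without ".php".
        pages = {segment.split(".")[0] for segment in target.path.split("/")}
        for param, values in parse_qs(target.query).items():
            issue = next((WATCHED[p, param] for p in pages if (p, param) in WATCHED), None)
            if issue and any(CHECKS[issue](value) for value in values):
                hits.append((number, issue, param))
    return hits

# Constructed access-log lines; "/PLACEHOLDER/" stands in for the real paths.
SAMPLE = [
    '198.51.100.7 - - [21/Jul/2016:10:00:01 +0000] "GET /PLACEHOLDER/nagiosim.php?host=web01&service=HTTP HTTP/1.1" 200 512',
    '198.51.100.7 - - [21/Jul/2016:10:00:02 +0000] "GET /PLACEHOLDER/nagiosim.php?host=web01%27--&service=HTTP HTTP/1.1" 200 512',
    '198.51.100.7 - - [21/Jul/2016:10:00:03 +0000] "GET /PLACEHOLDER/graphApi?end=1469095200%3BCONSTRUCTED HTTP/1.1" 200 64',
    '198.51.100.7 - - [21/Jul/2016:10:00:04 +0000] "GET /PLACEHOLDER/ajaxproxy.php?proxyurl=http%3A%2F%2F10.0.0.8%3A22%2F HTTP/1.1" 200 0',
]
```

Calling triage(SAMPLE) reports lines 2, 3 and 4; hits are leads for review, since legitimate host, service or title values can also contain these characters.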