Nagios modules

Community member Erik Wynter has contributed two more Nagios XI modules this week, on top of the previous week’s contributions! If you’ve noticed Nagios XI 5.6.0 to 5.7.5 running within your target’s infrastructure during a pen test, be sure to check both these new modules out as well as the previous week’s contributions, as they provide both authenticated and unauthenticated remote code injection.

JSON RPC service improvements

Fresh out of the oven, Metasploit now warms up its JSON RPC service before accepting traffic. This week’s release ensures that Metasploit is now alive, warmed up, and healthy prior to binding the HTTP server to the host machine. If you’re not familiar with this functionality, Metasploit’s Remote Procedure Call (RPC) API allows you to programmatically drive the Metasploit Framework and commercial products using HTTP requests. This allows you to build powerful tools and functionality around Metasploit’s core engine to automate complex workflows without interacting directly with the Metasploit console as a user would. The JSON RPC Service is a more modern alternative to the older MessagePack implementation that is still available for use.

Command shell session validation

Thanks to the work of our very own Spencer McIntyre in pull request #15051, Metasploit will now automatically validate that the session is established and responsive. The intention is to help users by automatically determining sessions are valid before they can be used, to help avoid failed module runs. These new changes work in POSIX shells as well as Windows' command shell and PowerShell. This validation works by sending an echo command and verifying that the response is received back as expected.

New Module Content (3)

  • Nagios XI 5.6.0-5.7.3 - Mibs.php Authenticated Remote Code Exection by Chris Lyne, Erik Wynter, and Matthew Aberegg, which exploits CVE-2020-5791 - A new module has been added to exploit CVE-2020-5791, an OS command injection vulnerability in the admin/mibs.php page of NagiosXI 5.6.0 to 5.7.3 inclusive. Successful exploitation requires valid credentials for an administrative user and grants RCE as the apache or www-data user.
  • Nagios XI 5.5.0-5.7.3 - Snmptrap Authenticated Remote Code Exection by Chris Lyne and Erik Wynter, which exploits CVE-2020-5792 - A new module has been added to exploit CVE-2020-5792, an authenticated command injection vulnerability in the includes/components/nxti/index.php page of Nagios XI prior to 5.7.4. Successful exploitation results in RCE as the apache user.
  • Cockpit CMS NoSQLi to RCE by Nikita Petrov and h00die, which exploits CVE-2020-35846 - Adds a new module to exploit CockpitCMS versions 0.10.0 through 0.11.1. This module uses two NoSQL injections to get the user list, and password reset token list, enumerate the tokens to the users, reset a password, login, then a command injection for RCE.

Enhancements and features

  • #15051 from zeroSteiner - Verify that shell sessions are established and responsive by sending an echo command and verifying that a response is received.
  • #15072 from pingport80 - The post/linux/gather/hashdump module has been improved so that instead of checking if the user is root, it will now instead check if the user has access to the /etc/shadow file prior to attempting to dump the hashes from the shadow file. This allows users to dump password hashes in the case where the permissions of the /etc/shadow file may be set up incorrectly, even if they are not the root user.

Bugs Fixed

  • #15022 from adfoster-r7 - Ensures that the Metasploit JSON RPC service is warmed up and healthy before accepting requests
  • #15063 from gwillcox-r7 - The check logic of nagios_xi_plugins_check_ping_authenticated_rce.rb was updated to fix a bug whereby older versions of Nagios XI may have caused the module to crash instead of correctly reporting a target as being vulnerable or not.
  • #15064 from wvu-r7 - A undefined constant error in f5_bigip_known_privkey.rb was fixed by adding a missing import.
  • #15065 from pingport80 - Fix an issue in the post/linux/gather/checkvm module where a physical machine was detected as a virtual machine.
  • #15067 from jmartin-r7 - The lib/metasploit/framework/login_scanner/ssh.rb has been improved so that it now correctly handles cases where the connection might be reset by a client and continues scanning instead of throwing a stack trace.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).