(In)security of monitoring systems: NagiosXI
Companies of any size now run one monitoring system or another, and from time to time vulnerabilities (which get closed by patches) and weaknesses (which get a blind eye) are found in them. Today we talk about the NagiosXI monitoring system and how it can be used during a pentest, and we also give the developers' opinion on the security problems of their product.
Old versions aren't going anywhere
Although we mentioned vulnerability fixes, you will often come across an outdated monitoring system. The next steps are trivial: check the version (for example, with this script), look up the list of vulnerabilities for that particular build, and easily continue escalating within the network. What makes the problem relevant is that many monitoring-system users do not restrict access from outside. The censys.io scanner, queried for nagiosxi, reports 1002 reachable services, and a quick analysis immediately turns up systems vulnerable to RCE.
Often an attacker needs no specialized skills at all: for a random system from our sample, running a ready-made exploit is enough.
What could be worse than a compromised server, you might think? Time to recall the auxiliary plugins, which are almost never updated and contain no fewer vulnerabilities. The popular NRPE plugin turns up quite often; it is used to execute remote commands on monitored hosts. It is a time bomb if the dont_blame_nrpe option is enabled in its config (the name itself is a hint), but few people think about the security risks when they solve their short-term tasks this way.
Tutorials and guides recommend setting dont_blame_nrpe = 1 in your configuration as a fix for many errors.
Periodically we also come across outdated versions of this plugin, in which a vulnerability allows remote code execution.
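The tutorial setting next to a hardened one, run through a small audit script. This is an added example written for this post, not code from the original article or from the NRPE project. It assumes the standard nrpe.cfg syntax (one key=value per line, # comments, command[name]=... definitions) and the option names dont_blame_nrpe, allowed_hosts and allow_bash_command_substitution; both config samples are constructed.

```python
"""Audit an NRPE config for the settings that turn the plugin into a time bomb.

Added example (not from the original post or from the NRPE project). Assumes
the standard nrpe.cfg syntax: one key=value per line, '#' comments, command
definitions as command[name]=/path/plugin args, and $ARGn$ macros that are
only filled in from the client request when dont_blame_nrpe=1.
"""
import re
from typing import Dict, List, Tuple

COMMAND_RE = re.compile(r"^command\[(?P<name>[^\]]+)\]\s*=\s*(?P<cmdline>.*)$")
ARG_MACRO_RE = re.compile(r"\$ARG\d+\$")


def parse_nrpe_cfg(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split nrpe.cfg text into plain settings and command definitions.

    A key given twice keeps the last value (assumption: last wins, as in most
    line-oriented configs); blank lines and comments are ignored.
    """
    settings: Dict[str, str] = {}
    commands: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = COMMAND_RE.match(line)
        if m:
            commands[m.group("name")] = m.group("cmdline").strip()
        elif "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings, commands


def audit_nrpe_cfg(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing risky was seen."""
    settings, commands = parse_nrpe_cfg(text)
    findings: List[str] = []

    args_enabled = settings.get("dont_blame_nrpe", "0") == "1"
    if args_enabled:
        findings.append("dont_blame_nrpe=1: clients may pass arguments into plugin commands")

    hosts = [h.strip() for h in settings.get("allowed_hosts", "").split(",") if h.strip()]
    if not hosts:
        findings.append("allowed_hosts is empty: the config itself does not restrict clients")
    elif any(h.endswith("/0") for h in hosts):
        findings.append("allowed_hosts contains a /0 network: every source address is accepted")

    if settings.get("allow_bash_command_substitution", "0") == "1":
        findings.append("allow_bash_command_substitution=1: $(...) inside arguments is executed")

    # $ARGn$ macros only matter when argument passing is on; each such command
    # is a place where client-supplied text reaches a shell command line.
    if args_enabled:
        for name, cmdline in commands.items():
            if ARG_MACRO_RE.search(cmdline):
                findings.append(f"command[{name}] takes $ARGn$ macros while dont_blame_nrpe=1")
    return findings


# Constructed sample: the "fix many errors" setup from the tutorials.
WEAK_CFG = """
# constructed sample, not a real host's config
allowed_hosts=127.0.0.1,0.0.0.0/0
dont_blame_nrpe=1
command[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10
command[check_disk]=/usr/local/nagios/libexec/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
"""

# Constructed sample: arguments off, thresholds fixed server-side, one allowed poller.
HARDENED_CFG = """
allowed_hosts=127.0.0.1,192.0.2.10
dont_blame_nrpe=0
allow_bash_command_substitution=0
command[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10
command[check_disk_root]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(f"[{label}]")
        for finding in audit_nrpe_cfg(cfg) or ["no findings"]:
            print("  -", finding)
```

The hardened sample keeps the same checks working by moving the thresholds into the command definition on the monitored host, so nothing from the client request ever reaches the command line; that, plus a tight allowed_hosts list, is what the tutorials' dont_blame_nrpe=1 shortcut trades away.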
Developers have time to think about your security.
Time passes, vulnerabilities get eliminated, and responsible system administrators update their systems promptly, believing that this protects them from intruders. That is partly true: under such conditions a script kiddie without a working exploit at hand can do no harm. But if we consider the case where the attacker starts investigating the system, a lot of interesting things turn up.
This summer we examined NagiosXI 5.4.8, the most current version at the time, and found a number of weaknesses and vulnerabilities in it: several XSS issues and the ability to upload a malicious component, adding a shell to the web server that is then accessible to an unauthorized user. We reported this to the system's developers and received a response shortly after.
Not a bug, but a feature!
As so often happens, rescuing the drowning is the job of the drowning themselves. Given that passwords can be brute-forced without hindrance, not to mention systems with default credentials, there are enough vulnerable systems for a small botnet. Apparently the ability to drop a shell after logging into the administrative panel will not be eliminated for quite some time, not until the developers see this problem as a bug.
Of course, we understand how product development in IT companies works.
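One way to notice that unhindered password brute-forcing on the defending side, since the vendor will not do it for you. This is an added example, not part of the original post: the log line format is constructed for the demo (this page does not show NagiosXI's own auth log layout), and the addresses, users and timestamps are made up.

```python
"""Spot password brute forcing against a login form from auth log lines.

Added example, not from the original post. The line format is constructed
for the demo (this page does not show NagiosXI's own log layout); a real
deployment would swap LINE_RE for the web server's or application's format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) login "
    r"(?P<result>OK|FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "result": m.group("result"),
        "user": m.group("user"),
        "src": m.group("src"),
    }


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window: timedelta = timedelta(minutes=2)) -> List[Tuple[str, str, str]]:
    """Return (src, kind, detail) alerts.

    kind == "burst": a source reached `threshold` failures inside `window`.
    kind == "success-after-failures": a login succeeded from a source that
    had a burst-sized run of failures right before it, which is the case
    that matters most when default credentials are in play.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Tuple[str, str, str]] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unrelated or garbled line
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # slide the window: forget failures older than `window`
        if ev["result"] == "FAILED":
            q.append(ev["ts"])
            if len(q) == threshold:  # alert once, when the threshold is first crossed
                alerts.append((ev["src"], "burst",
                               f"{threshold} failed logins within {window}"))
        else:
            if len(q) >= threshold:
                alerts.append((ev["src"], "success-after-failures",
                               f"user={ev['user']} logged in after {len(q)} failures"))
            q.clear()  # a successful login ends this source's run of failures
    return alerts


# Constructed sample: 203.0.113.5 guesses until it gets in; 198.51.100.7 is one typo.
SAMPLE_LOG = [
    "2018-01-15T10:00:01Z login FAILED user=nagiosadmin src=203.0.113.5",
    "2018-01-15T10:00:03Z login FAILED user=nagiosadmin src=203.0.113.5",
    "2018-01-15T10:00:05Z login FAILED user=admin src=203.0.113.5",
    "2018-01-15T10:00:06Z login FAILED user=nagiosadmin src=203.0.113.5",
    "2018-01-15T10:00:10Z login FAILED user=nagiosadmin src=198.51.100.7",
    "2018-01-15T10:00:12Z login OK user=nagiosadmin src=198.51.100.7",
    "2018-01-15T10:00:15Z login FAILED user=nagiosadmin src=203.0.113.5",
    "2018-01-15T10:00:20Z login FAILED user=nagiosadmin src=203.0.113.5",
    "garbage line that does not parse",
    "2018-01-15T10:00:25Z login OK user=nagiosadmin src=203.0.113.5",
]

# Constructed sample: six failures three minutes apart never fill a two-minute window.
SLOW_LOG = [
    f"2018-01-15T10:{minute:02d}:00Z login FAILED user=nagiosadmin src=203.0.113.9"
    for minute in (0, 3, 6, 9, 12, 15)
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The sliding window is per source address, so a slow, spaced-out guessing run stays under the radar of this particular rule; lowering the threshold or widening the window trades that for more noise from users who mistype, which is why the success-after-failures alert only fires when a full burst precedes the successful login.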
Something like that
But we cannot help noting that in August a PoC of the social-engineering attack vector was submitted, which, after one careless click by a user, adds a shell to the remote server. The developers promised to filter the values that end up in the variables, but six months later, in version 5.4.12, nothing has changed in this regard.
To make it easier for researchers and administrators to identify threats to monitoring systems, a periodically updated cheat sheet, "Exploiting monitoring systems", has appeared. Click here for more information on the attack vectors above in the context of penetration testing.
Finally
I would also like to note that similar material is being prepared for other popular (and not so popular) monitoring systems. Special thanks to these guys: ro421, PenGenKiddy, sabotaged, NetherNN.
In addition, anyone interested can contribute to this cheat sheet and supplement it with their own material on any monitoring system they know.