Add templates for CVE-2021-25296, CVE-2021-25297, CVE-2021-25298 #6615
pussycat0x merged 21 commits into projectdiscovery:main from
Conversation
Hello @k0pak4, thank you so much for sharing this template with the community and contributing to this project 🍻,
@ritikchaddha oh of course, just totally missed it. This is an authenticated RCE and my first template, any advice on setting up a correct matcher?
So, for the authenticated templates you need to first add the login request like this, and after that add the request that executes the RCE. I hope this helps. Just drop a message here in case you need more help.
@ritikchaddha Thanks for the pointers! I completed the templates, just had to make some minor modifications to capture the post-auth cookies and nsp. Nagios was sending three consecutive Set-Cookie headers, but with the first two being the previous unauthorized cookie value. Here's an image of local validation. I went with actually sending a payload rather than a version check so that if folks want to test with a WAF in front, the WAF should catch it first.
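The cookie pitfall described in the comment above (several Set-Cookie headers for the same name, only the last one carrying the authenticated session) is easy to get wrong with a "first match" extractor. The following is an added example, not code from the PR or from nuclei-templates: it parses a constructed login response, keeps the last value per cookie name, and pulls the nsp token out of the page body. The cookie name `nagiosxi`, the hidden-input form of the nsp field, and the sample response itself are assumptions made for illustration.

```python
"""Pick the effective session cookie out of a login response that repeats
Set-Cookie, and extract the nsp token from the body for the follow-up request.

Added example; not part of the nuclei-templates PR. The response below is
constructed, and the cookie name / nsp field layout are assumptions.
"""
import re

# Constructed sample: two stale Set-Cookie headers followed by the real one,
# mirroring the behaviour described in the PR thread.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: nagiosxi=stale000001; path=/\r\n"
    "Set-Cookie: nagiosxi=stale000001; path=/\r\n"
    "Set-Cookie: nagiosxi=fresh123abc; path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><input type='hidden' name='nsp' value='deadbeef'></html>"
)

# Assumed shape of the nsp field; adjust to the page actually being tested.
NSP_RE = re.compile(r"name=['\"]nsp['\"]\s+value=['\"]([0-9a-f]+)['\"]", re.I)


def split_response(raw):
    """Split a raw HTTP response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def _cookie_pair(value):
    """Return (name, value) from a Set-Cookie header, dropping attributes."""
    pair = value.split(";", 1)[0]
    name, _, val = pair.partition("=")
    return name.strip(), val.strip()


def first_cookie_values(headers):
    """Naive extractor: keeps the FIRST Set-Cookie per name (the bug)."""
    cookies = {}
    for name, value in headers:
        if name == "set-cookie":
            cname, cval = _cookie_pair(value)
            cookies.setdefault(cname, cval)
    return cookies


def last_cookie_values(headers):
    """Correct extractor: a later Set-Cookie for the same name overrides."""
    cookies = {}
    for name, value in headers:
        if name == "set-cookie":
            cname, cval = _cookie_pair(value)
            cookies[cname] = cval
    return cookies


def extract_nsp(body):
    """Return the nsp token from the page body, or None if absent."""
    match = NSP_RE.search(body)
    return match.group(1) if match else None


def build_authenticated_request_parts(raw):
    """Produce the Cookie header and nsp token for the second (post-auth) request."""
    _, headers, body = split_response(raw)
    cookies = last_cookie_values(headers)
    cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return {"Cookie": cookie_header, "nsp": extract_nsp(body)}


if __name__ == "__main__":
    _, hdrs, _ = split_response(SAMPLE_RESPONSE)
    print("first-match (wrong):", first_cookie_values(hdrs))
    print("last-match (right): ", last_cookie_values(hdrs))
    print(build_authenticated_request_parts(SAMPLE_RESPONSE))
```

The contrast between `first_cookie_values` and `last_cookie_values` is the whole point: an extractor that stops at the first hit sends the pre-login cookie and the second request fails authentication, while the last-wins rule yields the session the server actually issued.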
Hello @k0pak4, Thank you for updating the template with the required request; we are working on validating these templates. Also, could you help us with the reference of the Nagios XI docker image or setup of the vulnerable version?
@ritikchaddha Sure thing, the easiest way is to use the official OVA from Nagios: https://assets.nagios.com/downloads/nagiosxi/5/ovf/nagiosxi-5.7.5-64.ova . After it loads up, just visit the IP in a browser to finish the install. I used the default user/pass of nagiosadmin/nagiosadmin. After you accept the license agreement, it should be good to test against. If you have any questions let me know!
@ritikchaddha just a heads-up that additional versions are vulnerable to this. I went and found the earliest vulnerable version and updated the descriptions/names to reflect this (5.5.6 to 5.7.5).
@ritikchaddha @DhiyaneshGeek let me know if there's anything else you guys need to help validate. I wrote much more detailed installation instructions in the MSF documentation: https://github.com/rapid7/metasploit-framework/pull/17494/files#diff-58c6b6a15eb27fca20227b1449709c7b5db5e394974dc4082e9934adb13a6fd2 which might help.
Hello @k0pak4, Thanks for the additional information; we are working on validating these templates.
Thank you @k0pak4 for sharing these templates. Your efforts are greatly appreciated.
@ritikchaddha I found very small issues with not URL-encoding the closing `;` and needing a closing `%22` in CVE-2021-25297, which is needed in some of the versions. It looks good to me, see here:
Hello @k0pak4, Thanks for the changes, they look good to me 👍. It is ready to merge now.


Template / PR Information
References:
Template Validation
I've validated this template locally?
Additional Details
Details on exploiting the actual CVEs can be found in one of the two locations: