Issues Found on Nagios Network Analyzer 2.4.2
During the time of 2020, I was preparing for a certification called OSWE. The path has been long and with curves, because sometimes we have unforeseen events in life that make us do smarter choices, resulting in a change of objectives. With this mindset, I researched what I learned in the AWAE material and resulted in two findings against the NagiosNA application.
Nagios Network Analyzer is a network data flow analysis solution that provides organizations with a broad view of their IT infrastructure and network traffic. The network analyzer allows you to be proactive in resolving failures, aberrant behavior, and security threats before they affect critical business processes.
I would like to thank Nagios for being extremely fast and friendly with the entire reporting process!
SQL Injection in API Sources (CVE-2021–28925):
A SQL injection attack consists in manipulate SQL queries via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands. With this explanation in mind, we can move on to technical details.
To be able to perform a more accurate debugging, I tried to enable the logs and the verbose mode of the environment, after that, I started the process of mapping the user inputs and soon arrived at an endpoint with very interesting parameters, which could result in a SQL Injection.
After identifying the line highlighted above, now I need to check if my feeling would take me anywhere. With that in mind, I started the process of static analysis in the file “application/views/dashboard.php”, and I concluded that after authenticating in the application, we are redirected to the dashboard, where several GET and POST requests are generated for the endpoint “/api/sources/read” with the parameters “o[col]” and “o [sort]”. Luckily for us, we managed to control the input “o[col]”, for our unluck it is necessary to be authenticated.
At that moment, I started to feel my hunter’s sense getting keener and keener on this path, so I went ahead with the process of “reverse tracking” in the parameters “o[col]” and I get as a result of this procedure the file “database_helper.php”. By reading and understanding the “do_enumerate” function, I was able to identify that I could only have a single headache, the “escape_str”. However, let’s not create panic, because I was also able to notice that the way the query was built, in theory, it would be all right if a payload with “AND” was inserted.
At this point, I finally needed to just put the pieces together and prove the theory, for that, I authenticated myself in the application using the credentials of a user without administrative privileges and immediately afterward identified the request for the endpoint “/api/checks/read” and I used the following payload for a time based blind: “+AND+(SELECT+777+FROM+(SELECT(SLEEP(15)))LURIEL_STOLABS)” on “o[col]” parameter.
When sending the request to the server, it interpreted the sleep command sent and it took 15 seconds to return the response to us. In parallel to this, we can see our payload in the log files of MariaDB.
Self Cross-Site Scripting (CVE-2021–28924):
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side , to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
Self-XSS operates by tricking users into copying and pasting malicious content into their browsers. Usually, the attacker posts a message that says by copying and running certain code, the user will be able to hack another user’s account. In fact, the code allows the attacker to hijack the victim’s account.
Endpoint: /nagiosna/groups/queries/1
Payload: “><img src=”” onerror=”alert(document.cookie)”>
These were the findings during this exercise!
