A recently discovered issue in Nagios XI, a popular network monitoring software, has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2024-24402. In this long-read post, we will dive into the details of this vulnerability, including code snippets, links to original references, and exploit details.

The Problem

In Nagios XI 2024R1.01, a remote attacker can take advantage of a vulnerability to escalate their access privileges. This vulnerability lies within the "/usr/local/nagios/bin/npcd" component of the software. By sending a specially crafted script, the attacker can exploit this vulnerability to gain higher privileges on the targeted system.

Code snippet

The following simplified C snippet illustrates the problematic pattern in the npcd component, where a client-supplied command reaches the shell:

// File: npcd.c
#include <stdlib.h>   // system()
#include "npcd.h"     // the daemon's own header, as presented on this page

// Buffer holding the raw command line read from the connected client
static char command_from_client[1024];

void process_commands_from_client(void);

int main(int argc, char **argv) {
    // ... initialize, parse config file, etc ...
    process_commands_from_client();
    // ... cleanup, etc ...
    return 0;
}

void process_commands_from_client(void) {
    // ... read_from_socket() fills command_from_client ...

    // The problematic part: the client-supplied string is handed to the
    // shell unchanged, so any shell metacharacters in it are honored.
    system(command_from_client);
}

In the above code snippet, command_from_client is the command received from the client and passed unchanged to system(), which runs it through /bin/sh. Because the string is never validated, the client can execute arbitrary commands with the privileges of the npcd process.
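The hardened form of that pattern, as an added example and not npcd's actual code: the client may only pick a verb from a fixed menu, the server owns the argv, and the action runs via execv so no shell is ever involved. The verbs and program paths are hypothetical placeholders.

```c
/* Added example, not npcd's real code: the same "command from client"
 * flow, hardened so the client chooses only from a fixed menu of actions
 * and client bytes never reach a shell. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Fixed menu: the client sends a verb; the server owns the argv.
 * Verbs and paths are hypothetical placeholders for the illustration. */
struct action { const char *verb; const char *argv[4]; };
static const struct action actions[] = {
    { "reload", { "/usr/local/nagios/bin/nagios", "-v",
                  "/usr/local/nagios/etc/nagios.cfg", NULL } },
    { "rotate", { "/usr/bin/logrotate", "/etc/logrotate.d/npcd", NULL, NULL } },
};

/* Returns the action matching the client's line, or NULL if the line is not
 * exactly one allowlisted verb. Metacharacters, extra arguments and partial
 * matches are all rejected rather than interpreted. */
const struct action *lookup_action(const char *line) {
    char verb[16];
    size_t n = strcspn(line, "\r\n");          /* strip line terminator */
    if (n == 0 || n >= sizeof verb) return NULL;
    memcpy(verb, line, n);
    verb[n] = '\0';
    for (size_t i = 0; i < sizeof actions / sizeof actions[0]; i++)
        if (strcmp(verb, actions[i].verb) == 0) return &actions[i];
    return NULL;
}

/* Replacement for system(command_from_client): look the verb up and run the
 * matching fixed argv via execv. Returns the child's exit status, or -1 if
 * the verb was rejected or the child did not exit normally. */
int run_client_command(const char *line) {
    const struct action *a = lookup_action(line);
    if (a == NULL) { fprintf(stderr, "rejected client command\n"); return -1; }
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(a->argv[0], (char *const *)a->argv);
        _exit(127);                             /* exec failed in the child */
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```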

Exploit details

The vulnerability is exploited by sending a malicious payload to the npcd component, for example a short shell script or other crafted input that npcd will execute. Once it runs, the attacker gains higher privileges on the targeted system.

Example malicious payload

./npcd "|touch /tmp/nagios_exploit_success_CVE-2024-24402; echo Nagios exploit success CVE-2024-24402;"

In this example payload, the attacker passes a command that creates a file in the /tmp directory and echoes a success message that can be seen in the logs; both the unexpected file and the log line are simple indicators to check when reviewing a host for exploitation.

Several reports and advisories have been filed regarding this vulnerability, such as:

1. https://www.example.com/advisory_CVE-2024-24402 - [Fictitious] An example of a security advisory report on CVE-2024-24402.
2. https://www.example.com/Nagios-XI-disclosure - [Fictitious] A post from the original vulnerability discoverer, outlining testing and explanation of the vulnerability.

Mitigation

Nagios developers have already released a patch to fix this issue in the latest version of Nagios XI. Users are strongly encouraged to update their Nagios XI installations to the latest version available to protect themselves from this vulnerability.

Conclusion

CVE-2024-24402 is a serious vulnerability in Nagios XI 2024R1.01, allowing remote attackers to escalate their privileges by exploiting the npcd component. Understanding the details of this vulnerability and applying the appropriate patches and updates are essential steps for safeguarding your network infrastructure.

Timeline

Published on: 02/26/2024 17:15:10 UTC
Last modified on: 02/26/2024 22:10:40 UTC