CVE-2018-8736
published 2018-04-18

CVE-2018-8736: A privilege escalation vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to leverage an RCE vulnerability escalating to root.

Priority: P273 high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: EXPLOIT
EPSS: 46.95% (98.7th percentile)

Affected (1 range)

Vendor   Product     Version range        Fixed in
nagios   nagios_xi   >= 5.2.0 < 5.4.13    5.4.13

Detection & IOCs (extracted from sources)

url: /nagiosql/admin/settings.php
url: /nagiosql/admin/helpedit.php
url: /nagiosxi/api/v1/system/user
url: /nagiosxi/backend/index.php
path: /usr/local/nagiosxi/scripts/reset_config_perms.sh
command: cmd='submitcommand'&command='1111'
snort: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI SQL Injection"; flow:established,to_server; http.uri; content:"/nagiosim.php?mode=resolve&host=|27|"; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025772; rev:2; metadata:attack_target Server, created_at 2018_07_02, cve CVE_2018_8734, deployment Datacenter, confidence High, signature_severity Critical, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
snort: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI SQL Injection 2"; flow:established,to_server; http.uri; content:"/admin/helpedit.php"; fast_pattern; http.request_body; content:"selInfoKey1="; pcre:"/^[^&]+\x2527(?:UNION|SELECT)/Ri"; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025775; rev:3; metadata:attack_target Server, created_at 2018_07_03, cve CVE_2018_8734, deployment Datacenter, confidence High, signature_severity Critical, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
bytes: |27|
  • Detect the DB-user-to-root pivot: monitor for POST requests to /nagiosql/admin/settings.php containing the parameter 'txtDBuser=root', which is the first step of the chained exploit.
  • Detect SQLi API-key enumeration: monitor POST requests to /nagiosql/admin/helpedit.php where the body parameter 'selInfoKey1' contains a URL-encoded single-quote followed by UNION or SELECT (pattern: selInfoKey1=...%27UNION or %27SELECT).
  • Detect admin user creation via API: monitor POST requests to /nagiosxi/api/v1/system/user with parameters auth_level=admin and force_pw_change=0, authenticated with an apikey query parameter.
  • Detect command injection / privilege escalation: monitor POST requests to /nagiosxi/backend/index.php with query parameters cmd=submitcommand and command=1111, which triggers execution of attacker-controlled command_data via nopasswd sudo.
  • Detect privilege escalation payload: alert on writes to /usr/local/nagiosxi/scripts/reset_config_perms.sh followed by a sudo execution of that script, which is the mechanism used to achieve root.
  • Track the nagiosxi session cookie across all exploit steps; a newly created session cookie appearing immediately after a POST to /nagiosxi/api/v1/system/user (admin creation) is a strong indicator of exploitation in progress.
  • The SQLi payload column name differs by Nagios XI version: versions < 5.3 use 'api_key', versions >= 5.3 use 'backend_ticket'. Detection rules targeting the SQLi body must account for both field names.
  • The exploit targets port 80 by default (RPORT 80), but the Metasploit module allows this to be changed. Network-level detections should not be restricted to port 80 alone.
  • The module uses a CmdStager with 'printf' flavor and ARCH_X86, meaning the staged payload is delivered via printf-based shell commands rather than a binary upload; file-based detections may miss the initial payload delivery.
  • The exploit resets the database user back to 'nagiosql'/'n@gweb' and deletes the added admin user after exploitation, meaning post-exploitation forensic artifacts in the DB may be minimal.
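The detection bullets above can be turned into a small correlation rule. The following is an added example, not code from this page or from Nagios: it classifies HTTP request records (method, path, query string, form body, client IP; the record layout and all sample data are constructed here) against the URLs and parameters listed above, flags a client that hits two or more distinct stages of the chain, and separately matches sudo log lines that execute the reset_config_perms.sh script. The SQLi check runs on the decoded selInfoKey1 value, so it does not depend on whether the payload names 'api_key' or 'backend_ticket'.

```python
"""Detection logic for the Nagios XI exploit chain described on this page (CVE-2018-8736).

Added example. Request records, IPs, log lines and the API-key placeholder are constructed.
"""
import re
from urllib.parse import parse_qs

# Decoded selInfoKey1 value: a single quote followed by UNION or SELECT.
# (The Snort rule matches the %27-encoded form in the raw request body.)
SQLI_RE = re.compile(r"'\s*(?:UNION|SELECT)", re.IGNORECASE)

# Host-side indicator: sudo execution of the privilege-escalation script.
SUDO_RE = re.compile(r"sudo:.*COMMAND=/usr/local/nagiosxi/scripts/reset_config_perms\.sh\b")

STAGE_ORDER = ["db_user_pivot", "sqli_apikey_enum", "admin_user_created", "command_submit"]


def _first(params, key):
    """Return the first value of a parsed query/body parameter, or None."""
    vals = params.get(key)
    return vals[0] if vals else None


def classify_request(rec):
    """Return the exploit-chain stage a request record matches, or None."""
    if rec["method"].upper() != "POST":
        return None
    q = parse_qs(rec.get("query", ""), keep_blank_values=True)
    b = parse_qs(rec.get("body", ""), keep_blank_values=True)
    path = rec["path"]

    # Stage 1: NagiosQL DB user switched to root via the settings page.
    if path == "/nagiosql/admin/settings.php" and _first(b, "txtDBuser") == "root":
        return "db_user_pivot"
    # Stage 2: SQL injection through selInfoKey1 on helpedit.php.
    if path == "/nagiosql/admin/helpedit.php" and SQLI_RE.search(_first(b, "selInfoKey1") or ""):
        return "sqli_apikey_enum"
    # Stage 3: admin user created through the API using an apikey query parameter.
    if (path == "/nagiosxi/api/v1/system/user" and "apikey" in q
            and _first(b, "auth_level") == "admin"
            and _first(b, "force_pw_change") == "0"):
        return "admin_user_created"
    # Stage 4: command submission to the backend (cmd=submitcommand&command=1111).
    if (path == "/nagiosxi/backend/index.php"
            and _first(q, "cmd") == "submitcommand"
            and _first(q, "command") == "1111"):
        return "command_submit"
    return None


def correlate(records):
    """Group matched stages per client IP; a client with >= 2 distinct stages is 'chained'."""
    per_client = {}
    for rec in records:
        stage = classify_request(rec)
        if stage:
            per_client.setdefault(rec["client"], []).append(stage)
    return {
        client: {"stages": sorted(set(stages), key=STAGE_ORDER.index),
                 "chained": len(set(stages)) >= 2}
        for client, stages in per_client.items()
    }


def sudo_hits(lines):
    """Return auth-log lines showing sudo execution of reset_config_perms.sh."""
    return [line for line in lines if SUDO_RE.search(line)]


# Constructed sample traffic: 203.0.113.5 walks the chain, 198.51.100.7 is a normal admin.
SAMPLE_REQUESTS = [
    {"client": "203.0.113.5", "method": "POST", "path": "/nagiosql/admin/settings.php",
     "query": "", "body": "txtDBuser=root"},
    {"client": "203.0.113.5", "method": "POST", "path": "/nagiosql/admin/helpedit.php",
     "query": "", "body": "selInfoKey1=x%27UNION%20SELECT%201"},
    {"client": "203.0.113.5", "method": "POST", "path": "/nagiosxi/api/v1/system/user",
     "query": "apikey=CONSTRUCTED_PLACEHOLDER", "body": "auth_level=admin&force_pw_change=0"},
    {"client": "203.0.113.5", "method": "POST", "path": "/nagiosxi/backend/index.php",
     "query": "cmd=submitcommand&command=1111", "body": "command_data=CONSTRUCTED_PLACEHOLDER"},
    {"client": "198.51.100.7", "method": "POST", "path": "/nagiosql/admin/settings.php",
     "query": "", "body": "txtDBuser=nagiosql"},
    {"client": "198.51.100.7", "method": "GET", "path": "/nagiosxi/backend/index.php",
     "query": "cmd=submitcommand&command=1111", "body": ""},
]

# Constructed sudo log lines in the usual syslog layout.
SAMPLE_SUDO_LOG = [
    "Apr 18 10:00:01 nagios-host sudo:   nagios : TTY=unknown ; PWD=/ ; USER=root ; "
    "COMMAND=/usr/local/nagiosxi/scripts/reset_config_perms.sh",
    "Apr 18 10:00:02 nagios-host sudo:   admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; "
    "COMMAND=/bin/systemctl restart httpd",
]

if __name__ == "__main__":
    for client, info in correlate(SAMPLE_REQUESTS).items():
        print(client, info)
    for line in sudo_hits(SAMPLE_SUDO_LOG):
        print("sudo hit:", line)
```

The correlation keys on client IP for simplicity; in a real pipeline the nagiosxi session cookie described above is the better join key, since the attacker's session changes right after the admin-creation step. The GET to the backend in the sample is deliberately ignored, matching the bullets, which describe POST requests only.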

CVSS provenance

NVD v3.0: 8.8 HIGH   CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 9.0 CRITICAL   AV:N/AC:L/Au:S/C:C/I:C/A:C