CVE-2018-8736
Published 2018-04-18
CVE-2018-8736: A privilege escalation vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to leverage an RCE vulnerability escalating to root.
Priority: P2 (73); CVSS 3.0: 8.8 (high)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 46.95% (98.7th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nagios | nagios_xi | >= 5.2.0 < 5.4.13 | 5.4.13 |
Detection & IOCs (extracted from sources)
Snort rule:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI SQL Injection"; flow:established,to_server; http.uri; content:"/nagiosim.php?mode=resolve&host=|27|"; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025772; rev:2; metadata:attack_target Server, created_at 2018_07_02, cve CVE_2018_8734, deployment Datacenter, confidence High, signature_severity Critical, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
Snort rule:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI SQL Injection 2"; flow:established,to_server; http.uri; content:"/admin/helpedit.php"; fast_pattern; http.request_body; content:"selInfoKey1="; pcre:"/^[^&]+\x2527(?:UNION|SELECT)/Ri"; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025775; rev:3; metadata:attack_target Server, created_at 2018_07_03, cve CVE_2018_8734, deployment Datacenter, confidence High, signature_severity Critical, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
Byte pattern: |27| (0x27, a literal single quote)
Detection points:
- Detect the DB-user-to-root pivot: monitor POST requests to /nagiosql/admin/settings.php containing the parameter 'txtDBuser=root', which is the first step of the chained exploit.
- Detect SQLi API-key enumeration: monitor POST requests to /nagiosql/admin/helpedit.php where the body parameter 'selInfoKey1' contains a URL-encoded single quote followed by UNION or SELECT (pattern: selInfoKey1=...%27UNION or %27SELECT).
- Detect admin user creation via the API: monitor POST requests to /nagiosxi/api/v1/system/user with the parameters auth_level=admin and force_pw_change=0, authenticated with an apikey query parameter.
- Detect command injection / privilege escalation: monitor POST requests to /nagiosxi/backend/index.php with the query parameters cmd=submitcommand and command=1111, which triggers execution of attacker-controlled command_data via nopasswd sudo.
- Detect the privilege escalation payload: alert on writes to /usr/local/nagiosxi/scripts/reset_config_perms.sh followed by a sudo execution of that script, which is the mechanism used to achieve root.
- Track the nagiosxi session cookie across all exploit steps; a newly created session cookie appearing immediately after a POST to /nagiosxi/api/v1/system/user (admin creation) is a strong indicator of exploitation in progress.
Notes:
- The SQLi payload column name differs by Nagios XI version: versions < 5.3 use 'api_key', versions >= 5.3 use 'backend_ticket'. Detection rules targeting the SQLi body must account for both field names.
- The exploit targets port 80 by default (RPORT 80), but the Metasploit module allows this to be changed. Network-level detections should not be restricted to port 80 alone.
- The module uses a CmdStager with the 'printf' flavor and ARCH_X86, meaning the staged payload is delivered via printf-based shell commands rather than a binary upload; file-based detections may miss the initial payload delivery.
- The exploit resets the database user back to 'nagiosql'/'n@gweb' and deletes the added admin user after exploitation, so post-exploitation forensic artifacts in the DB may be minimal.
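As an added example (not from any of the page's sources or vendor rules), the detection points above turned into a small Python classifier run over constructed request-log lines; the `METHOD URL BODY` line format, the `PLACEHOLDER` apikey value and the sample bodies are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Labels for the chain steps described in the detection notes.
STEP_DB_ROOT = "1:db-user-to-root"
STEP_SQLI = "2:sqli-api-key-enum"
STEP_ADMIN = "3:admin-user-via-api"
STEP_CMDINJ = "4:command-injection"


def classify_request(method, url, body=""):
    """Return the chain-step labels matched by a single HTTP request."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    form = parse_qs(body, keep_blank_values=True)  # decodes %27 to a quote
    hits = []
    if method != "POST":
        return hits
    if parts.path.endswith("/nagiosql/admin/settings.php") and "root" in form.get("txtDBuser", []):
        hits.append(STEP_DB_ROOT)
    if parts.path.endswith("/nagiosql/admin/helpedit.php"):
        # quote followed by UNION/SELECT, matching the %27UNION / %27SELECT indicator
        if any(re.search(r"'\s*(?:UNION|SELECT)", v, re.I) for v in form.get("selInfoKey1", [])):
            hits.append(STEP_SQLI)
    if (parts.path.endswith("/nagiosxi/api/v1/system/user") and "apikey" in query
            and form.get("auth_level") == ["admin"] and form.get("force_pw_change") == ["0"]):
        hits.append(STEP_ADMIN)
    if (parts.path.endswith("/nagiosxi/backend/index.php")
            and query.get("cmd") == ["submitcommand"] and query.get("command") == ["1111"]):
        hits.append(STEP_CMDINJ)
    return hits


def scan_log(lines):
    """Parse 'METHOD URL [BODY]' lines (assumed format) and return (line_no, labels) alerts."""
    alerts = []
    for n, line in enumerate(lines, 1):
        fields = line.split(" ", 2)
        method, url = fields[0], fields[1]
        body = fields[2] if len(fields) > 2 else ""
        labels = classify_request(method, url, body)
        if labels:
            alerts.append((n, labels))
    return alerts


SAMPLE_LOG = [  # constructed sample traffic, not a real capture
    "GET /nagiosxi/login.php",
    "POST /nagiosql/admin/settings.php txtRootPath=/&txtDBuser=root&txtDBpass=x",
    "POST /nagiosql/admin/helpedit.php selInfoKey1=a%27UNION+SELECT+1&selInfoKey2=x",
    "POST /nagiosxi/api/v1/system/user?apikey=PLACEHOLDER username=bob&password=p&auth_level=admin&force_pw_change=0",
    "POST /nagiosxi/backend/index.php?cmd=submitcommand&command=1111 command_data=x",
]
```

Alerts from consecutive lines in the order 1 to 4 are the chain the notes describe; a single hit on step 3 or 4 without the earlier ones is still worth triage, since the SQLi column name varies by version and may be missed.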
CVSS provenance
NVD v3.0: 8.8 HIGH, CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 9.0 CRITICAL, AV:N/AC:L/Au:S/C:C/I:C/A:C
Suricata: ET WEB_SPECIFIC_APPS SoftExpert Excellence Suite 2.0 SQL Injection (suricata, 2018-07-05, tagged CVE-2018-8736)
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SoftExpert Excellence Suite 2.0 SQL Injection"; flow:established,to_server; http.uri; content:"/view_eletronic_download.php?class_name="; fast_pattern; content:"&cddocument="; pcre:"/^[a-z0-9A-Z]+[^&]+[\x27\x22]/Ri"; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44981/; classtype:web-application-attack; sid:2025786; rev:2; metadata:attack_target Web_Server, created_at 2018_07_05, cve CVE_2018_8736, deployment Datacenter, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Publ
Suricata: ET EXPLOIT Nagios XI SQL Injection 2 (suricata, 2018-07-03, tagged CVE-2018-8734)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI SQL Injection 2"; flow:established,to_server; http.uri; content:"/admin/helpedit.php"; fast_pattern; http.request_body; content:"selInfoKey1="; pcre:"/^[^&]+\x2527(?:UNION|SELECT)/Ri"; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025775; rev:3; metadata:attack_target Server, created_at 2018_07_03, cve CVE_2018_8734, deployment Datacenter, confidence High, signature_severity Critical, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
Suricata: ET EXPLOIT Nagios XI Set DB User Root (suricata, 2018-07-03, tagged CVE-2018-8734)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI Set DB User Root"; flow:established,to_server; http.uri; content:"/admin/settings.php"; http.request_body; content:"txtRootPath="; content:"&txtBasePath="; content:"&selProtocol="; content:"&txtTempdir="; content:"&selLanguage="; content:"&txtEncoding="; content:"&txtDBserver="; content:"&txtDBport="; content:"&txtDBname="; content:"&txtDBuser=root"; fast_pattern; content:"&txtDBpass="; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025777; rev:2; metadata:attack_target Server, created_at 2018_07_03, cve CVE_2018_8734, deployment Datacenter, conf
Suricata: ET EXPLOIT Nagios XI Adding Administrative User (suricata, 2018-07-03, tagged CVE-2018-8734)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI Adding Administrative User"; flow:established,to_server; http.uri; content:"/api/v1/system/user"; http.request_body; content:"username="; content:"&password="; content:"&name="; content:"&email="; content:"&auth_level=admin&force_pw_change=0"; fast_pattern; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025778; rev:2; metadata:attack_target Server, created_at 2018_07_03, cve CVE_2018_8734, deployment Datacenter, confidence High, signature_severity Critical, updated_at 2020_08_25;)
Suricata: ET EXPLOIT Nagios XI Remote Code Execution 3 (suricata, 2018-07-03, tagged CVE-2018-8734)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI Remote Code Execution 3"; flow:established,to_server; http.uri; content:"/index.php?cmd=submitcommand&command="; content:"&command_data=$("; fast_pattern; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025776; rev:4; metadata:attack_target Server, created_at 2018_07_03, cve CVE_2018_8734, deployment Datacenter, confidence Medium, signature_severity Critical, updated_at 2020_11_19, reviewed_at 2024_04_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Applicatio
Suricata: ET EXPLOIT Nagios XI SQL Injection (suricata, 2018-07-02, tagged CVE-2018-8734)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI SQL Injection"; flow:established,to_server; http.uri; content:"/nagiosim.php?mode=resolve&host=|27|"; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025772; rev:2; metadata:attack_target Server, created_at 2018_07_02, cve CVE_2018_8734, deployment Datacenter, confidence High, signature_severity Critical, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
Suricata: ET EXPLOIT Nagios XI Remote Code Execution 2 (suricata, 2018-07-02, tagged CVE-2018-8734)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI Remote Code Execution 2"; flow:established,to_server; http.uri; content:"/graphApi.php?host="; fast_pattern; http.uri.raw; content:"%3bsudo%20../profile/getprofile.sh%20%23"; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025773; rev:3; metadata:attack_target Server, created_at 2018_07_02, cve CVE_2018_8734, deployment Datacenter, confidence Medium, signature_severity Critical, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
Suricata: ET EXPLOIT Nagios XI Remote Code Execution (suricata, 2018-07-02, tagged CVE-2018-8734)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI Remote Code Execution"; flow:established,to_server; http.uri; content:"/ajaxhelper.php?cmd=getxicoreajax"; fast_pattern; http.uri.raw; content:"&opts=%7b%22func%22%3a%22get_hoststatus_table%22%7d"; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025774; rev:2; metadata:attack_target Server, created_at 2018_07_02, cve CVE_2018_8734, deployment Datacenter, confidence Medium, signature_severity Critical, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_
Exploit-DB: Nagios XI 5.2.6-5.4.12 - Chained Remote Code Execution (Metasploit) (exploitdb, 2018-07-02, tagged CVE-2018-8736)
Module source (truncated excerpt):
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Nagios XI Chained Remote Code Execution',
'Description' => %q{
This module exploits a few different vulnerabilities in Nagios XI 5.2.6-5.4.12 to gain remote root access.
The steps are:
1. Issue a POST request to /nagiosql/admin/settings.php which sets the database user to root.
2. SQLi on /nagiosql/admin/helpedit.php allows us to enumerate API keys.
3. The API keys are then used to add an administrative user.
4. An authenticated session is established with the newly added user
5. Command Injection on /nagiosxi/backend/index.php allows us to execute the paylo
Exploit-DB: Nagios XI 5.2.6 < 5.2.9 / 5.3 / 5.4 - Chained Remote Root (exploitdb, 2018-04-30, CVSS 9.8, [CRITICAL], tagged CVE-2018-8736)
Exploit source (truncated excerpt):
Nagios XI 5.2.6 ".format(cmdname)
end_idx = resp.find(end_delim)
resp = resp[:end_idx]
resp = resp[resp.rfind(begin_delim)+1:]
return resp
def parse_nagiosxi(resp):
resp = str(resp)
begin_delim = 'Set-Cookie: nagiosxi='
end_delim = ';'
# find the last instance of the nagiosxi cookie...
start_index = resp.rfind(begin_delim) + len(begin_delim)
resp = resp[start_index:]
end_index = resp.find(end_delim)
return resp[:end_index]
def parse_version(resp):
resp = str(resp)
begin_delim = 'name="version" value="'
end_delim = '"'
start_index = resp.rfind(begin_delim) + len(begin_delim)
resp = resp[start_index:]
end_index = resp.find(end_delim)
return resp[:end_index]
def change_db_user(usr, pwd, step):
url = '/nagiosql/admin/settings.php'
headers = {'Host' : RHOST,
'Content-Type' : 'applicat
Metasploit: Nagios XI Chained Remote Code Execution
This module exploits an SQL injection, auth bypass, file upload, command injection, and privilege escalation in Nagios XI <= 5.2.7 to pop a root shell.
Metasploit: Nagios XI Chained Remote Code Execution
This module exploits a few different vulnerabilities in Nagios XI 5.2.6-5.4.12 to gain remote root access. The steps are:
1. Issue a POST request to /nagiosql/admin/settings.php which sets the database user to root.
2. SQLi on /nagiosql/admin/helpedit.php allows us to enumerate API keys.
3. The API keys are then used to add an administrative user.
4. An authenticated session is established with the newly added user.
5. Command Injection on /nagiosxi/backend/index.php allows us to execute the payload with nopasswd sudo, giving us a root shell.
6. Remove the added admin user and reset the database user.
No writeups or analysis indexed.
References:
- https://assets.nagios.com/downloads/nagiosxi/CHANGES-5.TXT
- https://blog.redactedsec.net/exploits/2018/04/26/nagios.html
- https://gist.github.com/caleBot/f0a93b5a98574393e0139104eacc2d0f
- https://www.exploit-db.com/exploits/44560/
- https://www.exploit-db.com/exploits/44969/
- https://www.nagios.com/downloads/nagios-xi/change-log/
Published: 2018-04-18