CVE-2020-35578
Published 2021-01-13
Priority: P2 · 67 · high · CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available · EPSS: 81.92% (99.6th percentile)
An issue was discovered in the Manage Plugins page in Nagios XI before 5.8.0. Because the line-ending conversion feature is mishandled during a plugin upload, a remote, authenticated admin user can execute operating-system commands.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nagios | nagios_xi | < 5.8.0 | 5.8.0 |
Detection & IOCs (extracted from sources)
- Monitor POST requests to /nagiosxi/admin/monitoringplugins.php where the uploaded filename field (uploadedfile) contains shell metacharacters such as semicolons, pipe characters, or base64-encoded payloads rather than a legitimate plugin filename.
- The exploit abuses the 'convert_to_unix' parameter (set to '1') in the plugin upload form to trigger line-ending conversion, which is the mishandled feature enabling command injection. Presence of this parameter alongside a suspicious filename is a strong indicator.
- The injected filename payload follows the pattern: ;echo <base64_string> | base64 -d | bash;# — detect this pattern in multipart form-data filename fields on the monitoringplugins.php endpoint.
- Successful exploitation results in command execution as the 'apache' user. Alert on unexpected outbound TCP connections (e.g., bash reverse shells) originating from the apache/www-data process on Nagios XI hosts.
- The exploit first GETs /nagiosxi/admin/monitoringplugins.php to harvest a CSRF nsp token, then immediately POSTs the malicious upload. A GET immediately followed by a POST to this endpoint from the same session is a behavioral indicator.
- Exploitation requires valid Nagios XI admin credentials — this is an authenticated vulnerability. Detections should be scoped to authenticated sessions targeting the admin plugin upload endpoint.
- The vulnerability affects Nagios XI versions prior to 5.8.0. The Metasploit module was confirmed tested against versions 5.3.0 and 5.7.5 on CentOS 7; detections should prioritize unpatched instances below 5.8.0.
- The root cause is mishandling of the line-ending conversion feature during plugin upload, not a generic file upload flaw. The 'convert_to_unix' parameter must be present and set to '1' for the injection path to be triggered.
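The indicators above can be turned into a concrete check over upload traffic. The following is an added example, not code from the page's sources, Nagios, or the Metasploit project: it parses a multipart/form-data POST to the plugin upload endpoint, flags filenames that are not plain plugin names, recognises the base64-decode-to-shell shape quoted above, weights the verdict by whether convert_to_unix=1 is present, and adds the GET-then-POST behavioural indicator when the request sequence of a session is available. The multipart bodies, boundary string and base64 text are constructed for the demonstration (the base64 decodes to the word "constructed"); the field and endpoint names come from the IOCs.

```python
import re
from dataclasses import dataclass

# Endpoint and form fields named in the CVE-2020-35578 indicators.
PLUGIN_UPLOAD_PATH = "/nagiosxi/admin/monitoringplugins.php"
FILE_FIELD = "uploadedfile"
CONVERT_FIELD = "convert_to_unix"

# A legitimate plugin filename: letters, digits, dot, dash, underscore only.
LEGIT_FILENAME = re.compile(r"^[A-Za-z0-9._-]+$")
# Shell metacharacters that never belong in an uploaded plugin's filename.
SHELL_META = re.compile(r"[;|&`$<>\r\n]")
# The payload shape quoted in the IOCs: ;echo <base64> | base64 -d | bash;#
B64_PIPE = re.compile(
    r"echo\s+[A-Za-z0-9+/=]+\s*\|\s*base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh", re.I)


@dataclass
class Request:
    method: str
    path: str
    body: str = ""   # raw multipart/form-data body for POSTs


def parse_multipart(body: str) -> dict:
    """Minimal multipart/form-data parser: {field: (filename or None, value)}.
    The boundary is taken from the first line, as in a body captured by a proxy or WAF."""
    body = body.replace("\r\n", "\n")
    boundary = body.split("\n", 1)[0].strip()
    fields = {}
    for part in body.split(boundary):
        part = part.strip("\n")
        if not part or part == "--":        # leading empty chunk / closing "--"
            continue
        headers, _, value = part.partition("\n\n")
        name = re.search(r'\bname="([^"]*)"', headers)   # \b keeps it off "filename="
        if not name:
            continue
        fname = re.search(r'filename="([^"]*)"', headers)
        fields[name.group(1)] = (fname.group(1) if fname else None, value.strip("\n"))
    return fields


def assess_upload(req: Request) -> dict:
    """Classify one request against the CVE-2020-35578 indicators."""
    result = {"severity": "none", "indicators": []}
    if req.method != "POST" or req.path.split("?", 1)[0] != PLUGIN_UPLOAD_PATH:
        return result
    fields = parse_multipart(req.body)
    filename = fields.get(FILE_FIELD, (None, ""))[0] or ""
    convert = fields.get(CONVERT_FIELD, (None, ""))[1]
    if not filename or LEGIT_FILENAME.match(filename):
        return result   # ordinary plugin upload, even with convert_to_unix=1
    result["indicators"].append(f"non-plugin filename {filename!r}")
    if SHELL_META.search(filename):
        result["indicators"].append("shell metacharacters in filename")
    if B64_PIPE.search(filename):
        result["indicators"].append("base64-decode-to-shell pattern in filename")
    if convert == "1":
        # The injection path is only reached through line-ending conversion.
        result["indicators"].append("convert_to_unix=1 with suspicious filename")
        result["severity"] = "high"
    else:
        result["severity"] = "medium"
    return result


def scan_session(requests: list) -> list:
    """Run assess_upload over an ordered session and add the behavioural
    indicator: a GET to the upload page (token harvest) right before the POST."""
    alerts = []
    for i, req in enumerate(requests):
        verdict = assess_upload(req)
        if verdict["severity"] == "none":
            continue
        prev = requests[i - 1] if i else None
        if prev and prev.method == "GET" and prev.path.split("?", 1)[0] == PLUGIN_UPLOAD_PATH:
            verdict["indicators"].append("GET to upload page immediately before POST")
        alerts.append(verdict)
    return alerts


# --- Constructed sample traffic (not captured from a real system) -------------
BOUNDARY = "----ConstructedBoundary1234"

def build_multipart(parts) -> str:
    """Build a multipart body from (name, filename, value) tuples."""
    out = []
    for name, filename, value in parts:
        disp = f'Content-Disposition: form-data; name="{name}"'
        if filename is not None:
            disp += f'; filename="{filename}"\r\nContent-Type: application/octet-stream'
        out.append(f"--{BOUNDARY}\r\n{disp}\r\n\r\n{value}\r\n")
    return "".join(out) + f"--{BOUNDARY}--\r\n"

LEGIT_UPLOAD = Request("POST", PLUGIN_UPLOAD_PATH, build_multipart([
    ("convert_to_unix", None, "1"),
    ("uploadedfile", "check_disk_usage.sh", "#!/bin/sh\necho OK"),
]))
# Filename carries the IOC pattern; the base64 is constructed and decodes to "constructed".
INJECTED_UPLOAD = Request("POST", PLUGIN_UPLOAD_PATH, build_multipart([
    ("convert_to_unix", None, "1"),
    ("uploadedfile", ";echo Y29uc3RydWN0ZWQ= | base64 -d | bash;#", "x"),
]))
TOKEN_FETCH = Request("GET", PLUGIN_UPLOAD_PATH)

if __name__ == "__main__":
    for alert in scan_session([TOKEN_FETCH, LEGIT_UPLOAD, TOKEN_FETCH, INJECTED_UPLOAD]):
        print(alert["severity"], "-", "; ".join(alert["indicators"]))
```

A legitimate upload with convert_to_unix=1 and a plain filename produces no alert, which matters in practice because the conversion option is a normal feature; the verdict only escalates to high when the option and a hostile filename occur together, as the IOCs describe.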
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
No detection rules found.
Exploit-DB: Nagios XI 5.7.X - Remote Code Execution RCE (Authenticated) (exploitdb · 2021-01-14 · CVSS 7.2 · HIGH)
---
# Exploit Title: Nagios XI 5.7.X - Remote Code Execution RCE (Authenticated)
# Date: 19/12/2020
# Exploit Author: Haboob Team (https://haboob.sa)
# Vendor Homepage: https://www.nagios.com/products/nagios-xi/
# Version: Nagios XI 5.7.x
# Tested on: (Ubuntu 18.04 / PHP 7.2.24) & Vendor's custom VM
# CVE: CVE-2020-35578
#!/usr/bin/python3
# pip3 install bs4 lxml
import requests
import sys
import warnings
from bs4 import BeautifulSoup
import base64
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
if len(sys.argv) != 6:
    print("[~] Usage : python3 nagiosxi-rce.py http(s)://url username password reverse_ip reverse_port")
    print("[~] Example : python3 nagiosxi-rce.py https://192.168.224.139 nagios
Metasploit: Nagios XI Scanner (metasploit)
The module detects the version of Nagios XI applications and suggests matching exploit modules based on the version number. Since Nagios XI applications only reveal the version to authenticated users, valid credentials for a Nagios XI account are required. Alternatively, it is possible to provide a specific Nagios XI version number via the `VERSION` option. In that case, the module simply suggests matching exploit modules and does not probe the target(s).
Metasploit: Nagios XI Prior to 5.8.0 - Plugins Filename Authenticated Remote Code Execution (metasploit · CVSS 7.2 · HIGH)
This module exploits a command injection vulnerability (CVE-2020-35578) in the `/admin/monitoringplugins.php` page of Nagios XI versions prior to 5.8.0 when uploading plugins. Successful exploitation allows an authenticated admin user to achieve remote code execution as the `apache` user by uploading a malicious plugin. Valid credentials for a Nagios XI admin user are required. This module has been successfully tested against Nagios XI versions 5.3.0 and 5.7.5, both running on CentOS 7.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/160948/Nagios-XI-5.7.x-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/162207/Nagios-XI-Remote-Code-Execution.html
- https://www.nagios.com/downloads/nagios-xi/change-log/
- https://www.nagios.com/products/security/