CVE-2020-5791
Published 2020-10-20
Priority: P269 · high · CVSS 3.1: 7.2
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 78.63% (99.5th percentile)
Improper neutralization of special elements used in an OS command in Nagios XI 5.7.3 allows a remote, authenticated admin user to execute operating system commands with the privileges of the apache user.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nagios | nagios_xi | — | — |
| nagios | nagios_xi | 5.6.0 – 5.7.3 | — |
Detection & IOCs
- Detect exploitation attempts by monitoring HTTP requests to /nagiosxi/admin/mibs.php with query parameters mode=undo-processing and type=1, especially when the 'file' parameter contains shell metacharacters (e.g., semicolons, backticks, pipe characters, or encoded equivalents).
- Alert on creation of unexpected PHP files under /usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/, which is the webshell drop location used in the PoC.
- Monitor for outbound reverse shell connections initiated by the apache/www-data process, particularly bash spawning TCP connections via /dev/tcp.
- Detect HTTP GET requests to newly created webshell paths such as scooby.php or snmplog.php under the autodiscovery/jobs/ directory, especially with a 'cmd' query parameter.
- For CVE-2020-5792 (chained attack), detect requests to /nagiosxi/includes/components/nxti/index.php with mode=customTrap and custom-community values containing -d and -L flags, which are used to write arbitrary files via snmptrap argument injection.
- Monitor for the nxti_import.php script being invoked with unsanitized file arguments, as this is the direct exec() sink for the command injection.
- Exploitation requires authentication as a Nagios XI admin user; unauthenticated exploitation is only possible when chained with the CSRF vulnerability CVE-2020-5790 via a phishing link sent to an authenticated admin.
- The injected commands execute as the 'apache' or 'www-data' user (not root); the exact user depends on the NagiosXI version and underlying OS.
- The vulnerable code path is only triggered when 'type' equals MIB_UPLOAD_PROCESS_ONLY (value 1); other type values exit early and are not exploitable via this vector.
- The mibs.php endpoint lacks CSRF protection (check_nagios_session_protector() is not called), enabling unauthenticated chaining via social engineering.
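CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |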
No detection rules found.
Exploit-DB
Nagios XI 5.7.3 - 'mibs.php' Remote Command Injection (Authenticated)
exploitdb·2020-10-28·CVSS 7.2
---
# Exploit Title: Nagios XI 5.7.3 - 'mibs.php' Remote Command Injection (Authenticated)
# Date: 10-27-2020
# Vulnerability Discovery: Chris Lyne
# Vulnerability Details: https://www.tenable.com/security/research/tra-2020-58
# Exploit Author: Matthew Aberegg
# Vendor Homepage: https://www.nagios.com/products/nagios-xi/
# Vendor Changelog: https://www.nagios.com/downloads/nagios-xi/change-log/
# Software Link: https://www.nagios.com/downloads/nagios-xi/
# Version: Nagios XI 5.7.3
# Tested on: Ubuntu 20.04
# CVE: CVE-2020-5791
#!/usr/bin/python3
import re
import requests
import sys
import urllib.parse
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(In
Metasploit
Nagios XI Scanner
metasploit
The module detects the version of Nagios XI applications and suggests matching exploit modules based on the version number. Since Nagios XI applications only reveal the version to authenticated users, valid credentials for a Nagios XI account are required. Alternatively, it is possible to provide a specific Nagios XI version number via the `VERSION` option. In that case, the module simply suggests matching exploit modules and does not probe the target(s).
Metasploit
Nagios XI 5.6.0-5.7.3 - Mibs.php Authenticated Remote Code Exection
metasploit·CVSS 7.2
This module exploits CVE-2020-5791, an OS command injection vulnerability in `admin/mibs.php` that enables an authenticated user with admin privileges to achieve remote code execution as either the `apache` user or the `www-data` user on NagiosXI versions 5.6.0 to 5.7.3 inclusive (the exact user depends on the version of NagiosXI installed as well as the OS it is installed on). Valid credentials for a Nagios XI admin user are required. This module has been successfully tested against Nagios XI 5.7.3 running on CentOS 7.
- http://packetstormsecurity.com/files/159743/Nagios-XI-5.7.3-Remote-Command-Injection.html
- http://packetstormsecurity.com/files/162235/Nagios-XI-5.7.3-Remote-Code-Execution.html
- https://www.tenable.com/security/research/tra-2020-58