CVE-2020-5792
Published 2020-10-20
Priority: P2 (66) · Severity: high · CVSS 3.1 base score: 7.2
CVSS 3.1 vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 60.97% (99.0th percentile)
Improper neutralization of argument delimiters in a command in Nagios XI 5.7.3 allows a remote, authenticated admin user to write to arbitrary files and ultimately execute code with the privileges of the apache user.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nagios | nagios_xi | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests to /nagiosxi/includes/components/nxti/index.php with mode=customTrap and a custom-community parameter containing '-d' and '-L f' flags, which indicate snmptrap argument injection for file write.
- Alert on creation of new PHP files under /usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/ — this directory is the drop location for web shells written via the snmptrap argument injection.
- Detect HTTP GET requests to /nagiosxi/includes/components/autodiscovery/jobs/*.php with a query parameter used as a command (e.g., ?cmd= or ?c=), indicating web shell execution following successful exploitation.
- Look for hex-encoded PHP webshell payloads in snmptrap variablebindings values — the hex string 3c3f706870 decodes to '<?php', indicating PHP shell injection via SNMP variable bindings.
- Flag HTTP requests to /nagiosxi/includes/components/nxti/index.php where the custom-community parameter contains shell argument flags such as '-d' and '-L', as escapeshellcmd() does not prevent argument injection.
- Exploitation requires an authenticated admin session; the vulnerability cannot be triggered by unauthenticated users directly — however, it can be chained with the CSRF vulnerability (CVE-2020-5790) to achieve unauthenticated exploitation if an admin clicks a malicious link.
- The PHP escapeshellcmd() function used to sanitize the snmptrap command is insufficient to prevent argument injection — only escapeshellarg() applied per argument would prevent this class of attack.
- The Metasploit module targets Nagios XI versions 5.5.0 through 5.7.3; detections and mitigations should cover this entire version range.
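As an added example (not part of this record, nor code from the Nagios XI or Metasploit projects), the following Python script applies the request-shaped indicators listed above to constructed web-server access-log lines. The paths, the mode=customTrap and custom-community parameters, the -d/-L flags, the cmd=/c= parameter names and the hex string 3c3f706870 are taken from the entries above; the combined log format, client addresses, the file name EXAMPLE.php and the use of `variablebindings` as a query-string key are assumptions made for the demonstration.

```python
"""Access-log scanner for the CVE-2020-5792 request indicators.

Added example; not part of the advisory or of the Nagios XI / Metasploit
projects. It checks each request line for three shapes described above:
  1. a request to the nxti component with mode=customTrap whose
     custom-community value carries snmptrap option flags (-d, -L);
  2. a GET to autodiscovery/jobs/<file>.php with a command-style query
     parameter (cmd= or c=), i.e. web-shell execution after a successful write;
  3. the hex-encoded PHP open tag (3c3f706870) anywhere in the query string.
The log format and all sample lines are constructed for the demo.
"""
import re
from urllib.parse import parse_qs, urlsplit

NXTI_PATH = "/nagiosxi/includes/components/nxti/index.php"
JOBS_PREFIX = "/nagiosxi/includes/components/autodiscovery/jobs/"
PHP_OPEN_TAG_HEX = "3c3f706870"              # hex('<?php'), from the advisory
COMMAND_PARAMS = {"cmd", "c"}                # web-shell style parameter names
# A '-d' or '-L' token preceded by start-of-value or whitespace; avoids
# false hits on community strings such as "my-db".
FLAG_RE = re.compile(r"(?:^|\s)-(?:d|L)\b")
# Combined-log style line: client ... "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def classify_request(method: str, target: str):
    """Return the list of indicator names matched by one request."""
    hits = []
    parts = urlsplit(target)
    path, query = parts.path, parts.query
    params = parse_qs(query, keep_blank_values=True)   # URL-decodes values

    # 1. snmptrap argument injection via the custom-community parameter
    if path == NXTI_PATH and "customTrap" in params.get("mode", []):
        if any(FLAG_RE.search(v) for v in params.get("custom-community", [])):
            hits.append("nxti_custom_community_flag_injection")

    # 2. web-shell execution of a dropped PHP file under autodiscovery/jobs/
    if method == "GET" and path.startswith(JOBS_PREFIX) and path.endswith(".php"):
        if COMMAND_PARAMS & set(params):
            hits.append("autodiscovery_jobs_webshell_exec")

    # 3. hex-encoded '<?php' in any parameter (SNMP variable bindings)
    if PHP_OPEN_TAG_HEX in query.lower():
        hits.append("hex_encoded_php_tag")

    return hits


def scan_log(lines):
    """Return (client, path, indicators) for every line matching a rule."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # not a request line we understand
        client, method, target, _status = m.groups()
        hits = classify_request(method, target)
        if hits:
            findings.append((client, urlsplit(target).path, hits))
    return findings


# Constructed sample log; the 10.0.0.9 lines mimic the three indicator shapes.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Oct/2020:10:01:02 +0000] "POST /nagiosxi/includes/components/nxti/index.php?mode=customTrap&custom-community=public HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/Oct/2020:10:02:10 +0000] "POST /nagiosxi/includes/components/nxti/index.php?mode=customTrap&custom-community=public%20-d%20-L%20f HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/Oct/2020:10:02:12 +0000] "POST /nagiosxi/includes/components/nxti/index.php?mode=customTrap&custom-community=x&variablebindings=3c3f706870 HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/Oct/2020:10:02:15 +0000] "GET /nagiosxi/includes/components/autodiscovery/jobs/EXAMPLE.php?cmd=id HTTP/1.1" 200 64',
    '10.0.0.7 - - [20/Oct/2020:10:03:00 +0000] "GET /nagiosxi/login.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for client, path, hits in scan_log(SAMPLE_LOG):
        print(f"{client} {path} -> {', '.join(hits)}")
```

The first indicator keys on URL-decoded parameter values, so percent-encoded flags are still caught; the benign customTrap request with community "public" produces no finding. Because only the admin-authenticated nxti endpoint can legitimately receive mode=customTrap, a hit on rule 1 followed within seconds by a hit on rule 2 from the same client is the sequence worth escalating.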
CVSS provenance
- NVD, CVSS v3.1: 7.2 HIGH — CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 6.5 MEDIUM — AV:N/AC:L/Au:S/C:P/I:P/A:P
No detection rules found.
Metasploit: Nagios XI 5.5.0-5.7.3 - Snmptrap Authenticated Remote Code Execution
This module exploits an OS command injection vulnerability in includes/components/nxti/index.php that enables an authenticated user with admin privileges to achieve remote code execution as the `apache` user. The module uploads a simple PHP shell via includes/components/nxti/index.php to includes/components/autodiscovery/jobs/ and then executes the payload as the `apache` user via an HTTP GET request to includes/components/autodiscovery/jobs/?=. Valid credentials for a Nagios XI admin user are required. This module has been successfully tested against Nagios XI 5.7.3 running on CentOS 7.
Metasploit: Nagios XI Scanner
The module detects the version of Nagios XI applications and suggests matching exploit modules based on the version number. Since Nagios XI applications only reveal the version to authenticated users, valid credentials for a Nagios XI account are required. Alternatively, it is possible to provide a specific Nagios XI version number via the `VERSION` option. In that case, the module simply suggests matching exploit modules and does not probe the target(s).