{"uuid": "b0ea7789-01ed-472e-a000-0517cbac5dab", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2020-28902", "type": "published-proof-of-concept", "source": "https://t.me/ptswarm/42", "content": "\"13 Nagios Vulnerabilities, #7 will SHOCK you!\" by Samir Ghanem\n\nGaining access to Nagios XI server results in upstream compromise of management server,  i.e. every other customer monitored. Exploitation facilitated with soygun tool.\n\nContents:\n \u2022 TL;DR\n \u2022 Why Nagios?\n \u2022 What is Nagios?\n \u2022 The Code\n \u2022 Challenge Accepted\n \u2022 What are we trying to achieve?\n \u2022 Step 1: RCE on Nagios XI server from low privilege Nagios XI user (CVE-2020-28648)\n \u2022 Step 2: Elevate privileges to \u2018root\u2019 on Nagios XI server (CVE-2020-28910)\n \u2022 Step 3: Trigger XSS by tainting data returned to Nagios Fusion from XI (CVE-2020-28903)\n \u2022 Step 4: Authenticated remote code execution on Nagios Fusion (CVE-2020-28905)\n \u2022 Step 5: Elevate privileges from apache to root using the \u2018cmd_subsys.php\u2019 (CVE-2020-28902)\n \u2022 Step 6: Get list of \u201cfused\u201d XI servers and exploit them using Step 1 and 2\n \u2022 PoC or Attack Platform\n \u2022 SoyGun\n \u2022 Command & Control (C2)\n \u2022 SoyGun Implant\n \u2022 DeadDrop\n \u2022 Demo\n \u2022 Disclosure and Afterthoughts\n \u2022 Full Vulnerabilities List\n\nhttps://skylightcyber.com/2021/05/20/13-nagios-vulnerabilities-7-will-shock-you/", "creation_timestamp": "2021-05-27T17:17:10.000000Z"}