This exploit leverages the CVE-2024-24401 and CVE-2024-24402 vulnerabilities in Nagios XI to fully compromise the system and gain total remote control. The monitoringwizard.php component of Nagios XI version 2024R1.01 is vulnerable to a critical SQL Injection, identified as CVE-2024-24401.

Initially, the exploit targets this component, performing an SQL Injection to extract the administrator key (admin key). Before proceeding, it authenticates using an existing user, regardless of their privilege level, ensuring access to the system for subsequent stages. With the administrator key obtained, a new administrator user is created, along with an identity associated with this user, using the newly generated credentials. This identity enables reauthentication and the ability to perform elevated actions. Subsequently, the exploit executes arbitrary commands on the system using the privileges of the newly created administrator.

Next, it installs an agent and escalates its privileges to root, exploiting the CVE-2024-24402 vulnerability. During this process, the exploit manages the npcd service binary: first, the original service is stopped, and a backup of the npcd binary is created in the /usr/local/nagios/bin/ directory as npcd.backup. Then, the agent binary is copied to the same directory under the name npcd, replacing the original binary. Finally, the npcd service is restarted to execute the agent.

These steps result in a full system compromise, granting the attacker total remote control and the ability to execute arbitrary actions with root privileges.
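The npcd swap described above leaves artifacts a defender can check for on a Nagios XI host. The following triage script is an added example, not part of the original page or of Nagios XI; only the /usr/local/nagios/bin path and the npcd and npcd.backup names come from the description, while the function name, the CHECK_NPCD variable and the permission check are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Only /usr/local/nagios/bin, npcd
# and npcd.backup come from the page; all other names here are assumed.

NAGIOS_BIN_DEFAULT="/usr/local/nagios/bin"

# Prints one FINDING line per indicator; returns 0 if clean, 1 otherwise.
check_npcd_swap() {
    dir="${1:-$NAGIOS_BIN_DEFAULT}"
    findings=0

    # 1. The swap leaves the original binary behind as npcd.backup.
    if [ -e "$dir/npcd.backup" ]; then
        echo "FINDING: $dir/npcd.backup exists"
        findings=$((findings + 1))
        # 2. A live npcd that differs from the backup was replaced.
        if [ -f "$dir/npcd" ] && ! cmp -s "$dir/npcd" "$dir/npcd.backup"; then
            echo "FINDING: $dir/npcd differs from npcd.backup"
            findings=$((findings + 1))
        fi
    fi

    # 3. Assumption: replacing npcd needs write access below root, so flag a
    #    group- or world-writable directory or binary (hardening check).
    writable=$(find "$dir" "$dir/npcd" -prune \
        \( -perm -020 -o -perm -002 \) -print 2>/dev/null) || true
    for p in $writable; do
        echo "FINDING: $p is group- or world-writable"
        findings=$((findings + 1))
    done

    [ "$findings" -eq 0 ]
}

# Run against the live host only when asked, e.g. CHECK_NPCD=1 sh check.sh
if [ "${CHECK_NPCD:-0}" = "1" ]; then
    check_npcd_swap "$@"
fi
```

A clean result does not rule out compromise, since the backup file can be deleted afterwards; comparing the live npcd against the hash of the binary shipped in the installed package is the stronger check.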