Full Report
This post is part 2 of a chain of bugs that leads to code execution. In part 1, an SSRF and a line feed injection bug in a query language were found. However, the LQL injection is blind. In SQL, one strategy around this limitation is to use conditionals and sleep when a condition is met. In LQL, the same can be done via the WaitObject, WaitCondition and WaitTimeout headers, which turns the blind injection into a way to retrieve arbitrary data, although that data is not very sensitive.

LQL also has a COMMAND option, which allows Nagios External Commands. Although this sounds promising, many of the sensitive commands had already been disabled in Nagios for security reasons. However, the researchers found the command PROCESS_FILE. Issuing it directs Nagios to read the file, execute each line and exit; if the command's second parameter is non-zero, the file being processed is deleted afterwards. This gives an arbitrary file deletion primitive.

How is this primitive useful? That is entirely context dependent. An authentication cookie contains the SHA256 hash of a username, session id, serial number and the server's secret. This secret is stored in the file auth.secret. When performing authentication, if the secret is not known, the main process regenerates the file with 256 random characters. This is where things get WILD! Another application, NagVis, also uses the auth.secret file. NagVis provides seamless access by verifying the session cookie, but it does no proper validation of whether the secret file is empty, whereas the main process does.

So, here's the attack:
1. Use the arbitrary file deletion to delete the secret storage file.
2. Get the main process to create the file but not yet save the secret, leaving it empty.
3. Use the other PHP component (NagVis) to validate against the empty file in this small time window.

This takes a few tries but eventually works.
Since we can generate our own cookies now, we have created a complete auth bypass. Pretty neat!
Analysis Summary
# Vulnerability: Chained Exploitation Leading to NagVis Authentication Bypass via Arbitrary File Deletion
## CVE Details
- CVE ID: Not explicitly assigned in this summary of Part 2, but it's part of a chain impacting Checkmk. (The chain ultimately leads to RCE).
- CVSS Score: N/A (Severity implied high due to RCE chain)
- CWE: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - related to LQL injection), CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - related to PROCESS_FILE misuse).
## Affected Systems
- Products: Checkmk (Open Source Edition), NagVis integration.
- Versions: Versions prior to 2.1.0p12.
- Configurations: Vulnerability exploited via chaining an SSRF/Line Feed Injection in LQL (Part 1) to gain arbitrary LQL query capability.
## Vulnerability Description
This summary covers the second step of the chain: leveraging a **blind line feed injection in the LQL query language** (abbreviated LFI in this summary; not local file inclusion), obtained via the Part 1 vulnerabilities, to achieve arbitrary file deletion, which in turn enables an authentication bypass in the integrated NagVis component.
1. **Blind LQL Injection & Data Exfiltration:** The line feed injection allows forging of LQL queries, but responses cannot be read directly. Time-based techniques using LQL's `WaitObject`, `WaitCondition`, and `WaitTimeout` headers allow blind data exfiltration (e.g., monitoring data).
2. **Arbitrary File Deletion Primitive:** The LQL `COMMAND` option, specifically `PROCESS_FILE`, is leveraged. This command tells Nagios to read the file, execute it line by line, and then exit. If the second parameter is non-zero, the processed file is deleted afterwards, giving an attacker the ability to delete arbitrary files.
3. **NagVis Authentication Bypass:** The server's authentication cookie contains a SHA256 hash utilizing a secret stored in `auth.secret`. If this secret is missing upon authentication attempt, the main process reloads the file with 256 random characters.
The attacker uses the **file deletion primitive** (`PROCESS_FILE`) to delete `auth.secret`, then triggers an authentication attempt with a second request so that the main process recreates the file. In the window before the main process has written the secret, the NagVis PHP component reads the file while it is **empty**. This lets the attacker forge valid session cookies, completing the authentication bypass.
## Exploitation
- Status: Proof of concept targeting the chaining mechanism described; not reported as mass exploited in the wild prior to disclosure.
- Complexity: High (Requires chaining multiple distinct vulnerabilities, precise timing for the race condition, and deep knowledge of interconnected application logic).
- Attack Vector: Network (Remote, Unauthenticated initially).
## Impact
- Confidentiality: High (Exfiltration of monitoring data initially, followed by complete session hijacking).
- Integrity: Critical (Full control over the application via authenticated session).
- Availability: Low (The file deletion/overwrite process could temporarily affect service availability, but the primary impact is hijacking).
## Remediation
### Patches
- Patch available: Checkmk version **2.1.0p12** (Released September 15, 2022).
### Workarounds
- No specific temporary workarounds were detailed, as the fix is comprehensive. A defense-in-depth check in the Checkmk GUI (which refuses an empty secret) already mitigated this race condition in that application; the NagVis component lacked the same check, highlighting the need for consistent security across integrated components.
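The following is an added illustration (not Checkmk's or NagVis's code, which is Python and PHP respectively) of the two patterns contrasted in the vulnerability description and in the workaround note above: a cookie validator that trusts whatever is in the secret file, beside one that refuses an empty or truncated secret and writes the secret atomically so no reader ever observes an empty file. The cookie layout (username, session id, serial and secret joined and SHA256-hashed), the 256-character length taken from the page, and the temporary-directory paths are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import tempfile
from pathlib import Path

# The page states the main process regenerates auth.secret with 256 random
# characters; anything shorter is treated here as "no secret". The cookie
# format below is an assumption for illustration, not the real one.
SECRET_LENGTH = 256


def cookie_hash(username: str, session_id: str, serial: int, secret: str) -> str:
    """Assumed cookie format: SHA256 over the fields the page lists."""
    return hashlib.sha256(f"{username}:{session_id}:{serial}:{secret}".encode()).hexdigest()


def load_secret_unchecked(path: Path) -> str:
    """Weak pattern: trusts whatever is on disk, including an empty file."""
    return path.read_text() if path.exists() else ""


def load_secret_checked(path: Path) -> str:
    """Hardened pattern: a missing, empty or truncated secret is an error, never a key."""
    try:
        secret = path.read_text()
    except FileNotFoundError:
        raise RuntimeError("auth secret missing") from None
    if len(secret) < SECRET_LENGTH:
        raise RuntimeError("auth secret empty or truncated; refusing to validate cookies")
    return secret


def write_secret_atomically(path: Path) -> str:
    """Generate the secret into a temp file in the same directory, then rename it into place.

    Readers see either the previous file or the complete new one, never an
    empty file mid-write, which removes the window the race depends on.
    """
    secret = secrets.token_hex(SECRET_LENGTH // 2)  # 256 hex characters
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".auth.secret.")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(secret)
            handle.flush()
            os.fsync(handle.fileno())
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)  # atomic on POSIX
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return secret


def validate_unchecked(cookie: str, username: str, session_id: str, serial: int, path: Path) -> bool:
    expected = cookie_hash(username, session_id, serial, load_secret_unchecked(path))
    return hmac.compare_digest(cookie, expected)


def validate_checked(cookie: str, username: str, session_id: str, serial: int, path: Path) -> bool:
    expected = cookie_hash(username, session_id, serial, load_secret_checked(path))
    return hmac.compare_digest(cookie, expected)


def demo() -> dict:
    """Replay the empty-file window against both validators and report what each accepted."""
    results = {}
    with tempfile.TemporaryDirectory() as tmpdir:
        path = Path(tmpdir) / "auth.secret"
        path.write_text("")  # the empty file a reader sees during the window
        forged = cookie_hash("admin", "sess-1", 1, "")  # computed with no secret at all
        results["weak_accepts_forged"] = validate_unchecked(forged, "admin", "sess-1", 1, path)
        try:
            results["hardened_accepts_forged"] = validate_checked(forged, "admin", "sess-1", 1, path)
        except RuntimeError:
            results["hardened_accepts_forged"] = False
        secret = write_secret_atomically(path)
        genuine = cookie_hash("admin", "sess-1", 1, secret)
        results["hardened_accepts_genuine"] = validate_checked(genuine, "admin", "sess-1", 1, path)
        results["hardened_accepts_forged_after_write"] = validate_checked(forged, "admin", "sess-1", 1, path)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The two fixes are independent and both matter: the length check stops a consumer from ever treating an empty file as a valid key (the check the page credits the Checkmk GUI with, and the one NagVis lacked), while the temp-file-plus-rename write means the empty-file state never exists on disk in the first place, so a second consumer that forgets the check is still not exposed.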
## Detection
- **Indicators of Compromise (IoCs):** Look for unusual LQL query headers (`Wait*`) used in conjunction with forged session cookies or logins following periods of file system activity concerning `/auth.secret`.
- **Detection Methods and Tools:** Monitoring LQL requests for unusual header usage associated with time-based attacks.
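As an added example of the detection method above (not code from the original post or from the Checkmk project), the Python below parses a captured stream of LQL requests and flags the two patterns this chain relies on: a `WaitCondition` paired with a `WaitTimeout`, which is what turns a blind injection into a timing oracle, and `PROCESS_FILE` external commands, especially with a non-zero delete flag. The sample requests, the timestamp and the file path are constructed for the example; the path is a placeholder, not a Checkmk path. Legitimate clients also use `Wait*` headers, so the output is meant for triage against a baseline rather than as a blocking rule.

```python
import re
from dataclasses import dataclass

# Livestatus (LQL) headers that make a query block until a condition holds.
WAIT_HEADERS = {"WaitObject", "WaitCondition", "WaitTimeout", "WaitTrigger"}

# Nagios external command format: COMMAND [timestamp] NAME;arg1;arg2
PROCESS_FILE_RE = re.compile(r"^COMMAND\s+\[\d+\]\s+PROCESS_FILE;([^;]*);(\S*)")

# Constructed sample of LQL traffic (not a real Checkmk log). Queries are
# separated by blank lines, as on the Livestatus wire. The path is a placeholder.
SAMPLE_REQUESTS = """GET hosts
Columns: name state
Filter: state = 0

GET services
Columns: description
WaitObject: localhost;CPU load
WaitCondition: state = 2
WaitTimeout: 5000

COMMAND [1661260800] PROCESS_FILE;/placeholder/path/auth.secret;1

GET hosts
Columns: name
"""


@dataclass
class Finding:
    query_index: int
    rule: str
    detail: str


def split_queries(raw: str) -> list:
    """Split a request stream into queries; a blank line terminates each query."""
    queries, current = [], []
    for line in raw.splitlines():
        if line.strip():
            current.append(line)
        elif current:
            queries.append(current)
            current = []
    if current:
        queries.append(current)
    return queries


def parse_headers(query: list) -> dict:
    """Return header name -> list of values for the lines after the GET/COMMAND line."""
    headers = {}
    for line in query[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip(), []).append(value.strip())
    return headers


def analyze(raw: str) -> list:
    """Flag PROCESS_FILE commands and Wait-header combinations usable as a timing oracle."""
    findings = []
    for index, query in enumerate(split_queries(raw)):
        match = PROCESS_FILE_RE.match(query[0])
        if match:
            path, delete_flag = match.groups()
            # A non-zero second parameter makes Nagios delete the processed file.
            rule = "process_file_delete" if delete_flag not in ("", "0") else "process_file"
            findings.append(Finding(index, rule, f"PROCESS_FILE on {path} (delete flag {delete_flag!r})"))
            continue
        headers = parse_headers(query)
        used = sorted(WAIT_HEADERS & set(headers))
        # WaitCondition plus WaitTimeout answers a true/false question with a
        # measurable delay; that is the building block of the blind technique.
        if "WaitCondition" in headers and "WaitTimeout" in headers:
            findings.append(Finding(index, "timing_oracle",
                                    f"{', '.join(used)} with condition {headers['WaitCondition']}"))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_REQUESTS):
        print(f"query {finding.query_index}: {finding.rule}: {finding.detail}")
```

A practical deployment would feed this from a Livestatus proxy or socket tap and count `timing_oracle` hits per source over a short window: one blocking query is normal, while hundreds with changing `WaitCondition` values against the same object are the signature of bit-by-bit extraction.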
## References
- Vendor Advisory: Checkmk team confirmed issues on 2022-08-23.
- Sonar Source Blog (Article 2): hxxps://blog[.]sonarsource[.]com/checkmk-rce-chain-2/