NSClient++
cpe:2.3:a:nsclient:nsclient++:*:*:*:*:*:*:*
- 0.5.2.35
A local privilege escalation vulnerability has been identified in NSClient++ version 0.5.2.35. This issue arises when the web interface and ExternalScripts features are both enabled. The vulnerability allows low-privileged users to read the administrative password, which is stored in plaintext in the configuration file (nsclient.ini). With this password, an attacker can authenticate to the NSClient++ web interface, access the ExternalScripts plugin, and execute arbitrary commands as the SYSTEM user by registering a custom script, saving the configuration, and triggering the script via the API.
Exploitation of this vulnerability allows local users to escalate privileges and execute commands with SYSTEM rights.
To reproduce this vulnerability, first ensure that NSClient++ version 0.5.2.35 is installed with the web interface and ExternalScripts features enabled. Once these conditions are met, the administrative password can be retrieved from the nsclient.ini configuration file. After obtaining the password, log into the NSClient++ web interface and enable the ExternalScripts module. Once this module is active, a script can be created to execute a command, such as opening a reverse shell, and scheduled to run at regular intervals. After saving the script and scheduling it, restart the computer to trigger the execution of the scheduled task, which will run with SYSTEM privileges.
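A defensive check for the conditions described above, as an added example that is not part of the original advisory or of NSClient++ itself: it parses the contents of an nsclient.ini and reports whether a plaintext password is stored while the web interface and ExternalScripts modules are both enabled. The section and key names (`/modules`, `WEBServer`, `CheckExternalScripts`, `/settings/default`, `/settings/WEB/server`, `password`) are assumptions based on the usual NSClient++ ini layout, and the sample file is constructed.

```python
import configparser

# Section and key names follow the usual NSClient++ ini layout and are
# assumptions of this example; the advisory itself only names nsclient.ini.
MODULES = "/modules"
PASSWORD_SECTIONS = ("/settings/default", "/settings/WEB/server")
ENABLED = {"enabled", "1", "true"}

# Constructed sample configuration (placeholder password, not a real one).
SAMPLE_INI = """\
; constructed sample
[/modules]
CheckExternalScripts = enabled
WEBServer = enabled

[/settings/default]
password = EXAMPLE-PLACEHOLDER
allowed hosts = 127.0.0.1
"""

def audit_nsclient_ini(text):
    """Return a list of findings for the exposure described in the advisory."""
    # interpolation=None: passwords may contain '%'; strict=False: tolerate duplicates.
    cfg = configparser.ConfigParser(interpolation=None, strict=False,
                                    allow_no_value=True)
    cfg.read_string(text)

    def module_on(name):
        value = cfg.get(MODULES, name, fallback=None)
        return (value or "").strip().lower() in ENABLED

    web = module_on("WEBServer")
    scripts = module_on("CheckExternalScripts")
    # Record where a password is stored, never the value itself.
    stored = [s for s in PASSWORD_SECTIONS
              if (cfg.get(s, "password", fallback=None) or "").strip()]

    findings = []
    if stored:
        findings.append("plaintext password in: " + ", ".join(stored))
    if web and scripts:
        findings.append("web interface and ExternalScripts both enabled")
    if stored and web and scripts:
        findings.append("HIGH: matches the conditions in the advisory")
    return findings

if __name__ == "__main__":
    for finding in audit_nsclient_ini(SAMPLE_INI):
        print(finding)
```

The check covers only the configuration side; whether low-privileged users can actually read the file depends on its ACL, which has to be inspected on the host.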