Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 20 Dec 2016 17:12:58 -0200
From: Dawid Golunski <>
Subject: Nagios Core < 4.2.2 Curl Command Injection leading to Remote Code
 Execution [CVE-2016-9565]

Nagios Core < 4.2.2  Curl Command Injection / Remote Code Execution


Discovered by: Dawid Golunski (@dawid_golunski)

Severity: High

Nagios Core comes with a PHP/CGI front-end which allows to view status
of the monitored hosts.
This front-end contained a Command Injection vulnerability in a RSS feed reader
class that loads (via insecure clear-text HTTP or HTTPS accepting self-signed
certificates) the latest Nagios news from a remote RSS feed (located on the
vendor's server on the Internet) upon log-in to the Nagios front-end.
The vulnerability could potentially enable remote unauthenticated attackers who
 managed to impersonate the feed server (via DNS poisoning, domain
hijacking etc.), to provide a malicious response that injects
parameters to
curl command used by the affected RSS client class and effectively
read/write arbitrary files on the vulnerable Nagios server.
This could lead to Remote Code Execution in the context of www-data/nagios user
on default Nagios installs that follow the official setup guidelines.

The full up-to-date advisory and a PoC exploit can be found at:

A copy of the current advisory has also been attached to this message.

Video PoC:

Attackers who have successfully exploited this vulnerability and achieved code
execution with 'nagios' group privileges, could escalate their
privileges to root system account via another Nagios vulnerability
(CVE-2016-9566) described at:

For updates, follow:

Dawid Golunski
t: @dawid_golunski

View attachment "Nagios-Command-Injection.txt" of type "text/plain" (21761 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ