Date: Tue, 20 Dec 2016 17:12:58 -0200
From: Dawid Golunski <dawid@...alhackers.com>
To: oss-security@...ts.openwall.com
Subject: Nagios Core < 4.2.2 Curl Command Injection leading to Remote Code Execution [CVE-2016-9565]

Vulnerability: Nagios Core < 4.2.2 Curl Command Injection / Remote Code Execution
CVE-2016-9565

Discovered by: Dawid Golunski (@dawid_golunski)
https://legalhackers.com

Severity: High

Nagios Core comes with a PHP/CGI front-end which allows viewing the status of the monitored hosts. This front-end contained a Command Injection vulnerability in an RSS feed reader class that loads (via insecure clear-text HTTP, or HTTPS accepting self-signed certificates) the latest Nagios news from a remote RSS feed (located on the vendor's server on the Internet) upon log-in to the Nagios front-end.

The vulnerability could potentially enable remote unauthenticated attackers who managed to impersonate the feed server (via DNS poisoning, domain hijacking, etc.) to provide a malicious response that injects parameters into the curl command used by the affected RSS client class and effectively read/write arbitrary files on the vulnerable Nagios server. This could lead to Remote Code Execution in the context of the www-data/nagios user on default Nagios installs that follow the official setup guidelines.

The full up-to-date advisory and a PoC exploit can be found at:
https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html

A copy of the current advisory has also been attached to this message.

Video PoC:
https://legalhackers.com/videos/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html

Attackers who have successfully exploited this vulnerability and achieved code execution with 'nagios' group privileges could escalate their privileges to the root system account via another Nagios vulnerability (CVE-2016-9566) described at:
https://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html

For updates, follow:
https://twitter.com/dawid_golunski

--
Regards,
Dawid Golunski
https://legalhackers.com
t: @dawid_golunski

View attachment "Nagios-Command-Injection.txt" of type "text/plain" (21761 bytes)
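The pattern the advisory describes, shown as an added PHP illustration written for this page (it is not Nagios Core code, not the RSS client class in question, and not the attached PoC; the function names and the sample URL are made up). A feed-supplied string such as a redirect target is spliced into a curl command line; escapeshellcmd() neutralises shell metacharacters but not spaces, so extra curl options inside the string survive as separate arguments, and the -k flag that tolerates self-signed certificates is what lets an impersonated feed host deliver such a response over HTTPS. The hardened builder next to it passes the URL as a single quoted argument, drops -k, stops redirects, and pins the scheme and host.

```php
<?php
// Added example (not Nagios Core code): how feed-supplied text reaches a curl
// command line and why escapeshellcmd() alone does not stop option injection.
// Function names and the sample URL below are made up for this illustration.

// VULNERABLE pattern: escapeshellcmd() escapes shell metacharacters such as
// ; | ` & $ but leaves spaces untouched, so anything after a space in the
// string becomes its own curl argument. "-k" additionally disables certificate
// verification, which is what lets an impersonated feed host over HTTPS
// deliver the malicious response in the first place.
function build_curl_cmd_vulnerable(string $url): string
{
    return 'curl -k -s ' . escapeshellcmd($url);
}

// HARDENED pattern: the URL is passed as exactly one quoted argument
// (escapeshellarg), TLS is verified (no -k), redirects are not followed, only
// https to the expected host is accepted, and "--" ends option parsing so a
// value beginning with "-" cannot be read as a curl flag either.
function build_curl_cmd_hardened(string $url, string $expectedHost): ?string
{
    $parts = parse_url($url);
    if ($parts === false
        || ($parts['scheme'] ?? '') !== 'https'
        || ($parts['host'] ?? '') !== $expectedHost) {
        return null; // refuse clear-text HTTP or a redirect off the expected feed host
    }
    return 'curl -s --max-redirs 0 -- ' . escapeshellarg($url);
}

// Constructed attacker-controlled value, e.g. a Location header returned by a
// server that impersonates the feed host. The trailing "-o <path>" is the
// injected curl option that would make curl write the response body to disk.
$malicious = 'https://feed.example/rss -o /var/www/html/shell.php';

// In the vulnerable command the "-o" and the path are separate arguments, so
// curl would honour them and write the attacker's response body to that path.
echo build_curl_cmd_vulnerable($malicious), PHP_EOL;

// In the hardened command the whole string is one single-quoted URL argument;
// the injected "-o" is just text inside the URL and no file is written.
echo build_curl_cmd_hardened($malicious, 'feed.example'), PHP_EOL;

// A clear-text URL or a foreign host is rejected outright (returns NULL).
var_dump(build_curl_cmd_hardened('http://feed.example/rss', 'feed.example'));
var_dump(build_curl_cmd_hardened('https://attacker.example/rss', 'feed.example'));
```

Run with `php example.php` and compare the two echoed command lines: the difference between `escapeshellcmd()` (command-level escaping, spaces preserved) and `escapeshellarg()` (one quoted argument) is the whole bug class. In a real client the better fix is to not shell out at all and use PHP's curl extension with CURLOPT_SSL_VERIFYPEER enabled and CURLOPT_FOLLOWLOCATION disabled, which removes both the argument-injection surface and the self-signed-certificate weakness.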