Open Source and information security mailing list archives
Message-ID: <CADSYzsv62RDhODvtRZSACnv=8J0s7Q9CiaZxqf8nqPEY4=tJPw@mail.gmail.com>
Date: Thu, 15 Dec 2016 07:14:06 -0200
From: Dawid Golunski <dawid@...alhackers.com>
To: bugtraq@...urityfocus.com
Subject: Nagios Core < 4.2.2 Curl Command Injection leading to Remote Code Execution [CVE-2016-9565]

Vulnerability: Nagios Core < 4.2.2 Curl Command Injection leading to Remote Code Execution

CVE-2016-9565

Discovered by: Dawid Golunski (@dawid_golunski)
https://legalhackers.com

Severity: High

Nagios Core comes with a PHP/CGI front-end which allows to view status of the monitored hosts. This front-end contained a Command Injection vulnerability in a RSS feed reader class that loads (via insecure clear-text HTTP or HTTPS accepting self-signed certificates) the latest Nagios news from a remote RSS feed (located on the vendor's server on the Internet) upon log-in to the Nagios front-end.

The vulnerability could potentially enable remote unauthenticated attackers who managed to impersonate the feed server (via DNS poisoning, domain hijacking, ARP spoofing etc.), to provide a malicious response that injects parameters to curl command used by the affected RSS client class and effectively read/write arbitrary files on the vulnerable Nagios server. This could lead to Remote Code Execution in the context of www-data/nagios user on default Nagios installs that follow the official setup guidelines.

The full advisory and a PoC exploit can be found at:

https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html

Attackers who have successfully exploited this vulnerability and achieved code execution with 'nagios' group privileges, could escalate their privileges to root system account via another Nagios vulnerability (CVE-2016-9566) described at:

https://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html

For updates, follow:

https://twitter.com/dawid_golunski

--
Regards,
Dawid Golunski
https://legalhackers.com
t: @dawid_golunski
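Added example, not part of the original advisory and not Nagios code: a Python sketch of how a feed client that shells out to curl can keep a server-influenced URL from being parsed as curl parameters, while refusing clear-text HTTP and leaving certificate verification on. The host name feeds.example.invalid, the allow-list and the function name build_curl_argv are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the single host this feed reader is ever meant to contact.
ALLOWED_HOSTS = {"feeds.example.invalid"}


def build_curl_argv(url):
    """Return an argv list for curl, or raise ValueError for an unsafe URL.

    The list is meant for subprocess.run(argv) WITHOUT shell=True, so no
    shell ever re-parses the URL into extra words.
    """
    if not isinstance(url, str) or not url:
        raise ValueError("empty URL")
    # Whitespace and control characters never occur in a well-formed URL and
    # are what would split one value into several command-line tokens.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        raise ValueError("whitespace or control character in URL")
    # A leading dash would be read by curl as an option, not as a URL.
    if url.startswith("-"):
        raise ValueError("URL looks like a command-line option")
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https is accepted")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not accepted")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("host is not on the allow-list")
    return [
        "curl", "--silent", "--fail",
        "--proto", "=https",   # curl itself refuses every other protocol
        "--max-time", "10",
        # deliberately no -k/--insecure: self-signed certificates are rejected
        "--",                  # end of options; everything after is a URL
        url,
    ]


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("https://feeds.example.invalid/rss.xml",
                      "--some-option",
                      "http://feeds.example.invalid/rss.xml"):
        try:
            print("ok     ", build_curl_argv(candidate))
        except ValueError as exc:
            print("refused", repr(candidate), "-", exc)
```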