lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 15 Dec 2016 07:13:06 -0200
From: Dawid Golunski <dawid@...alhackers.com>
To: fulldisclosure@...lists.org
Subject: [FD] Nagios Core < 4.2.2 Curl Command Injection leading to Remote
 Code Execution [CVE-2016-9565]

Vulnerability:
Nagios Core < 4.2.2  Curl Command Injection leading to Remote Code Execution

CVE-2016-9565

Discovered by: Dawid Golunski (@dawid_golunski)
https://legalhackers.com

Severity: High

Nagios Core comes with a PHP/CGI front-end which allows to view status
of the monitored hosts.
This front-end contained a Command Injection vulnerability in a RSS feed reader
class that loads (via insecure clear-text HTTP or HTTPS accepting self-signed
certificates) the latest Nagios news from a remote RSS feed (located on the
vendor's server on the Internet) upon log-in to the Nagios front-end.
The vulnerability could potentially enable remote unauthenticated attackers who
 managed to impersonate the feed server (via DNS poisoning, domain hijacking,
ARP spoofing etc.), to provide a malicious response that injects parameters to
curl command used by the affected RSS client class and effectively
read/write arbitrary files on the vulnerable Nagios server.
This could lead to Remote Code Execution in the context of www-data/nagios user
on default Nagios installs that follow the official setup guidelines.

The full advisory and a PoC exploit can be found at:

https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html

Attackers who have successfully exploited this vulnerability and achieved code
execution with 'nagios' group privileges, could escalate their
privileges to root
system account via another Nagios vulnerability (CVE-2016-9566) described at:

https://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html

For updates, follow:

https://twitter.com/dawid_golunski


-- 
Regards,
Dawid Golunski
https://legalhackers.com
t: @dawid_golunski

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists