Nagios Core < 4.2.2 Curl Command Injection leading to Remote Code Execution
CVE-2016-9565
Discovered by: Dawid Golunski (@dawid_golunski)
https://legalhackers.com
Severity: High
Nagios Core comes with a PHP/CGI front-end which allows to view status
of the monitored hosts.
This front-end contained a Command Injection vulnerability in a RSS feed reader
class that loads (via insecure clear-text HTTP or HTTPS accepting self-signed
certificates) the latest Nagios news from a remote RSS feed (located on the
vendor's server on the Internet) upon log-in to the Nagios front-end.
The vulnerability could potentially enable remote unauthenticated attackers who
managed to impersonate the feed server (via DNS poisoning, domain hijacking,
ARP spoofing etc.), to provide a malicious response that injects parameters to
curl command used by the affected RSS client class and effectively
read/write arbitrary files on the vulnerable Nagios server.
This could lead to Remote Code Execution in the context of www-data/nagios user
on default Nagios installs that follow the official setup guidelines.
The full advisory and a PoC exploit can be found at:
https://legalhackers.com/
Attackers who have successfully exploited this vulnerability and achieved code
execution with 'nagios' group privileges, could escalate their
privileges to root
system account via another Nagios vulnerability (CVE-2016-9566) described at:
https://legalhackers.com/
For updates, follow:
https://twitter.com/dawid_
Komentarų nėra:
Rašyti komentarą