CVE-2009-2288
Published: 2009-07-01
Priority: P278 high, CVSS 2.0 score 7.5
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 83.45% (99.6th percentile)
statuswml.cgi in Nagios before 3.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) ping or (2) Traceroute parameters.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nagios | nagios | <= 3.1.0 | — |
| nagios | nagios | — | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to statuswml.cgi containing shell metacharacters (semicolon, ampersand) in the 'ping' or 'traceroute' parameters, which indicate command injection attempts.
- Monitor HTTP responses from statuswml.cgi for the string 'Invalid host name'; its absence after a crafted ping request may indicate a vulnerable (unpatched) server.
- Alert on HTTP Basic Authorization headers sent to statuswml.cgi via POST, especially combined with a 'ping' parameter value beginning with a semicolon.
- Flag GET requests to statuswml.cgi where the 'ping' parameter contains URL-encoded shell metacharacters such as %3B (semicolon).
- Exploitation requires that access to the WAP interface's ping feature is enabled/allowed; environments with this feature disabled are not directly exploitable via this vector.
- The exploit uses HTTP Basic Authentication; valid credentials (default: guest/guest in the Metasploit module) are required for the attack to reach the vulnerable code path.
- The payload bad characters are '<' and '>', meaning payloads containing these characters will not function correctly through this injection vector.
- Only Nagios versions prior to 3.1.1 are vulnerable; patched servers return 'Invalid host name' in the response body when the injection is attempted.
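The request-side checks above can be run over web server access logs or captured form bodies. The following is an added example, not code from any of the sources quoted on this page; the hostname allowlist, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate ping/traceroute target is a hostname or IP literal,
# so any character outside this set is reported.
HOST_OK = re.compile(r"[A-Za-z0-9._:\-]+")
WATCHED = {"ping", "traceroute"}
# Request line as it appears in Apache/nginx "combined" access logs.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.7 - guest [01/Jul/2009:10:00:00 +0000] '
    '"GET /nagios/cgi-bin/statuswml.cgi?ping=192.0.2.10 HTTP/1.1" 200 512',
    '192.0.2.9 - guest [01/Jul/2009:10:00:05 +0000] '
    '"GET /nagios/cgi-bin/statuswml.cgi?ping=192.0.2.10%3Becho+%24PATH HTTP/1.1" 200 734',
    '192.0.2.9 - guest [01/Jul/2009:10:00:09 +0000] '
    '"GET /nagios/cgi-bin/status.cgi?host=all HTTP/1.1" 200 9000',
]

def flag_params(query_or_body):
    """Return {param: offending characters} for a query string or POST form body."""
    hits = {}
    for name, values in parse_qs(query_or_body, keep_blank_values=True).items():
        if name.lower() not in WATCHED:
            continue
        for value in values:
            # parse_qs has already decoded %3B, %24, '+' and similar escapes,
            # so encoded and raw metacharacters are treated alike.
            bad = sorted(set(HOST_OK.sub("", value)))
            if bad:
                hits[name.lower()] = "".join(bad)
    return hits

def scan_log_line(line):
    """Return (method, hits) for a suspicious statuswml.cgi request, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/statuswml.cgi"):
        return None
    hits = flag_params(url.query)
    return (m.group("method"), hits) if hits else None

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(scan_log_line(entry))
```

Access logs normally omit POST bodies, so `flag_params` needs the body from a reverse proxy, WAF or packet capture to cover the POST case.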
CVSS provenance
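| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |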
Ubuntu
Nagios vulnerability
vendor_ubuntu·2009-07-02
It was discovered that Nagios did not properly parse certain commands
submitted using the WAP web interface. An authenticated user could exploit
this flaw and execute arbitrary programs on the server.
Instructions: After a standard system upgrade you need to restart Nagios to effect
the necessary changes.
Red Hat
nagios: remote code execution via statuswml.cgi CGI script
vendor_redhat·2009-06-18·CVSS 7.5
statuswml.cgi in Nagios before 3.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) ping or (2) Traceroute parameters.
GHSA
GHSA-3j95-hrrj-gfw8: statuswml
ghsa_unreviewed·2022-05-02
CVE-2009-2288 [HIGH] CWE-78 GHSA-3j95-hrrj-gfw8: statuswml
statuswml.cgi in Nagios before 3.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) ping or (2) Traceroute parameters.
VulnCheck
Nagios nagios Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2009·CVSS 7.5
statuswml.cgi in Nagios before 3.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) ping or (2) Traceroute parameters.
Affected: Nagios nagios
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.researchgate.net/publication/348602660_An_analysis_of_the_use_of_CVEs_by_IoT_malware
No detection rules found.
Exploit-DB
Nagios3 - 'statuswml.cgi' 'Ping' Command Execution (Metasploit)
exploitdb·2010-07-14
---
##
# $Id: nagios3_statuswml_ping.rb 9829 2010-07-14 18:23:47Z hdm $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Nagios3 statuswml.cgi Ping Command Execution',
'Description' => %q{
This module abuses a metacharacter injection vulnerability in the
Nagios3 statuswml.cgi script. This flaw is triggered when shell
metacharacters are present in the parameters to the ping and
traceroute commands.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9829
Exploit-DB
Nagios3 - 'statuswml.cgi' Command Injection (Metasploit)
exploitdb·2009-10-30
---
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Nagios3 statuswml.cgi Ping Command Execution',
'Description' => %q{
This module abuses a metacharacter injection vulnerability in the
Nagios3 statuswml.cgi script. This flaw is triggered when shell
metacharacters are present in the parameters to the ping and
traceroute commands.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2009-2288' ],
[ 'OSVDB', '55281'],
],
Exploit-DB
Nagios 3.0.6 - 'statuswml.cgi' Arbitrary Shell Command Injection
exploitdb·2009-05-22
---
source: https://www.securityfocus.com/bid/35464/info
Nagios is prone to a remote command-injection vulnerability because it fails to adequately sanitize user-supplied input data.
Remote attackers can exploit this issue to execute arbitrary shell commands with the privileges of the user running the application.
NOTE: For an exploit to succeed, access to the WAP interface's ping feature must be allowed.
Versions prior to Nagios 3.1.1 are vulnerable.
The following example URI is available:
https://www.example.com/nagios/cgi-bin/statuswml.cgi?ping=173.45.235.65%3Becho+%24PATH
Metasploit
Nagios3 statuswml.cgi Ping Command Execution
metasploit
This module abuses a metacharacter injection vulnerability in the Nagios3 statuswml.cgi script. This flaw is triggered when shell metacharacters are present in the parameters to the ping and traceroute commands.
Unit42
Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities
blogs_unit42·2019-12-13
## Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities
Ruchna Nigam
Published: December 13, 2019
## Executive Summary
Since the discovery of the Mirai variant using the binary name ECHOBOT in May 2019, it has resurfaced from time to time, using new infrastructure, and more remarkably, adding to the list of vulnerabilities it scans for, as a means to increase its attack surface with each evolution.
Unlike other Mirai variants, this particular variant stands out for the sheer number of exploits it incorporates, with the latest version having a total of 71 unique exploits, 13 of which haven’t been seen exploited in the wild until now, ranging from extremely old CVEs from as long back as 2003, to recent vulnerabilities made public as recently as early December 2019. Based on this seemingly odd choice, one could risk a guess that the attackers could potentially be aiming for the sweet sp
Bugzilla
CVE-2009-2288 nagios: remote code execution via statuswml.cgi CGI script
bugzilla·2009-06-29·CVSS 7.5
A remote shell code injection flaw was found in statuswml.cgi script in nagios. A remote attacker able to access nagios web pages (usually protected by HTTP authentication) can run arbitrary commands with CGI script's (i.e. web server) privileges.
Upstream bug with additional details:
http://tracker.nagios.org/view.php?id=15
Upstream commit:
http://nagios.cvs.sourceforge.net/viewvc/nagios/nagios/cgi/statuswml.c?r1=1.27&r2=1.28
Upstream test case:
http://nagios.cvs.sourceforge.net/viewvc/nagios/nagios/t/617statuswml.t
Discussion:
Access control defaults for nagios packages:
Fedora:
- By default, access to nagios web pages is only allowed for localhost.
- Additionally, access to pages is protected by HTTP authent