CVE-2016-2056
Published: 2016-04-13
Priority: P2 · 73 · high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 54.51% (98.9th percentile)
xymond in Xymon 4.1.x, 4.2.x, and 4.3.x before 4.3.25 allow remote authenticated users to execute arbitrary commands via shell metacharacters in the adduser_name argument in (1) web/useradm.c or (2) web/chpasswd.c.
Affected (38 ranges; the source page shows 25, most of them xymon/xymon rows with no version data)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | xymon | < xymon 4.3.25-1 (bookworm) | xymon 4.3.25-1 (bookworm) |
| xymon | xymon | — | — |
Detection & IOCs (extracted from the sources)
- Detect HTTP POST requests to /xymon-seccgi/useradm.sh whose USERNAME parameter contains shell metacharacters (single quote, semicolon, ampersand and similar); this parameter is the injection vector used to break out of the htpasswd system() call.
- Alert on an HTTP 500 response from /xymon-seccgi/useradm.sh following an authenticated POST: the exploit module treats a 500 response as confirmation that the payload was delivered.
- Monitor authenticated HTTP GET requests to /xymon-seccgi/useradm.sh as a reconnaissance/version-check step prior to exploitation; the module probes this endpoint to fingerprint the Xymon version before attempting command injection.
- Flag web server processes (Apache/nginx CGI workers) spawning unexpected child processes such as shells or network utilities, since the injected command runs as the web server user via the system() call in useradm.sh.
- Exploitation requires valid HTTP Basic Auth credentials for the Xymon web interface; unauthenticated attackers cannot reach the vulnerable endpoint.
- The injected command runs with the privileges of the web server user only, not root; privilege escalation would be a separate post-exploitation step.
- The Metasploit payload cannot contain the bytes \x00, \x0A and \x0D (NUL, LF, CR), which break the injection if present in the command string; detection rules should also match URL-encoded variants of the metacharacters.
- The default TARGETURI is /xymon-seccgi/ but may differ across installations; detections scoped only to this path will miss non-default deployments.
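A minimal implementation of the detection logic above, added here as an example and not taken from any of this page's sources. It runs over constructed request records (WAF-style, with POST bodies) and assumes that non-default TARGETURI prefixes still end in useradm.sh, so it matches on the script name rather than the full /xymon-seccgi/ path.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Match on the script name, not the full /xymon-seccgi/ prefix: that prefix is
# only the Metasploit default TARGETURI (assumption: other prefixes keep the name).
USERADM_PATH = re.compile(r"/useradm\.sh$")
# Characters that can break out of the htpasswd system() command line.
SHELL_META = re.compile(r"""[;&|`$'"()<>\\\n\r]""")

def decode_username(body):
    """USERNAME field of a form-encoded body, decoded twice so a
    double-URL-encoded value (e.g. %2527) is unmasked before inspection."""
    raw = parse_qs(body, keep_blank_values=True).get("USERNAME", [""])[0]
    return unquote_plus(raw)            # parse_qs already decoded once

def classify(rec):
    """rec: dict with method, path, status and (for POST) body.
    Returns the detection labels that fired, in a fixed order."""
    hits = []
    if not USERADM_PATH.search(rec["path"].split("?", 1)[0]):
        return hits
    if rec["method"] == "GET":
        hits.append("useradm-get-probe")          # version/recon check
    elif rec["method"] == "POST":
        if SHELL_META.search(decode_username(rec.get("body", ""))):
            hits.append("useradm-username-metachar")
        if rec.get("status") == 500:
            hits.append("useradm-post-500")       # the module's success signal
    return hits

# Constructed request records (not real traffic); in practice they would come
# from a WAF or reverse-proxy log that records POST bodies.
SAMPLE_REQUESTS = [
    {"id": 1, "method": "GET", "path": "/xymon-seccgi/useradm.sh", "status": 200},
    {"id": 2, "method": "POST", "path": "/xymon-seccgi/useradm.sh", "status": 200,
     "body": "USERNAME=alice&PASSWORD=s3cret&ADDUSER=Add"},
    {"id": 3, "method": "POST", "path": "/xymon-seccgi/useradm.sh", "status": 500,
     "body": "USERNAME=bob%27&PASSWORD=x&ADDUSER=Add"},
    {"id": 4, "method": "POST", "path": "/mon/cgi-secure/useradm.sh", "status": 200,
     "body": "USERNAME=eve%2526&PASSWORD=x&ADDUSER=Add"},
    {"id": 5, "method": "POST", "path": "/xymon-cgi/svcstatus.sh", "status": 200,
     "body": "USERNAME=bob%27"},
]

def scan(records=SAMPLE_REQUESTS):
    """Map each record id to its detection labels (empty list = clean)."""
    return {r["id"]: classify(r) for r in records}
```

Record 4 shows why the double decode matters: a double-encoded ampersand (%2526) passes a single-decode check but still reaches htpasswd as a shell metacharacter.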
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
Debian
vendor_debian · 2016 · CVSS 8.8 · HIGH
Scope: local
bookworm: resolved (fixed in 4.3.25-1)
bullseye: resolved (fixed in 4.3.25-1)
forky: resolved (fixed in 4.3.25-1)
sid: resolved (fixed in 4.3.25-1)
trixie: resolved (fixed in 4.3.25-1)
GHSA
GHSA-9xfv-r389-8vvf · ghsa_unreviewed · 2022-05-14 · HIGH · CWE-77
OSV
CVE-2016-2056 · osv · 2016-04-13 · CVSS 8.8 · HIGH
No detection rules found.
Exploit-DB
Xymon 4.3.25 - useradm Command Execution (Metasploit) · exploitdb · 2019-07-12
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Xymon useradm Command Execution',
      'Description' => %q{
        This module exploits a command injection vulnerability in Xymon
        versions before 4.3.25 which allows authenticated users
        to execute arbitrary operating system commands as the web
        server user.

        When adding a new user to the system via the web interface with
        `useradm.sh`, the user's username and password are passed to
        `htpasswd` in a call to `system()` without validation.

        This module has been tested successfully on Xymon version 4.3.10
        on Debian 6.
      },
      'License'     => MSF_LICENSE,
      'Author'      => [
        'Markus Krell', # Discovery
        # (the listing on this page ends here; the rest of the module is not reproduced)
```
Xymon useradm Command Execution
metasploit
Xymon useradm Command Execution
Xymon useradm Command Execution
This module exploits a command injection vulnerability in Xymon versions before 4.3.25 which allows authenticated users to execute arbitrary operating system commands as the web server user. When adding a new user to the system via the web interface with `useradm.sh`, the user's username and password are passed to `htpasswd` in a call to `system()` without validation. This module has been tested successfully on Xymon version 4.3.10 on Debian 6.
References
- http://packetstormsecurity.com/files/135758/Xymon-4.3.x-Buffer-Overflow-Code-Execution-Information-Disclosure.html
- http://packetstormsecurity.com/files/153620/Xymon-useradm-Command-Execution.html
- http://www.debian.org/security/2016/dsa-3495
- http://www.securityfocus.com/archive/1/537522/100/0/threaded
- https://sourceforge.net/p/xymon/code/7892/