CVE-2016-9565
published 2016-12-15


Priority: P2 71 critical
CVSS 3.0: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: EXPLOIT
EPSS: 22.68% (97.4th percentile)
MagpieRSS, as used in the front-end component in Nagios Core before 4.2.2 might allow remote attackers to read or write to arbitrary files by spoofing a crafted response from the Nagios RSS feed server. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4796.

Affected (2 ranges)

Vendor   Product   Version range   Fixed in
nagios   nagios    <= 4.2.1        (not given)
nagios   nagios    <= 4.2.3        (not given)

Detection & IOCs (extracted from sources)

  • Monitor for creation of or writes to /etc/ld.so.preload by the nagios user/group, which indicates symlink-based privilege escalation chained with CVE-2016-9565.
  • Detect HTTP responses to Nagios RSS feed requests (rss-corefeed.php) that contain a Server header with PHP webshell code, as the exploit injects a backdoor via a spoofed RSS feed server response.
  • Alert on creation of PHP files (e.g. nagios-backdoor.php) in the Nagios web root directory, which is the persistence mechanism dropped by the exploit.
  • Detect outbound connections from the Nagios web server process (e.g. apache/www-data) to attacker-controlled IPs over arbitrary ports, indicative of a reverse shell spawned via the PHP backdoor.
  • Monitor requests to /nagios/rss-corefeed.php that result in outbound HTTPS/HTTP connections to unexpected external hosts, as the exploit requires DNS spoofing to redirect this feed fetch to an attacker server.
  • Detect injection of a shared library path into the Nagios external command pipe (nagios.cmd), used to bypass write restrictions on /etc/ld.so.preload.
  • The vulnerability exists because of an incomplete fix for CVE-2008-4796; patching to Nagios Core 4.2.2 or later is required to fully remediate.
  • Disabling the RSS feed components (rss-corefeed.php, rss-newsfeed.php, and the rss includes directory) eliminates the attack surface at the cost of losing the Nagios news widget functionality.
  • CVE-2016-9565 can be leveraged by remote attackers to gain nagios group access, which can then be chained with CVE-2016-9566 (symlink attack on log file) to escalate to root.
  • The /etc/ld.so.preload symlink attack stage (CVE-2016-9566) requires the attacker to already be running as the 'nagios' user or a member of the 'nagios' group, as obtained via CVE-2016-9565.

CVSS provenance

nvd (v3.0): 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd (v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
osv: 10.0 CRITICAL
vendor_redhat: 10.0 CRITICAL