cbcvebase.
CVE-2019-16278
published 2019-10-14

CVE-2019-16278: Directory Traversal in the function http_verify in nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via a crafted HTTP request.

PriorityP194critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
KEVITWEXPLOITInitial access
CISA Known Exploited Vulnerabilitydue 2024-11-28
Exploited in the wild
EPSS
99.06%
99.9th percentile
Directory Traversal in the function http_verify in nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via a crafted HTTP request.

Affected

1 ranges
VendorProductVersion rangeFixed in
nazgulnostromo_nhttpd< 1.9.71.9.7

Detection & IOCsextracted from sources · hover to see the quote

urlPOST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0
path/.%0d./.%0d./.%0d./.%0d./bin/sh
commandPOST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.1 Host: {{Hostname}} echo echo cat /etc/passwd 2>&1
path/var/nostromo
filenamenhttpd.conf
filename.htpasswd
  • Detect exploitation attempts by inspecting HTTP POST requests containing the URL-encoded carriage-return traversal sequence `/.%0d./.%0d./.%0d./.%0d./bin/sh` in the request URI targeting nostromo nhttpd.
  • Alert on HTTP responses from servers advertising `nostromo` in the Server header with a version of 1.9.6 or earlier, as these are confirmed vulnerable.
  • The exploit payload uses `%0d` (URL-encoded carriage return `\r`) as the directory traversal separator instead of the standard `../`, allowing bypass of path normalization checks in `http_verify`.
  • Monitor for POST requests to paths matching the pattern `/.%0d./` repeated multiple times, which is the canonical traversal pattern for this CVE.
  • On affected hosts, monitor access to `/var/nostromo/conf/nhttpd.conf` and `.htpasswd` files, which attackers enumerate post-exploitation to escalate privileges.
  • ·The vulnerability only affects non-chrooted nhttpd deployments; chrooted configurations limit the impact of the directory traversal.
  • ·The HOMEDIRS configuration in nhttpd.conf may expose user home subdirectories (e.g., `public_www`) even when the parent home directory is not world-readable, widening the attack surface.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck9.8CRITICAL
cisa9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.