Nostromo < 1.9.7 Remote Code Execution - Nessus

Critical   Plugin ID: 142137

This page contains detailed information about the Nostromo < 1.9.7 Remote Code Execution Nessus plugin, including available exploits and PoCs found on GitHub, in Metasploit or in Exploit-DB for verifying this vulnerability.

Plugin Overview


ID: 142137
Name: Nostromo < 1.9.7 Remote Code Execution
Filename: nostromo_nhttpd_1_9_7.nasl
Vulnerability Published: 2019-10-14
This Plugin Published: 2020-10-30
Last Modification Time: 2021-02-08
Plugin Version: 1.5
Plugin Type: remote
Plugin Family: Web Servers
Dependencies: nostromo_nhttpd_detect.nbin
Required KB Items: installed_sw/nostromo

Vulnerability Information


Severity: Critical
Vulnerability Published: 2019-10-14
Patch Published: 2019-10-14
CVE: CVE-2019-16278
CPE: cpe:/a:nazgul:nostromo_nhttpd

Synopsis

The remote web server is affected by a remote code execution vulnerability.

Description

According to its Server response header, the installed version of Nostromo is prior to 1.9.7. It is, therefore, affected by a remote code execution vulnerability.

Solution

Upgrade to Nostromo version 1.9.7 or later.

Public Exploits


Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub, D2 Elliot)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the Nostromo < 1.9.7 Remote Code Execution vulnerability:

  1. Metasploit: exploit/multi/http/nostromo_code_exec
    [Nostromo Directory Traversal Remote Command Execution]
  2. Exploit-DB: exploits/multiple/remote/47573.rb
    [EDB-47573: Nostromo - Directory Traversal Remote Command Execution (Metasploit)]
  3. Exploit-DB: exploits/multiple/remote/47837.py
    [EDB-47837: nostromo 1.9.6 - Remote Code Execution]
  4. GitHub: https://github.com/0ps/pocassistdb
    [CVE-2019-16278]
  5. GitHub: https://github.com/3hydraking/CVE-2019-16278
    [CVE-2019-16278]
  6. GitHub: https://github.com/4n0nym0u5dk/CVE-2019-16278
    [CVE-2019-16278]
  7. GitHub: https://github.com/Mr-xn/Penetration_Testing_POC
    [CVE-2019-16278]
  8. GitHub: https://github.com/SexyBeast233/SecBooks
    [CVE-2019-16278]
  9. GitHub: https://github.com/Unam3dd/nostromo_1_9_6_rce
    [CVE-2019-16278: Nostromo 1.9.6 - Remote Code Execution - CVE-2019-16278]
  10. GitHub: https://github.com/YeezyTaughtMe1/Traverxec
    [CVE-2019-16278]
  11. GitHub: https://github.com/alexander-fernandes/CVE-2019-16278
    [CVE-2019-16278: A quick python exploit for the Nostromo 1.9.6 remote code execution vulnerability. ...]
  12. GitHub: https://github.com/holmes-py/King-of-the-hill
    [CVE-2019-16278]
  13. GitHub: https://github.com/jweny/pocassistdb
    [CVE-2019-16278]
  14. GitHub: https://github.com/k4u5h41/CVE-2019-16278
    [CVE-2019-16278]
  15. GitHub: https://github.com/sunnet-cyber/CVE2019_16278
    [CVE-2019-16278: Script for CVE2019_16278]
  16. GitHub: https://github.com/ugur-ercan/exploit-collection
    [CVE-2019-16278]
  17. GitHub: https://github.com/AnubisSec/CVE-2019-16278
    [CVE-2019-16278: A quick python exploit for the Nostromo 1.9.6 remote code execution vulnerability. ...]
  18. GitHub: https://github.com/darkerego/Nostromo_Python3
    [CVE-2019-16278: CVE-2019-16278 Python3 Exploit Code]
  19. GitHub: https://github.com/ianxtianxt/CVE-2019-16278
    [CVE-2019-16278: CVE-2019-16278 Nostromo httpd command execution]
  20. GitHub: https://github.com/imjdl/CVE-2019-16278-PoC
    [CVE-2019-16278: CVE-2019-16728 Proof of Concept]
  21. GitHub: https://github.com/jas502n/CVE-2019-16278
    [CVE-2019-16278: Directory transversal to remote code execution]
  22. GitHub: https://github.com/keshiba/cve-2019-16278
    [CVE-2019-16278: Exploit for the CVE-2019-16278 vulnerability]
  23. GitHub: https://github.com/Kr0ff/cve-2019-16278
    [CVE-2019-16278: (Nhttpd) Nostromo 1.9.6 RCE due to Directory Traversal]
  24. GitHub: https://github.com/NHPT/CVE-2019-16278
    [CVE-2019-16278: CVE-2019-16278: RCE vulnerability in the Nostromo web server]
  25. GitHub: https://github.com/theRealFr13nd/CVE-2019-16278-Nostromo_1.9.6-RCE
    [CVE-2019-16278: Python script to exploit RCE in Nostromo nhttpd <= 1.9.6.]
  26. D2 Elliot: nostromo_web_server_rce.html
    [Nostromo Web Server RCE]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information


CVSS Score Source: CVE-2019-16278
CVSS V2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C
CVSS Base Score: 7.5 (High)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
CVSS Temporal Score: 6.2 (Medium)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 6.2 (Medium)
CVSS V3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
CVSS Base Score: 9.8 (Critical)
Impact Subscore: 5.9
Exploitability Subscore: 3.9
CVSS Temporal Score: 9.1 (Critical)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 9.1 (Critical)
STIG Severity: I
STIG Risk Rating: High


Plugin Source


This is the nostromo_nhttpd_1_9_7.nasl Nessus plugin source code. This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.

##
# (C) Tenable Network Security, Inc.
##

include('compat.inc');

if (description)
{
  script_id(142137);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/02/08");

  script_cve_id("CVE-2019-16278");
  script_xref(name:"IAVA", value:"2020-A-0498");

  script_name(english:"Nostromo < 1.9.7 Remote Code Execution ");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its Server response header, the installed version of
Nostromo is prior to 1.9.7. It is, therefore, affected by remote code execution
 vulnerability.");
  # https://packetstormsecurity.com/files/155802/nostromo-1.9.6-Remote-Code-Execution.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?aff750ca");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Nostromo version 1.9.7 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-16278");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"d2_elliot_name", value:"Nostromo Web Server RCE");
  script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Nostromo Directory Traversal Remote Command Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/10/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/10/30");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:nazgul:nostromo_nhttpd");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("nostromo_nhttpd_detect.nbin");
  script_require_keys("installed_sw/nostromo");

  exit(0);
}

include('http.inc');
include('vcf.inc');

appname = 'nostromo';
port = get_http_port(default:80);
get_install_count(app_name:appname, exit_if_zero:TRUE);

app_info = vcf::get_app_info(app:appname, port: port, service:TRUE);
vcf::check_granularity(app_info:app_info, sig_segments:3);

constraints = [
  {'fixed_version' : '1.9.7'}
];
vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
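The plugin above is a pure version check: it reads the version the detection plugin recorded from the Server response header, refuses to judge a version with fewer than three segments (vcf::check_granularity with sig_segments:3), and reports a hole when that version is below the fixed_version of 1.9.7. The following Python script is an added example of that same decision flow written standalone; it is not Tenable's code and not part of the plugin. It assumes (the page does not state the exact header format) that Nostromo announces itself as "Server: nostromo 1.9.6", and the HTTP responses it checks are constructed inline rather than fetched.

```python
"""Standalone re-creation of the plugin's version-check flow (added example)."""
import re
from typing import Optional, Tuple

# Values taken from the plugin's constraints and granularity check.
FIXED_VERSION = "1.9.7"
REQUIRED_SEGMENTS = 3

# Assumed header shape, e.g. "Server: nostromo 1.9.6" (an assumption, not from the page).
_SERVER_RE = re.compile(
    r"^server:[ \t]*nostromo[/ ]v?(\d+(?:\.\d+)*)[ \t]*\r?$",
    re.IGNORECASE | re.MULTILINE,
)


def extract_version(raw_response: str) -> Optional[str]:
    """Return the Nostromo version from the Server header, or None if absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]  # headers only, never the body
    match = _SERVER_RE.search(head)
    return match.group(1) if match else None


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.9.10' -> (1, 9, 10). Numeric tuples order correctly; plain strings do not."""
    return tuple(int(part) for part in version.split("."))


def has_granularity(version: str, segments: int = REQUIRED_SEGMENTS) -> bool:
    """Mirror vcf::check_granularity: a version such as '1.9' is too coarse to judge."""
    return len(version.split(".")) >= segments


def is_below_fix(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the observed version sorts before the fixed version."""
    return parse_version(version) < parse_version(fixed)


def assess(raw_response: str) -> str:
    """Classify a raw HTTP response the way the plugin's check flow would.

    Returns one of: 'not_nostromo', 'unknown_granularity', 'vulnerable',
    'not_vulnerable'. Only 'vulnerable' corresponds to a SECURITY_HOLE report.
    """
    version = extract_version(raw_response)
    if version is None:
        return "not_nostromo"
    if not has_granularity(version):
        return "unknown_granularity"
    if is_below_fix(version):
        return "vulnerable"
    return "not_vulnerable"


def build_response(server_value: str) -> str:
    """Constructed sample response; only the Server header matters to the check."""
    return (
        "HTTP/1.1 200 OK\r\n"
        f"Server: {server_value}\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html></html>"
    )


if __name__ == "__main__":
    # Constructed sample banners covering each outcome of the check.
    for server in ["nostromo 1.9.6", "nostromo 1.9.7", "nostromo 1.9.10",
                   "nostromo 1.9", "Apache/2.4.41"]:
        print(f"{server:18s} -> {assess(build_response(server))}")
```

Two details are worth keeping when writing such a check: comparing version strings lexically would rank "1.9.10" below "1.9.7" and raise a false positive, and a banner with too few segments should come back as unknown rather than as a finding, which is exactly why the plugin calls vcf::check_granularity before comparing.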

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/nostromo_nhttpd_1_9_7.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\nostromo_nhttpd_1_9_7.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/nostromo_nhttpd_1_9_7.nasl


How to Run


Here is how to run the Nostromo < 1.9.7 Remote Code Execution plugin as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select Web Servers plugin family.
  6. On the right side table select Nostromo < 1.9.7 Remote Code Execution plugin ID 142137.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl nostromo_nhttpd_1_9_7.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a nostromo_nhttpd_1_9_7.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - nostromo_nhttpd_1_9_7.nasl -t <IP/HOST>

Run the plugin using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state nostromo_nhttpd_1_9_7.nasl -t <IP/HOST>


References


IAVA | Information Assurance Vulnerability Alert:
  • 2020-A-0498
See also: Similar and related Nessus plugins:
  • 80304 - Allegro RomPager HTTP Cookie Management Remote Code Execution Vulnerability (Misfortune Cookie)
  • 80228 - Allegro RomPager HTTP Cookie Management Remote Code Execution Vulnerability (Misfortune Cookie)
  • 156164 - Apache Log4Shell CVE-2021-45046 Bypass Remote Code Execution
  • 148239 - Apache OFBiz Remote Code Execution (CVE-2021-26295)
  • 40353 - DD-WRT HTTP Daemon Metacharacter Injection Remote Code Execution
  • 146861 - Liferay Portal Remote Code Execution (direct check)
  • 136770 - Apache Tomcat 7.0.0 < 7.0.104 Remote Code Execution
  • 124064 - Apache Tomcat 7.0.0 < 7.0.94 Remote Code Execution Vulnerability (Windows)
  • 124063 - Apache Tomcat 8.5.0 < 8.5.40 Remote Code Execution Vulnerability (Windows)
  • 136807 - Apache Tomcat 8.5.x < 8.5.55 Remote Code Execution
  • 124058 - Apache Tomcat 9.0.0.M1 < 9.0.19 Remote Code Execution Vulnerability (Windows)
  • 136806 - Apache Tomcat 9.0.0 < 9.0.35 Remote Code Execution
  • 105484 - Oracle WebLogic WSAT Remote Code Execution
  • 124338 - Oracle WebLogic WLS9-async Remote Code Execution (remote check)
  • 133270 - IBM WebSphere Application Server 7.0.0.x <= 7.0.0.45 / 8.0.0.x <= 8.0.0.15 / 8.5.x < 8.5.5.15 / 9.0.0.x < 9.0.0.10 Remote Code Execution (CVE-2018-1567)
  • 125630 - IBM WebSphere Application Server Virtual Enterprise 7.0.x / Network Deployment 8.5.x < 8.5.5.16 / Network Deployment 9.0.0.x <= 9.0.0.11 Remote Code Execution Vulnerability (CVE-2019-4279)
  • 137398 - IBM WebSphere Application Server 7.0.0.x <= 7.0.0.45 / 8.0.0.x <= 8.0.0.15 / 8.5.x < 8.5.5.18 / 9.0.x < 9.0.5.4 Remote Code Execution (CVE-2020-4448)

Version


This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file nostromo_nhttpd_1_9_7.nasl version 1.5. For more plugins, visit the Nessus Plugin Library.
