Long-since patched security bug comes back to haunt devs

A security researcher has disclosed the existence of a remote code execution (RCE) vulnerability in the open source Nostromo web server software.

On Monday, a threat analyst and bounty hunter with the online handle Sudoka published a technical analysis of the bug, tracked as CVE-2019-16278.

The vulnerability impacts Nostromo, also known as nhttpd, a niche web server used by some in the Unix and open source community but altogether dwarfed in popularity by Apache.

In a blog post, Sudoka said the vulnerability stems from shortcomings in how the path of URLs are verified. Inadequate URL checks mean that an unauthenticated attackers is able to force a server to point to a shell file, resulting in the potential execution of arbitrary code.

Heart of darkness

A long-resolved RCE vulnerability (CVE-2011-0751), reported by RedTeam Pentesting and fixed by Nostromo developers back in March 2011, lies behind the latest security flaw.

The earlier issue, impacting versions 1.9.3 and below of the software, involved a path traversal vulnerability caused by inadequate string checks.

The vulnerability was originally patched by adding the decode of escaped characters before checking the string. However, Sudoka discovered that the path traversal bug can still be triggered through a variant of the same trick.

More precisely, in the latest case, http_verify fails to adequately prevent access to system files but a different component that actually gives access to them.

According to Sudoka, the latest vulnerability impacts all Nostromo versions, including the latest 1.9.6 release – as well as the developer’s website.

Successful exploitation of the security flaw could lead to data leaks, service disruption, the hijack of servers, and the execution of further malicious payloads.

A Shodan search revealed that roughly 2,000 web servers are currently vulnerable to potential exploitation.

Python proof

A Python-based proof of concept was published by Sudoka alongside his analysis of the bug.

The Daily Swig has reached out to the researcher for additional comment and will update this story once we receive a response.

Marcus Glocker, one of the developers of Nostromo, confirmed that software patches to address the vulnerability were already available.

“Yes, there is a patch available for CVE-2019-16278 and also for CVE-2019-16279,” Glocker told The Daily Swig. “I was waiting for feedback from the CVE creator, but I’ll commit it today night with a change log update on my homepage.”


YOU MIGHT ALSO LIKE ‘Smart’ doorbell unlocks homes to unauthorized visitors