CVE-2019-16278
📋 TL;DR
CVE-2019-16278 is a directory traversal vulnerability in the nostromo nhttpd web server that allows attackers to escape the document root and execute arbitrary commands via crafted HTTP requests. This enables remote code execution with the privileges of the web server process. All systems running nostromo nhttpd version 1.9.6 and earlier are affected.
💻 Affected Systems
- nostromo nhttpd
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with root privileges if nhttpd runs as root, leading to complete data loss, lateral movement, and persistent backdoor installation.
Likely Case
Remote code execution with web server user privileges, allowing file system access, data exfiltration, and further exploitation of the host.
If Mitigated
Limited impact if proper network segmentation, least privilege, and monitoring are in place, though initial compromise still possible.
🎯 Exploit Status
Multiple public exploits available with simple HTTP requests. Exploitation requires no authentication and is trivial to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9.7 or later
Vendor Advisory: http://www.nazgul.ch/dev/nostromo_cl.txt
Restart Required: Yes
Instructions:
1. Download latest version from http://www.nazgul.ch/dev/nostromo-1.9.7.tar.gz
2. Stop nhttpd service
3. Backup configuration files
4. Install new version
5. Restart nhttpd service
🔧 Temporary Workarounds
Network Access Control
Block external access to nostromo nhttpd ports (default 8080)
iptables -A INPUT -p tcp --dport 8080 -j DROP
Service Disablement
Temporarily disable the nostromo nhttpd service until patched
systemctl stop nostromo
systemctl disable nostromo
🧯 If You Can't Patch
- Implement strict network segmentation to isolate nostromo servers
- Deploy web application firewall (WAF) rules to block directory traversal patterns
🔍 How to Verify
Check if Vulnerable:
Check whether the nostromo version is 1.9.6 or earlier: run 'nostromo -v' or examine the running process
Check Version:
nostromo -v 2>&1 | head -1
Verify Fix Applied:
Confirm the version is 1.9.7 or later with 'nostromo -v' and test with known exploit payloads
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../' patterns
- Unusual process execution from nhttpd user
- Failed directory traversal attempts in access logs
Network Indicators:
- HTTP requests with encoded directory traversal sequences
- Unusual outbound connections from nhttpd process
SIEM Query:
source="nostromo.log" AND ("../" OR "%2e%2e%2f")
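As an added example that is not part of this advisory: a small Python scanner that applies the log indicators above to constructed sample lines, assuming the nhttpd access log is written in Common Log Format. It goes slightly beyond the SIEM query by percent-decoding each request path (including double-encoded forms) before checking for a '..' path segment, which avoids flagging names that merely contain two dots.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (not real nhttpd output). They follow Common Log
# Format, which is an assumption about how your nhttpd access log is written.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Oct/2019:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024
10.0.0.9 - - [19/Oct/2019:10:01:05 +0000] "GET /../../../etc/passwd HTTP/1.1" 404 0
10.0.0.9 - - [19/Oct/2019:10:01:06 +0000] "GET /%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1" 404 0
10.0.0.9 - - [19/Oct/2019:10:01:07 +0000] "GET /..%2f..%2fbin/sh HTTP/1.1" 404 0
10.0.0.9 - - [19/Oct/2019:10:01:08 +0000] "GET /%252e%252e%252fetc/passwd HTTP/1.1" 404 0
10.0.0.7 - - [19/Oct/2019:10:01:09 +0000] "GET /docs/..hidden/file.txt HTTP/1.1" 200 55
"""

# Minimal CLF parser: client IP, timestamp, request line, status code.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize_path(path: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded sequences
    collapse, then unify backslashes to forward slashes."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def is_traversal(path: str) -> bool:
    """True if any path segment is exactly '..' after normalization.
    A segment-based check avoids false positives such as '/docs/..hidden/'."""
    return any(seg == ".." for seg in normalize_path(path).split("/"))

def scan_log(text: str) -> list:
    """Return (ip, method, raw_path, status) for every flagged request."""
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if m and is_traversal(m["path"]):
            hits.append((m["ip"], m["method"], m["path"], int(m["status"])))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

Because nhttpd returns a status code regardless of whether traversal succeeded, treat a burst of flagged requests from one client as the signal rather than the status alone.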
🔗 References
- http://packetstormsecurity.com/files/155045/Nostromo-1.9.6-Directory-Traversal-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/155802/nostromo-1.9.6-Remote-Code-Execution.html
- http://www.nazgul.ch/dev/nostromo_cl.txt
- https://git.sp0re.sh/sp0re/Nhttpd-exploits
- https://sp0re.sh
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-16278