Nostromo httpd CVE-2019-16278 – Remote Code Execution

Description

Directory Traversal in the function http_verify in nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via a crafted HTTP request.

This bug is due to an incomplete fix for CVE-2011-0751. We can bypass a check for /../ which allows us to execute /bin/sh with arbitrary arguments.

Example

$ ./CVE-2019-16278.sh 127.0.0.1 8080 id
uid=1001(sp0re) gid=1001(sp0re) groups=1001(sp0re)