CVE-2012-6096
Published 2013-01-22
Priority P2 (71) · high · CVSS 2.0 base score 7.5 (vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available (see the Exploit-DB and Metasploit entries below)
EPSS: 66.45% (99.2th percentile)
Multiple stack-based buffer overflows in the get_history function in history.cgi in Nagios Core before 3.4.4, and Icinga 1.6.x before 1.6.2, 1.7.x before 1.7.4, and 1.8.x before 1.8.4, might allow remote attackers to execute arbitrary code via a long (1) host_name variable (host parameter) or (2) svc_description variable.
Affected
29 ranges (25 shown); version data is absent for all but one row, so duplicate rows are collapsed. The description above gives the exact affected ranges.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| icinga | icinga | — | — |
| nagios | nagios | <= 3.4.3 | — |
| nagios | nagios | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP GET requests to history.cgi with an oversized 'host' parameter (exceeding normal hostname length); this is the primary exploitation vector for the stack-based buffer overflow.
- Detect exploitation attempts by looking for base64-encoded ELF payloads in the 'host' GET parameter of requests to history.cgi, often followed by a pipe to base64 -d and tee to /tmp.
- Detect use of ${IFS} in the 'host' CGI parameter as a space-bypass technique used by exploits targeting this vulnerability.
- Alert on HTTP Basic Authentication headers combined with requests to history.cgi containing abnormally long 'host' query parameters (offsets 0xc37–0xc43 bytes) followed by ROP chain bytes.
- The exploit requires at least one ALERT entry to be present in the Nagios history page; check for probing GET requests to history.cgi without a host parameter as reconnaissance.
- The ROP-based exploit targets specific Nagios binary builds; the hardcoded addresses (unescape, popret, hostbuf, system@PLT) are only valid for the listed target packages and will not work against binaries compiled with ASLR/PIE.
- On distros with SSP and FORTIFY_SOURCE enabled (e.g., Red Hat/CentOS), the overflow is not believed to be exploitable for RCE and would result only in denial of service to the sending user.
- Payload space is constrained to 200 bytes due to a system() parameter length limitation; the payload is base64-encoded to avoid bad characters.
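The indicators above applied to log data, as an added example that is not part of this page's sources or of Nagios: a Python screen over constructed Apache combined-format access-log lines that flags history.cgi requests carrying an oversized 'host' value, ${IFS}, a base64-encoded ELF header, or a base64 -d / tee /tmp chain, and treats a host-less fetch of history.cgi as a possible probe. The log format, the 255-character hostname threshold and the sample lines are assumptions.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Request field of an Apache combined-format log line: "METHOD /path?query HTTP/1.x" (assumed format)
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
MAX_HOST_LEN = 255  # assumed threshold: longer than any legitimate hostname
ELF_B64_PREFIX = base64.b64encode(b"\x7fELF")[:5].decode()  # "f0VMR": base64 of the ELF magic bytes

def check_request_line(line):
    """Return the indicator names triggered by one access-log line (empty if benign)."""
    m = REQ_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/history.cgi"):
        return []
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values once
    if "host" not in query:
        return ["probe-no-host"]  # history.cgi fetched without a host: possible reconnaissance
    host = query["host"][0]
    hits = []
    if len(host) > MAX_HOST_LEN:
        hits.append("oversized-host")
    if "${IFS}" in host:
        hits.append("ifs-space-bypass")
    if ELF_B64_PREFIX in host:
        hits.append("base64-elf-payload")
    if re.search(r"base64\s+-d", host) and re.search(r"tee\s+/tmp", host):
        hits.append("base64-decode-to-tmp")
    return hits

def scan(lines):
    """Map the index of every suspicious line to its indicators."""
    findings = {}
    for i, line in enumerate(lines):
        hits = check_request_line(line)
        if hits:
            findings[i] = hits
    return findings

# Constructed sample log lines (not captured traffic); line 2 has an oversized, URL-encoded host with ${IFS}.
SAMPLE_LOG = [
    '10.0.0.5 - nagiosadmin [22/Jan/2013:10:01:02 +0000] "GET /nagios3/cgi-bin/history.cgi?host=web01 HTTP/1.1" 200 5123',
    '10.0.0.9 - nagiosadmin [22/Jan/2013:10:01:03 +0000] "GET /nagios3/cgi-bin/history.cgi HTTP/1.1" 200 9001',
    '10.0.0.9 - nagiosadmin [22/Jan/2013:10:01:04 +0000] "GET /nagios3/cgi-bin/history.cgi?host='
    + "A" * 3200 + '%24%7BIFS%7D HTTP/1.1" 500 0',
    '10.0.0.5 - nagiosadmin [22/Jan/2013:10:01:05 +0000] "GET /nagios3/cgi-bin/status.cgi?host=all HTTP/1.1" 200 4000',
]
```

Running `scan(SAMPLE_LOG)` reports the probe on line 1 and the oversized ${IFS} request on line 2; the benign lookup and the unrelated status.cgi request are left alone.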
No detection rules found.
Exploit-DB: Nagios3 - 'history.cgi' Host Command Execution (Metasploit) (exploitdb, 2013-01-16)
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'

# The "< Msf::Exploit::Remote ... 'Name' =>" span was eaten as an HTML tag in the
# source listing; the module header is restored to the standard Metasploit 3 layout.
class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Nagios3 history.cgi Host Command Execution',
      'Description'    => %q{
        This module abuses a command injection vulnerability in the
        Nagios3 history.cgi script.
      },
      'Author'         => [
        'Unknown',          # Original finding
        'blasty',           # First working exploit
        'Jose Selvi',       # Metasploit module
        'Daniele Martini'   # Metasploit module
      ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2012-6096' ],
          [ 'OSVDB', '88322' ],
          [ 'BID', '56879' ],
          [ 'EDB', '24084' ],
          # (the listing ends here in the source)
```
Exploit-DB: Nagios3 - 'history.cgi' Remote Command Execution (exploitdb, 2013-01-13, CVSS 7.5, HIGH)
```python
#!/usr/bin/python
#
# CVE-2012-6096 - Nagios history.cgi Remote Command Execution
# ===========================================================
# Another year, another reincarnation of classic and trivial
# bugs to exploit. This time we attack Nagios.. or more
# specifically, one of its CGI scripts. [1]
#
# The Nagios code is an amazing monster. It reminds me a
# lot of some of my early experiments in C, back when I
# still had no clue what I was doing. (Ok, fair enough,
# I still don't, heheh.)
#
# Ok, I'll come clean. This exploit doesn't exactly
# defeat FORTIFY. This approach is likely to work just FINE
# on other crippled distro's though, think of stuff like
# ArchLinux, Slackware, and all those Gentoo kids twiddling
# their CFLAG
```
Metasploit: Nagios3 history.cgi Host Command Execution
This module abuses a command injection vulnerability in the Nagios3 history.cgi script.
Bugzilla: CVE-2012-6096 nagios: stack-based buffer overflow in history.cgi [epel-6] (bugzilla, 2013-01-09, CVSS 7.5, HIGH)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
epel-6 tracking bug for na
Bugzilla: CVE-2012-6096 nagios: stack-based buffer overflow in history.cgi (bugzilla, 2013-01-09, CVSS 7.5, HIGH)
It was reported [1] that Nagios Core's history.cgi is vulnerable to a buffer overflow because it used sprintf on user-supplied data that was not restricted in size.
Due to various protections of the operating system (history.cgi is compiled with SSP, FORTIFY_SOURCE is enabled, etc.) this is not believed to be exploitable and would result in a denial of service to the user sending the input to history.cgi.
This has been fixed in svn (r2547)[2].
[1] http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html
[2] http://nagios.svn.sourceforge.net/viewvc/nagios?view=revision&revision=2547
Discussion:
Created nagios tracking bugs for this issue
Affects: fedora-all [bug 893270]
Affects: epel-6 [bug 893271]
---
Bugzilla: CVE-2012-6096 nagios: stack-based buffer overflow in history.cgi [fedora-all] (bugzilla, 2013-01-09, CVSS 7.5, HIGH)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue aff
References
- http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089125.html
- http://lists.opensuse.org/opensuse-updates/2013-01/msg00033.html
- http://lists.opensuse.org/opensuse-updates/2013-01/msg00060.html
- http://lists.opensuse.org/opensuse-updates/2013-01/msg00077.html
- http://lists.opensuse.org/opensuse-updates/2013-01/msg00088.html
- http://secunia.com/advisories/51863
- http://www.debian.org/security/2013/dsa-2616
- http://www.debian.org/security/2013/dsa-2653
- http://www.exploit-db.com/exploits/24084
- http://www.exploit-db.com/exploits/24159
- http://www.nagios.org/projects/nagioscore/history/core-3x
- http://www.osvdb.org/89170
- http://www.securityfocus.com/bid/56879
- https://bugzilla.redhat.com/show_bug.cgi?id=893269
- https://dev.icinga.org/issues/3532
- https://www.icinga.org/2013/01/14/icinga-1-6-2-1-7-4-1-8-4-released/