Nagios 3 history.cgi Command Injection

2013-01-28T00:00:00
ID SAINT:53B5A3B01719F0D0BF9287C6D0B5C6DF
Type saint
Reporter SAINT Corporation
Modified 2013-01-28T00:00:00

Description

Added: 01/28/2013
CVE: CVE-2012-6096
BID: 56879
OSVDB: 88322

Background

Nagios is a network host and service monitoring and management system.

Problem

The Nagios history.cgi script is vulnerable to a stack overflow when parsing the host parameter. This may allow an attacker to execute arbitrary code on the target system under the context of the Nagios webserver process.

Resolution

Upgrade to Nagios 3.4.4 or later.

References

<http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089125.html>
<https://dev.icinga.org/issues/3532>
<https://www.icinga.org/2013/01/14/icinga-1-6-2-1-7-4-1-8-4-released/>

Limitations

This exploit has been tested against Nagios Enterprises Nagios 3.4.3 on CentOS 6 (Exec-Shield Enabled).
This exploit creates an executable file in /tmp/x which should be manually removed after successful exploitation. As such, this exploit also requires /tmp to be mounted without the noexec flag.
This exploit requires the base64 utility to be installed on the system.

Platforms

Linux