SAINT Corporation (SAINT:D062B399C6F586982439EA228D5328D1)
Jan 28, 2013 - 12:00 a.m.

Nagios 3 history.cgi Command Injection

2013-01-28 00:00:00
SAINT Corporation
download.saintcorporation.com

CVSS2: 7.5 High

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.968 High
Percentile: 99.6%

Added: 01/28/2013
CVE: CVE-2012-6096
BID: 56879
OSVDB: 88322

Background

Nagios is a network host and service monitoring and management system.

Problem

The Nagios history.cgi script is vulnerable to a stack overflow when parsing the host parameter. This may allow an attacker to execute arbitrary code on the target system under the context of the Nagios webserver process.
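
A defender-side check for the condition described above, added here as an example and not part of the SAINT advisory or of Nagios: it scans web server access log lines for history.cgi requests whose host parameter is abnormally long. The log format (Apache combined), the length threshold, the function name and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed threshold: legitimate Nagios host names are short; tune for your site.
MAX_HOST_LEN = 256

# Apache common/combined format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def suspicious_history_requests(lines, max_len=MAX_HOST_LEN):
    """Return (ip, time, status, host_len) for history.cgi hits with an oversized host value."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/history.cgi"):
            continue
        # parse_qs percent-decodes, so the value is measured at its decoded length.
        # Only query strings are visible here; POST bodies are not in access logs.
        for value in parse_qs(url.query, keep_blank_values=True).get("host", []):
            if len(value) > max_len:
                hits.append((m.group("ip"), m.group("time"),
                             int(m.group("status")), len(value)))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - nagiosadmin [28/Jan/2013:10:01:02 +0000] '
    '"GET /nagios/cgi-bin/history.cgi?host=web01 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [28/Jan/2013:10:05:44 +0000] '
    '"GET /nagios/cgi-bin/history.cgi?host=' + "A" * 4000 + ' HTTP/1.1" 500 312',
    '198.51.100.7 - - [28/Jan/2013:10:05:50 +0000] '
    '"GET /nagios/cgi-bin/status.cgi?host=' + "A" * 4000 + ' HTTP/1.1" 200 900',
    '203.0.113.5 - - [28/Jan/2013:10:06:01 +0000] '
    '"GET /nagios/cgi-bin/history.cgi?host=' + "%41" * 300 + ' HTTP/1.1" 500 312',
]

if __name__ == "__main__":
    for ip, when, status, n in suspicious_history_requests(SAMPLE_LOG):
        print(f"{when} {ip} status={status} host_len={n}")
```

Hits from this check are a reason to confirm the installed version against the Resolution below and to look for the /tmp/x file mentioned under Limitations.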

Resolution

Upgrade to Nagios 3.4.4 or later.

References

<http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089125.html>
<https://dev.icinga.org/issues/3532>
<https://www.icinga.org/2013/01/14/icinga-1-6-2-1-7-4-1-8-4-released/>

Limitations

This exploit has been tested against Nagios Enterprises Nagios 3.4.3 on CentOS 6 (Exec-Shield Enabled).
This exploit creates an executable file in /tmp/x which should be manually removed after successful exploitation. As such, this exploit also requires /tmp to be mounted without the noexec flag.
This exploit requires the base64 utility to be installed on the system.

Platforms

Linux
