ID CVE-2012-6096
Summary Multiple stack-based buffer overflows in the get_history function in history.cgi in Nagios Core before 3.4.4, and Icinga 1.6.x before 1.6.2, 1.7.x before 1.7.4, and 1.8.x before 1.8.4, might allow remote attackers to execute arbitrary code via a long (1) host_name variable (host parameter) or (2) svc_description variable.
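Added example, not code from Nagios, Icinga or any of the advisories on this page: the defect shape the Summary and the FreeBSD entry below describe, an unbounded sprintf of a request parameter into a fixed-size stack buffer, next to the bounded form a fix takes. The buffer name, its size (MAX_INPUT_BUFFER, assumed 1024) and the " HOST ALERT: %s;" log-matching format are assumptions modelled on the pattern, not quoted from history.cgi; the exploit-db and Metasploit entries below label the outcome command execution, but the defect itself is the missing bound on the copy.

```c
/* Added example (not Nagios/Icinga source). Reconstructs the unbounded
 * sprintf pattern behind CVE-2012-6096 beside a bounded replacement.
 * Names, sizes and format strings are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_INPUT_BUFFER 1024   /* assumed size of the CGI's fixed stack buffers */

/* Vulnerable shape: match1 is a MAX_INPUT_BUFFER stack array in the caller,
 * host_name comes straight from the ?host= query parameter, and sprintf has
 * no idea how large match1 is. Anything longer than about MAX_INPUT_BUFFER-15
 * bytes runs off the end into saved registers and the return address.
 * Never call this with untrusted input. */
static void build_host_match_unsafe(char *match1, const char *host_name)
{
    sprintf(match1, " HOST ALERT: %s;", host_name);
}

/* Hardened shape: snprintf is told the buffer size AND the caller checks the
 * length snprintf wanted to write. Returns 0 on success, -1 if host_name did
 * not fit; match1 is then emptied so nobody searches on a truncated pattern
 * that could match another host's log lines. */
static int build_host_match_safe(char *match1, size_t match1_len,
                                 const char *host_name)
{
    int needed = snprintf(match1, match1_len, " HOST ALERT: %s;", host_name);
    if (needed < 0 || (size_t)needed >= match1_len) {
        match1[0] = '\0';
        return -1;
    }
    return 0;
}

/* Input validation one layer up: bound the parameter before it reaches any
 * formatting call. Returns 1 if host_name fits the format in a
 * MAX_INPUT_BUFFER buffer (with room for the NUL), 0 otherwise. */
static int host_name_fits(const char *host_name)
{
    size_t fixed = strlen(" HOST ALERT: ;");       /* bytes the format adds */
    return strlen(host_name) + fixed < MAX_INPUT_BUFFER;
}

/* Constructed input: a host_name of n 'A's, like the ?host=AAAA... query a
 * scanner or exploit sends. Caller frees. */
static char *make_long_host_name(size_t n)
{
    char *s = malloc(n + 1);
    if (s) { memset(s, 'A', n); s[n] = '\0'; }
    return s;
}

int main(void)
{
    char match1[MAX_INPUT_BUFFER];
    char *long_host = make_long_host_name(MAX_INPUT_BUFFER * 2);
    if (!long_host) return 1;

    printf("short host fits: %d\n", host_name_fits("localhost"));
    printf("long host fits:  %d\n", host_name_fits(long_host));

    if (build_host_match_safe(match1, sizeof match1, "localhost") == 0)
        printf("pattern: \"%s\"\n", match1);
    if (build_host_match_safe(match1, sizeof match1, long_host) != 0)
        printf("rejected %zu-byte host_name\n", strlen(long_host));

    /* The unbounded form is only ever given a short literal here; passing
     * long_host instead would overwrite the stack of main(). */
    build_host_match_unsafe(match1, "localhost");
    printf("unsafe form on a short host: \"%s\"\n", match1);

    free(long_host);
    return 0;
}
```

The detail that matters in the hardened form is the return-value check: snprintf on its own only truncates, and a truncated pattern is still wrong, so the caller refuses the request rather than continuing with it. The svc_description path named in the Summary needs the same treatment with its own format.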
References
Vulnerable Configurations
  • Nagios 3.4.3
    cpe:2.3:a:nagios:nagios:3.4.3
  • Nagios 3.4.2
    cpe:2.3:a:nagios:nagios:3.4.2
  • Nagios 3.4.1
    cpe:2.3:a:nagios:nagios:3.4.1
  • Nagios 3.4.0
    cpe:2.3:a:nagios:nagios:3.4.0
  • Nagios 3.3.1
    cpe:2.3:a:nagios:nagios:3.3.1
  • Nagios 3.2.3
    cpe:2.3:a:nagios:nagios:3.2.3
  • Nagios 3.2.2
    cpe:2.3:a:nagios:nagios:3.2.2
  • Nagios 3.2.1
    cpe:2.3:a:nagios:nagios:3.2.1
  • Nagios 3.2.0
    cpe:2.3:a:nagios:nagios:3.2.0
  • Nagios 3.1.2
    cpe:2.3:a:nagios:nagios:3.1.2
  • Nagios 3.1.1
    cpe:2.3:a:nagios:nagios:3.1.1
  • Nagios 3.1.0
    cpe:2.3:a:nagios:nagios:3.1.0
  • Nagios 3.0.6
    cpe:2.3:a:nagios:nagios:3.0.6
  • Nagios 3.0.5
    cpe:2.3:a:nagios:nagios:3.0.5
  • Nagios 3.0.4
    cpe:2.3:a:nagios:nagios:3.0.4
  • Nagios 3.0.3
    cpe:2.3:a:nagios:nagios:3.0.3
  • Nagios 3.0.2
    cpe:2.3:a:nagios:nagios:3.0.2
  • Nagios 3.0.1
    cpe:2.3:a:nagios:nagios:3.0.1
  • Nagios 3.0
    cpe:2.3:a:nagios:nagios:3.0
  • Nagios 3.0 release candidate 3
    cpe:2.3:a:nagios:nagios:3.0:rc3
  • Nagios 3.0 release candidate 2
    cpe:2.3:a:nagios:nagios:3.0:rc2
  • Nagios 3.0 release candidate 1
    cpe:2.3:a:nagios:nagios:3.0:rc1
  • Nagios 3.0 beta7
    cpe:2.3:a:nagios:nagios:3.0:beta7
  • Nagios 3.0 beta6
    cpe:2.3:a:nagios:nagios:3.0:beta6
  • Nagios 3.0 beta5
    cpe:2.3:a:nagios:nagios:3.0:beta5
  • Nagios 3.0 beta4
    cpe:2.3:a:nagios:nagios:3.0:beta4
  • Nagios 3.0 beta3
    cpe:2.3:a:nagios:nagios:3.0:beta3
  • Nagios 3.0 beta2
    cpe:2.3:a:nagios:nagios:3.0:beta2
  • Nagios 3.0 beta1
    cpe:2.3:a:nagios:nagios:3.0:beta1
  • Nagios 3.0 alpha5
    cpe:2.3:a:nagios:nagios:3.0:alpha5
  • Nagios 3.0 alpha4
    cpe:2.3:a:nagios:nagios:3.0:alpha4
  • Nagios 3.0 alpha3
    cpe:2.3:a:nagios:nagios:3.0:alpha3
  • Nagios 3.0 alpha2
    cpe:2.3:a:nagios:nagios:3.0:alpha2
  • Nagios 3.0 alpha1
    cpe:2.3:a:nagios:nagios:3.0:alpha1
  • Icinga 1.6.1
    cpe:2.3:a:icinga:icinga:1.6.1
  • Icinga 1.6.0
    cpe:2.3:a:icinga:icinga:1.6.0
  • Icinga 1.7.3
    cpe:2.3:a:icinga:icinga:1.7.3
  • Icinga 1.7.2
    cpe:2.3:a:icinga:icinga:1.7.2
  • Icinga 1.7.1
    cpe:2.3:a:icinga:icinga:1.7.1
  • Icinga 1.7.0
    cpe:2.3:a:icinga:icinga:1.7.0
  • Icinga 1.8.3
    cpe:2.3:a:icinga:icinga:1.8.3
  • Icinga 1.8.2
    cpe:2.3:a:icinga:icinga:1.8.2
  • Icinga 1.8.1
    cpe:2.3:a:icinga:icinga:1.8.1
  • Icinga 1.8.0
    cpe:2.3:a:icinga:icinga:1.8.0
CVSS
Base: 7.5 (as of 23-01-2013 - 10:22)
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like an MP3 sharing application, for the victim to download. The attacker is then notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from formatted configuration data to cause a buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
exploit-db via4
  • description Nagios3 history.cgi Host Command Execution. CVE-2012-6096. Remote exploit for linux platform
    file exploits/linux/remote/24159.rb
    id EDB-ID:24159
    last seen 2016-02-02
    modified 2013-01-16
    platform linux
    port
    published 2013-01-16
    reporter metasploit
    source https://www.exploit-db.com/download/24159/
    title Nagios3 history.cgi Host Command Execution
    type remote
  • description Nagios history.cgi Remote Command Execution. CVE-2012-6096. Remote exploit for multiple platforms
    file exploits/multiple/remote/24084.py
    id EDB-ID:24084
    last seen 2016-02-02
    modified 2013-01-13
    platform multiple
    port
    published 2013-01-13
    reporter blasty
    source https://www.exploit-db.com/download/24084/
    title Nagios history.cgi Remote Command Execution Vulnerability
    type remote
metasploit via4
description This module abuses a command injection vulnerability in the Nagios3 history.cgi script.
id MSF:EXPLOIT/UNIX/WEBAPP/NAGIOS3_HISTORY_CGI
last seen 2018-12-13
modified 2018-08-20
published 2013-01-15
reliability Great
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/nagios3_history_cgi.rb
title Nagios3 history.cgi Host Command Execution
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_NAGIOS-130211.NASL
    description This update fixes a stack overflow in nagios web interface. CVE-2012-6096 has been assigned.
    last seen 2018-09-01
    modified 2013-10-25
    plugin id 64926
    published 2013-02-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64926
    title SuSE 11.2 Security Update : nagios (SAT Patch Number 7328)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_NAGIOS-8460.NASL
    description This update fixes a stack overflow in the nagios web interface. CVE-2012-6096 has been assigned.
    last seen 2018-09-01
    modified 2013-04-22
    plugin id 64927
    published 2013-02-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64927
    title SuSE 10 Security Update : nagios (ZYPP Patch Number 8460)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_97C22A945B8B11E2B131000C299B62E1.NASL
    description full disclosure reports : history.cgi is vulnerable to a buffer overflow due to the use of sprintf with user-supplied data that has not been restricted in size.
    last seen 2019-02-21
    modified 2018-11-21
    plugin id 63470
    published 2013-01-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63470
    title FreeBSD : nagios -- buffer overflow in history.cgi (97c22a94-5b8b-11e2-b131-000c299b62e1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-0732.NASL
    description Update to 3.4.4; CVE-2012-6096 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 63658
    published 2013-01-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63658
    title Fedora 18 : nagios-3.4.4-1.fc18 (2013-0732)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2653.NASL
    description It was discovered that Icinga, a host and network monitoring system, contains several buffer overflows in the history.cgi CGI program.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 65696
    published 2013-03-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65696
    title Debian DSA-2653-1 : icinga - buffer overflow
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-0753.NASL
    description Update to 3.4.4; CVE-2012-6096 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 63660
    published 2013-01-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63660
    title Fedora 17 : nagios-3.4.4-1.fc17 (2013-0753)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2616.NASL
    description A buffer overflow problem has been found in nagios3, a host/service/network monitoring and management system. A malicious client could craft a request to history.cgi and cause application crashes.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 64439
    published 2013-02-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64439
    title Debian DSA-2616-1 : nagios3 - buffer overflow in CGI scripts
  • NASL family CGI abuses
    NASL id NAGIOS_CORE_344.NASL
    description The remote web server hosts a version of Nagios Core that is affected by a buffer overflow vulnerability. By sending a specially crafted request using the 'host_name' or 'svc_description' parameter to 'history.cgi', a remote attacker may be able to execute arbitrary code or trigger a denial of service condition.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 63563
    published 2013-01-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63563
    title Nagios Core history.cgi Multiple Parameter Buffer Overflow
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201412-23.NASL
    description The remote host is affected by the vulnerability described in GLSA-201412-23 (Nagios: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Nagios. Please review the CVE identifiers referenced below for details. Impact : A remote attacker may be able to execute arbitrary code, cause a Denial of Service condition, or obtain sensitive information. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 79976
    published 2014-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79976
    title GLSA-201412-23 : Nagios: Multiple vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2013-54.NASL
    description - fixed Stack based buffer overflow in web interface: bnc#797237 - CVE-2012-6096 - icinga-fix-bnc797237.patch
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 75069
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75069
    title openSUSE Security Update : icinga (openSUSE-SU-2013:0206-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2013-45.NASL
    description
      - imported upstream version 1.7.4
      - bnc#797237
      - core: add fix for CVE-2012-6096 - history.cgi remote command execution (Eric Stanley, Markus Frosch) #3532 - MF
      - core: fix embedded perl segfault #3027 - MF
      - core: fix duplicated events on check scheduling logic for new events (Andreas Ericsson) #2676 #2993 - MF
      - core: avoid duplicate events when scheduling forced host|service check (Imri Zvik) #2993 - MF
      - core: get rid of the instame macro usage while logging alerts and states (Andreas Ericsson) #2665 - MF
      - core: revamp the detection of embedded perl usage directive '# icinga: +epn' (Andreas Ericsson) #2197 - MF
      - core: fix whitespaces are not stripped using multiple templates ('use abc, def, ghi') #2701 - MF
      - core: add hint on icinga.cfg package location, and tip to read Changelog CHANGES on upgrades #2879 - MF
      - core: bail out early with config error if resource.cfg macros contain NULL values #2879 - MF
      - core: fix logical bug on icinga.cfg detection on config read #2879 - MF
      - core: fsync() files before fclose() (Andreas Ericsson) #2948 - MF
      - core: remove weird switch() statement when scanning checkresult queue (Andreas Ericsson) #2950 - MF
      - core: fix deleting too old check result files (Andreas Ericsson) #2951 - MF
      - idoutils: fix IDOUtils on PostgreSQL, recreates service objects in icinga_objects (thx Torsten Fohrer) #3166 - MF
      - idoutils: fix icinga mysql db creation script grants access to all dbs #2917 - MF
      - idoutils: fix ignoring mysql password in create_mysqldb.sh #2994 - MF
      - removed obsolete patches
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75020
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75020
    title openSUSE Security Update : icinga (openSUSE-SU-2013:0169-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2013-41.NASL
    description - avoid stack based buffer overflow in web interface (history): added nagios-history_buffer_overflow.patch - (bnc#797237) fixes CVE-2012-6096
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 74997
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74997
    title openSUSE Security Update : nagios (openSUSE-SU-2013:0140-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-0752.NASL
    description Update to 3.4.4; CVE-2012-6096 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 63659
    published 2013-01-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63659
    title Fedora 16 : nagios-3.4.4-1.fc16 (2013-0752)
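Added example, not from the CVE database, Tenable or any distribution advisory: the affected ranges stated in the Summary (Nagios Core before 3.4.4; Icinga 1.6.x before 1.6.2, 1.7.x before 1.7.4, 1.8.x before 1.8.4), expressed as a check over a product/version pair or over a CPE 2.3 string like the ones in the Vulnerable Configurations list, which is the kind of comparison the version-based Nessus check above performs. Assumptions: "before 3.4.4" is read literally, so Nagios 2.x and the 3.0 pre-releases count as affected even though the CPE list enumerates only 3.0 alpha1 onward, and pre-release tags sort alpha < beta < rc < final, the order the CPE list uses.

```c
/* Added example (not from the advisory database or any scanner): is a given
 * Nagios/Icinga version inside the ranges CVE-2012-6096's Summary names?
 * Version strings are treated as untrusted input: digits are bounded and
 * unknown tags are refused rather than guessed at. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

struct ver { int major, minor, patch, stage, stagenum; }; /* stage: 0 alpha, 1 beta, 2 rc, 3 final */

/* Parses "3.4.3", "3.0", "3.0:rc3", "3.0 beta7". Returns 1 on success, 0 otherwise. */
static int parse_version(const char *s, struct ver *v)
{
    int n[3] = {0, 0, 0}, i = 0;
    while (i < 3 && isdigit((unsigned char)*s)) {          /* up to three dotted components */
        while (isdigit((unsigned char)*s)) {
            n[i] = n[i] * 10 + (*s++ - '0');
            if (n[i] > 9999) return 0;
        }
        i++;
        if (*s == '.' && isdigit((unsigned char)s[1])) s++; else break;
    }
    if (i == 0) return 0;
    v->major = n[0]; v->minor = n[1]; v->patch = n[2];
    v->stage = 3; v->stagenum = 0;
    while (*s && !isalnum((unsigned char)*s)) s++;         /* ':' ' ' '-' between number and tag */
    if (*s == '\0') return 1;
    if (strncmp(s, "alpha", 5) == 0)     { v->stage = 0; s += 5; }
    else if (strncmp(s, "beta", 4) == 0) { v->stage = 1; s += 4; }
    else if (strncmp(s, "rc", 2) == 0)   { v->stage = 2; s += 2; }
    else return 0;
    while (isdigit((unsigned char)*s)) {
        v->stagenum = v->stagenum * 10 + (*s++ - '0');
        if (v->stagenum > 9999) return 0;
    }
    return *s == '\0';
}

static int cmp_ver(const struct ver *a, const struct ver *b)
{
    const int fa[5] = {a->major, a->minor, a->patch, a->stage, a->stagenum};
    const int fb[5] = {b->major, b->minor, b->patch, b->stage, b->stagenum};
    for (int i = 0; i < 5; i++)
        if (fa[i] != fb[i]) return fa[i] < fb[i] ? -1 : 1;
    return 0;
}

/* 1 = inside an affected range, 0 = not affected, -1 = version not understood. */
static int is_affected(const char *product, const char *version)
{
    static const char *const icinga_ranges[][2] = {     /* [lo, hi) from the Summary */
        {"1.6.0", "1.6.2"}, {"1.7.0", "1.7.4"}, {"1.8.0", "1.8.4"}
    };
    struct ver v, lo, hi;
    if (!parse_version(version, &v)) return -1;
    if (strcmp(product, "nagios") == 0) {
        parse_version("3.4.4", &hi);
        return cmp_ver(&v, &hi) < 0;
    }
    if (strcmp(product, "icinga") == 0) {
        for (size_t i = 0; i < sizeof icinga_ranges / sizeof icinga_ranges[0]; i++) {
            parse_version(icinga_ranges[i][0], &lo);
            parse_version(icinga_ranges[i][1], &hi);
            if (cmp_ver(&v, &lo) >= 0 && cmp_ver(&v, &hi) < 0) return 1;
        }
        return 0;
    }
    return 0;                                             /* other products: outside this CVE */
}

/* Same check from a CPE 2.3 string: cpe:2.3:a:<vendor>:<product>:<version>[:<update>] */
static int cpe_affected(const char *cpe)
{
    char buf[256], version[128], *f[8] = {0};
    int nf = 0;
    if (strlen(cpe) >= sizeof buf) return -1;
    strcpy(buf, cpe);
    for (char *p = strtok(buf, ":"); p && nf < 8; p = strtok(NULL, ":")) f[nf++] = p;
    if (nf < 6 || strcmp(f[0], "cpe") != 0 || strcmp(f[1], "2.3") != 0) return -1;
    if (nf >= 7) snprintf(version, sizeof version, "%s:%s", f[5], f[6]); /* "3.0" + "rc3" */
    else         snprintf(version, sizeof version, "%s", f[5]);
    return is_affected(f[4], version);
}

int main(void)
{
    /* Constructed sample: entries from the CPE list above plus two fixed releases. */
    const char *samples[] = {
        "cpe:2.3:a:nagios:nagios:3.4.3", "cpe:2.3:a:nagios:nagios:3.0:rc3",
        "cpe:2.3:a:nagios:nagios:3.4.4", "cpe:2.3:a:icinga:icinga:1.7.3",
        "cpe:2.3:a:icinga:icinga:1.8.4", "cpe:2.3:a:icinga:icinga:1.9.0",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s affected=%d\n", samples[i], cpe_affected(samples[i]));
    return 0;
}
```

A version check like this tells you whether a host is in scope; it says nothing about whether a distribution backported the fix without bumping the version (Debian, SUSE and Fedora all shipped patched builds under their own package versions, as the entries above show), so treat a "1" as a prompt to verify the package's changelog rather than as proof.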
packetstorm via4
refmap via4
bid 56879
confirm
debian
  • DSA-2616
  • DSA-2653
exploit-db
  • 24084
  • 24159
fulldisc 20121209 Nagios Core 3.4.3: Stack based buffer overflow in web interface
osvdb 89170
secunia 51863
suse
  • openSUSE-SU-2013:0140
  • openSUSE-SU-2013:0169
  • openSUSE-SU-2013:0188
  • openSUSE-SU-2013:0206
saint via4
bid 56879
description Nagios 3 history.cgi Command Injection
osvdb 88322
title nagios3_history_cgi_cmd_injection
type remote
Last major update 04-06-2013 - 23:40
Published 22-01-2013 - 18:55