hey security team and nagios team, as reported to us in the bts, the debian nagios packages are vulnerable to arbitrary code execution via not properly checking the Content-Length header from client requests.
here are the affected versions afaict:

stable:
  nagios-mysql 2:1.3-cvs.20050402-2.sarge.1
  nagios-text  2:1.3-cvs.20050402-2.sarge.1
  nagios-pgsql 2:1.3-cvs.20050402-2.sarge.1

unstable:
  nagios-mysql 2:1.3-cvs.20050402-13
  nagios-text  2:1.3-cvs.20050402-13
  nagios-pgsql 2:1.3-cvs.20050402-13
  nagios2      2.2-1

in unstable both the 1.x and 2.x trees have had updates from upstream. i've just finished putting the changes into svn, but i haven't prepared an upload yet because i haven't been able to find/craft an exploit just yet, and i'm in one of those "low on time" modes where it's possible i may have messed something up. so, i could use help with the following two things:

- crafting a simple "user-agent" that can illustrate the vulnerability by sending a negative or 0 value for content length to a nagios cgi (it doesn't have to actually inject any shell code or anything, just PoC would be fine by me).
- verifying that the latest branches in svn are fixed.

if anyone could assist me with either of these, it'd be much appreciated.

sean
--
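for anyone looking at the second item (checking the fix rather than crafting the request), here is an added example, written for this thread and not taken from the nagios source or the debian package, of how a cgi can parse CONTENT_LENGTH so that a negative, zero, non-numeric, overflowing or oversized value is rejected before any buffer is sized from it. MAX_POST_BYTES, the function names and the sample body are all assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest POST body this CGI is willing to buffer; an assumed policy
 * value for the example, not anything taken from nagios. */
#define MAX_POST_BYTES (64L * 1024L)

/* The pattern to avoid is content_length = atoi(getenv("CONTENT_LENGTH"))
 * followed by malloc(content_length + 1) and a read of that many bytes:
 * atoi() returns negatives unchanged and wraps silently on overflow, so
 * the size handed to malloc() and the number of bytes read no longer
 * agree with each other or with what the client actually sends. */

/* Strict parse of a CONTENT_LENGTH value. Returns 0..MAX_POST_BYTES, or
 * -1 for NULL, empty, signed, non-numeric, overflowing or oversized
 * input. Zero comes back as 0 so the caller can treat it as "no body"
 * instead of feeding it into a size computation. */
long parse_content_length(const char *s)
{
    char *end;
    long v;

    if (s == NULL || *s == '\0')
        return -1;
    /* strtol() accepts leading whitespace and a sign; a header value
     * such as "-1" or " 5" must not get that far. */
    if (*s < '0' || *s > '9')
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;              /* overflow, or trailing junk like "12abc" */
    if (v < 0 || v > MAX_POST_BYTES)
        return -1;
    return v;
}

/* Read exactly `len` bytes of POST data into a fresh NUL-terminated
 * buffer (caller frees). Returns NULL when len is invalid or zero, or
 * when the stream ends early, so a short body never leaves a partly
 * filled buffer for later string handling to walk past. */
char *read_post_body(FILE *in, long len)
{
    char *buf;
    size_t got;

    if (in == NULL || len <= 0 || len > MAX_POST_BYTES)
        return NULL;
    buf = malloc((size_t)len + 1);
    if (buf == NULL)
        return NULL;
    got = fread(buf, 1, (size_t)len, in);
    if (got != (size_t)len) {
        free(buf);
        return NULL;
    }
    buf[len] = '\0';
    return buf;
}

/* Turn a constructed body into a readable stream standing in for the
 * CGI's stdin; tmpfile() is ISO C so no feature macros are needed. */
FILE *constructed_stream(const char *s)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    if (fputs(s, f) == EOF || fflush(f) != 0) {
        fclose(f);
        return NULL;
    }
    rewind(f);
    return f;
}

int main(void)
{
    /* constructed header values of the kind a request could carry */
    const char *samples[] = { "23", "0", "-1", "", "12abc", "+5",
                              "99999999999999999999", "65537" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("CONTENT_LENGTH=%-22s -> %ld\n", samples[i],
               parse_content_length(samples[i]));

    /* constructed POST body (23 bytes) in place of stdin */
    FILE *in = constructed_stream("host=web01&service=HTTP");
    if (in != NULL) {
        char *p = read_post_body(in, parse_content_length("23"));
        printf("body: %s\n", p ? p : "(rejected)");
        free(p);
        fclose(in);
    }
    return 0;
}
```

the point of splitting the parse from the read is that the only number that ever reaches malloc() or fread() has already been range-checked, so a header the client controls can only make the cgi refuse the request, never undersize a buffer.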