severity 366682 important
severity 366683 important
thanks

Hi,

the Ubuntu guys already found out that Apache 2 doesn't accept requests with negative content length and I just checked that Apache 1.3 doesn't either. I guess this makes this a quite low impact vulnerability.

> as reported to us in the bts, the debian nagios packages are
> vulnerable to arbitrary code execution via not properly checking
> the Content-Length header from client requests.
> in unstable both the 1.x and 2.x trees have had updates from
> upstream. i've just finished putting the changes into svn, but i
> haven't prepared an upload yet because i haven't been able to
> find/craft an exploit just yet, and i'm in one of those "low on
> time" modes where it's possible i may have messed something up.
>
> so, i could use help with the following two things:
> - crafting a simple "user-agent" that can illustrate the
> vulnerability by sending a negative or 0 value for content length
> to a nagios cgi (it doesn't have to actually inject any shell code
> or anything, just PoC would be fine by me).

I think it works like this:

$ export REQUEST_METHOD=POST
$ export CONTENT_LENGTH=-2
$ /usr/lib/cgi-bin/nagios2/status.cgi
getcgivars(): Could not allocate memory for CGI input.

This is fixed by the following part of the 2.2 to 2.3 diff:

diff -burN nagios-2.2/cgi/getcgi.c nagios-2.3/cgi/getcgi.c
--- nagios-2.2/cgi/getcgi.c	2004-11-06 06:44:12.000000000 +0100
+++ nagios-2.3/cgi/getcgi.c	2006-04-12 21:17:23.000000000 +0200
@@ -169,6 +169,8 @@
 printf("getcgivars(): No Content-Length was sent with the POST request.\n") ;
 exit(1);
 }
+if(content_length<0)
+content_length=0;
 if(!(cgiinput=(char *)malloc(content_length+1))){
 printf("getcgivars(): Could not allocate memory for CGI input.\n");
 exit(1);

This prevents negative parameters from being passed to malloc. I don't know what malloc does with a negative size parameter. Maybe this can corrupt something?

Hope this helps.

Cheers,
Stefan
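Review bot: The added `if(content_length<0) content_length=0;` silently accepts a malformed header instead of rejecting it; the branch just above already prints an error and calls `exit(1)` when Content-Length is missing, and a negative value deserves the same treatment rather than being turned into a `malloc(1)`. The hunk also leaves `malloc(content_length+1)` without an upper bound, so an int at INT_MAX still overflows the `+1`; a sanity limit on content_length would close that too.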
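To answer the question of what a negative size does in that `malloc(content_length+1)` call, here is an added example (not from this thread or from the nagios sources) that shows the value the int-to-size_t conversion actually hands to malloc for negative inputs, the clamped value after the 2.3 patch, and a stricter parser that rejects such headers outright; `requested_alloc_size`, `patched_alloc_size` and `parse_content_length` are hypothetical helper names.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical helper: the value that reaches malloc() when code like
 * getcgivars() computes malloc(content_length + 1) with an int
 * content_length. The int is converted to size_t at the call, so a
 * negative value wraps modulo SIZE_MAX + 1: -2 becomes SIZE_MAX (the
 * allocation fails, which is the message seen above) and -1 becomes 0
 * (malloc(0), a buffer with no usable space). Unsigned arithmetic is used
 * here so the example itself has no signed overflow. */
size_t requested_alloc_size(int content_length) {
    return (size_t)content_length + 1u;
}

/* The same computation after the 2.3 patch, which clamps negatives to 0,
 * so every negative header ends up requesting a single byte. */
size_t patched_alloc_size(int content_length) {
    if (content_length < 0)
        content_length = 0;
    return (size_t)content_length + 1u;
}

/* Hypothetical stricter replacement for atoi(): parse CONTENT_LENGTH as a
 * decimal number, reject trailing junk, negatives, overflow and anything
 * above a caller-chosen limit. Returns the length on success, -1 on
 * rejection, so the caller can treat a bad header like a missing one. */
long parse_content_length(const char *s, long max_len) {
    char *end;
    long v;

    if (s == NULL || *s == '\0')
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < 0 || v > max_len)
        return -1;
    return v;
}
```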