Hi,

On Friday 12 May 2006 01:17, sean finney wrote:
> On Thu, May 11, 2006 at 11:46:21PM +0200, Stefan Fritsch wrote:
> > the Ubuntu guys already found out that Apache 2 doesn't accept
> > requests with negative content length and I just checked that
> > Apache 1.3 doesn't either. I guess this makes this a quite low
> > impact vulnerability.
>
> what if:
>
> On Thu, May 11, 2006 at 05:46:16PM +0200, Martin Schulze wrote:
> > Please note that upstream doesn't check for content length ==
> > INT_MAX
>
> i don't have a nagios install online right now (can tomorrow
> morning) so i can't run the PoC mentioned in the BTS (thanks
> stefan), i'd be interested to see how it handles 2147483647 (or
> your arch's equivalent of INT_MAX). if the code actually
> increments the size by one AFTER receiving the data... then we
> should probably readjust the severities.
Yes, you are right: Apache doesn't allow Content-Length larger than
INT_MAX, but INT_MAX is already a problem:

$ telnet localhost 8081
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
POST /cgi-bin/nagios2/status.cgi HTTP/1.0
Content-Length: 2147483647

Then top shows that there is a crashed status.cgi process:

 7698 www-data  15   0     0    0    0 Z  0.0  0.0   0:00.00 status.cgi <defunct>

With Content-Length: 2147483648, Apache gives back "400 Bad Request" and
doesn't call status.cgi.

I still don't know whether this is exploitable, but the patch suggested
by Martin is obviously safer than the one implemented by upstream.

Cheers,
Stefan
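An added example in C (not Nagios, Apache or Debian code) of the two checks this thread contrasts: rejecting only a negative CONTENT_LENGTH, which still lets 2147483647 through to a `len + 1` that wraps, beside a stricter parser that rejects anything that could wrap or exceed a size cap. The function names and the 1 MiB cap are assumptions.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#define MAX_POST_BYTES (1024 * 1024)  /* constructed cap; size it per deployment */

/* Weak check from the thread: atoi(), reject negatives only. Returns the size a
 * CGI doing malloc(len + 1) would request, in 64-bit so this demo has no UB;
 * -1 means rejected. atoi() itself has no overflow detection. */
long long weak_buffer_size(const char *content_length)
{
    int len = atoi(content_length);
    if (len < 0)
        return -1;
    return (long long)len + 1;  /* for INT_MAX this wraps to INT_MIN in int math */
}

/* 1 if len + 1 leaves int range, i.e. the malloc size would wrap. */
int weak_overflows(const char *content_length)
{
    return weak_buffer_size(content_length) > INT_MAX;
}

/* Stricter parser: rejects empty, trailing junk, negatives, >= INT_MAX (so
 * len + 1 cannot wrap) and anything above the cap. Returns length or -1. */
int safe_content_length(const char *s)
{
    char *end; long v;
    if (s == NULL || *s == '\0')
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;              /* out of long range, or not all digits */
    if (v < 0 || v >= (long)INT_MAX)
        return -1;              /* negative, or would wrap on + 1 */
    if (v > MAX_POST_BYTES)
        return -1;              /* larger than any legitimate form POST */
    return (int)v;
}

int main(void)
{
    const char *samples[] = { "512", "-1", "2147483647" };  /* constructed */
    for (int i = 0; i < 3; i++)
        printf("%-10s weak size=%lld wraps=%d  safe=%d\n", samples[i],
               weak_buffer_size(samples[i]), weak_overflows(samples[i]),
               safe_content_length(samples[i]));
    return 0;
}
```

The 2147483648 case Apache already rejects is left out of the weak path on purpose, since atoi() on an out-of-range string is undefined; the safe parser handles it through strtol's range check.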