[Pkg-nagios-devel] Bug#366683: Bug#366682: CVE-2006-2162: Buffer overflow in nagios
Stefan Fritsch
sf at sfritsch.de
Thu May 11 21:46:21 UTC 2006
severity 366682 important
severity 366683 important
thanks
Hi,
the Ubuntu guys already found out that Apache 2 doesn't accept
requests with negative content length and I just checked that Apache
1.3 doesn't either. I guess this makes this a quite low-impact
vulnerability.
> as reported to us in the bts, the debian nagios packages are
> vulnerable to arbitrary code execution via not properly checking
> the Content-Length header from client requests.
> in unstable both the 1.x and 2.x trees have had updates from
> upstream. i've just finished putting the changes into svn, but i
> haven't prepared an upload yet because i haven't been able to
> find/craft an exploit just yet, and i'm in one of those "low on
> time" modes where it's possible i may have messed something up.
>
> so, i could use help with the following two things:
> - crafting a simple "user-agent" that can illustrate the
> vulnerability by sending a negative or 0 value for content length
> to a nagios cgi (it doesn't have to actually inject any shell code
> or anything, just PoC would be fine by me).
I think it works like this:
$ export REQUEST_METHOD=POST
$ export CONTENT_LENGTH=-2
$ /usr/lib/cgi-bin/nagios2/status.cgi
getcgivars(): Could not allocate memory for CGI input.
This is fixed by the following part of the 2.2 to 2.3 diff:
diff -burN nagios-2.2/cgi/getcgi.c nagios-2.3/cgi/getcgi.c
--- nagios-2.2/cgi/getcgi.c 2004-11-06 06:44:12.000000000 +0100
+++ nagios-2.3/cgi/getcgi.c 2006-04-12 21:17:23.000000000 +0200
@@ -169,6 +169,8 @@
printf("getcgivars(): No Content-Length was
sent with the POST request.\n") ;
exit(1);
}
+ if(content_length<0)
+ content_length=0;
if(!(cgiinput=(char *)malloc(content_length+1))){
printf("getcgivars(): Could not allocate
memory for CGI input.\n");
exit(1);
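Review bot: the clamp `if(content_length<0) content_length=0;` sits correctly between the missing-header check and the malloc, but it silently turns a negative Content-Length into an empty body instead of rejecting the malformed request; using the same `printf(...); exit(1);` pattern the hunk already uses for the "No Content-Length" case would be more consistent and avoids processing the request at all. For the record, without the clamp `content_length+1` for -2 converts to the largest size_t, so malloc fails and the existing NULL check fires, whereas -1 yields malloc(0), which on many allocators returns a non-NULL zero-length buffer that passes the check; a comment noting that the clamp exists because of the int-to-size_t conversion would help future readers.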
This prevents negative parameters from being passed to malloc. I don't know
what malloc does with a negative size parameter. Maybe this can
corrupt something?
Hope this helps.
Cheers,
Stefan
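As an added illustration of the two points raised in this thread (what malloc actually receives when Content-Length is negative, and how a CGI should validate the header before sizing a buffer), here is example code that is not part of Nagios or this patch. The names unpatched_malloc_size, parse_content_length and MAX_CONTENT_LENGTH are constructed for the example.

```c
/* Added example, not Nagios code: validating CONTENT_LENGTH before it
 * reaches malloc(). The unpatched getcgivars() did malloc(content_length+1)
 * with content_length taken straight from the environment. */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound on accepted POST bodies; a constructed value, not a Nagios setting. */
#define MAX_CONTENT_LENGTH (1024L * 1024L)

/* Returns the size_t that malloc(content_length+1) actually receives, i.e.
 * the int-to-size_t conversion the unpatched code relies on.
 * (Only meaningful for values where content_length+1 does not overflow int.) */
size_t unpatched_malloc_size(int content_length)
{
    return (size_t)(content_length + 1);   /* -2 -> SIZE_MAX, -1 -> 0 */
}

/* Hardened parser: returns 0 and stores the length in *out on success,
 * -1 on rejection. Rejects empty or non-numeric input, trailing garbage,
 * negative values, values above MAX_CONTENT_LENGTH and anything strtol
 * cannot represent. */
int parse_content_length(const char *s, long *out)
{
    char *end;
    long v;

    if (s == NULL || *s == '\0')
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0')     /* overflow or trailing junk */
        return -1;
    if (v < 0 || v > MAX_CONTENT_LENGTH)     /* negative or unreasonably large */
        return -1;
    *out = v;
    return 0;
}
```

With this check in place the CGI can refuse the request with the same error-and-exit pattern used for a missing header, rather than clamping it to an empty body.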