[Pkg-nagios-devel] Bug#366682: CVE-2006-2162: Buffer overflow in
sf at sfritsch.de
Fri May 12 08:43:25 UTC 2006
On Friday 12 May 2006 01:17, sean finney wrote:
> On Thu, May 11, 2006 at 11:46:21PM +0200, Stefan Fritsch wrote:
> > the Ubuntu guys already found out that Apache 2 doesn't accept
> > requests with negative content length and I just checked that
> > Apache 1.3 doesn't either. I guess this makes this a quite low
> > impact vulnerability.
> what if:
> On Thu, May 11, 2006 at 05:46:16PM +0200, Martin Schulze wrote:
> > Please note that upstream doesn't check for content length ==
> > INT_MAX
> i don't have a nagios install online right now (can tomorrow
> morning) so i can't run the PoC mentioned in the BTS (thanks
> stefan), i'd be interested to see how it handles 2147483647 (or
> your arch's equivalent of INT_MAX). if the code actually
> increments the size by one AFTER receiving the data... then we
> should probably readjust the severities.
Yes, you are right:
Apache doesn't allow Content-Length larger than INT_MAX, but INT_MAX
is already a problem:
$ telnet localhost 8081
Connected to localhost.
Escape character is '^]'.
POST /cgi-bin/nagios2/status.cgi HTTP/1.0
Then top shows that there is a crashed status.cgi process:
7698 www-data 15 0 0 0 0 Z 0.0 0.0 0:00.00
With Content-Length: 2147483648, Apache gives back "400 Bad Request"
and doesn't call status.cgi.
I still don't know whether this is exploitable, but the patch
suggested by Martin is obviously safer than the one implemented by
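An added illustration, not Nagios code and not from this thread: a C check for the CONTENT_LENGTH handling discussed above. It rejects negative values, rejects exactly INT_MAX (where cl + 1 wraps) and anything larger, and applies a size cap; the function names and MAX_BODY_LEN are assumptions for the example.

```c
/* Added example, not Nagios code. The bug pattern under discussion is
 * cl = atoi(CONTENT_LENGTH); buf = malloc(cl + 1); fread(buf, 1, cl, stdin).
 * A negative cl is nonsense, and cl == INT_MAX makes cl + 1 overflow
 * (undefined behaviour for signed int), so the buffer is far too small. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_BODY_LEN (1024 * 1024)   /* policy cap on buffered body; constructed */

/* Returns 0 and stores the validated length in *out, or -1 if the header is
 * missing, not a clean decimal number, negative, >= INT_MAX (cl + 1 would
 * wrap), or above the policy cap. */
int parse_content_length(const char *hdr, int *out)
{
    char *end;
    long v;

    if (hdr == NULL || *hdr == '\0')
        return -1;
    errno = 0;
    v = strtol(hdr, &end, 10);
    if (errno == ERANGE || end == hdr || *end != '\0')
        return -1;
    if (v < 0)               /* Apache already rejects these; the CGI must too */
        return -1;
    if (v >= INT_MAX)        /* the case upstream misses: == INT_MAX */
        return -1;
    if (v > MAX_BODY_LEN)
        return -1;
    *out = (int)v;
    return 0;
}

/* Convenience wrapper: the validated length, or -1 when rejected. */
int validated_length(const char *hdr)
{
    int cl;
    return parse_content_length(hdr, &cl) == 0 ? cl : -1;
}

int main(void)
{
    const char *samples[] = { "42", "-1", "2147483647", "2147483648", "12abc" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-10s -> %d\n", samples[i], validated_length(samples[i]));
    return 0;
}
```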