sean finney wrote:
> hey security team and nagios team,
>
> as reported to us in the bts, the debian nagios packages are vulnerable
> to arbitrary code execution via not properly checking the Content-Length
> header from client requests.
>
> here are the affected versions afaict:
>
> stable:
>
> nagios-mysql 2:1.3-cvs.20050402-2.sarge.1
> nagios-text 2:1.3-cvs.20050402-2.sarge.1
> nagios-pgsql 2:1.3-cvs.20050402-2.sarge.1
>
> unstable:
>
> nagios-mysql 2:1.3-cvs.20050402-13
> nagios-text 2:1.3-cvs.20050402-13
> nagios-pgsql 2:1.3-cvs.20050402-13
> nagios2 2.2-1
>
> in unstable both the 1.x and 2.x trees have had updates from upstream.
> i've just finished putting the changes into svn, but i haven't prepared
> an upload yet because i haven't been able to find/craft an exploit
> just yet, and i'm in one of those "low on time" modes where it's
> possible i may have messed something up.
>
> so, i could use help with the following two things:
>
> - crafting a simple "user-agent" that can illustrate the vulnerability
> by sending a negative or 0 value for content length to a nagios cgi
> (it doesn't have to actually inject any shell code or anything, just
> PoC would be fine by me).
Why user-agent? "All" you need to do is add some variables, so that
the Content-Length is either exactly INT_MAX or even larger; both
cause an integer overrun, which causes a negative malloc(), which causes
a situation in which the attacker may control some memory they shouldn't.

I'm attaching a patch that ought to fix the problem.

Please note that upstream doesn't check for content length == INT_MAX
but blindly adds 1.
Regards,
Joey
--
Still can't talk about what I can't talk about. Sorry. -- Bruce Schneier
Please always Cc to me when replying to me on the lists.
diff -u nagios-1.3-cvs.20050402/debian/patches/00list
nagios-1.3-cvs.20050402/debian/patches/00list
--- nagios-1.3-cvs.20050402/debian/patches/00list
+++ nagios-1.3-cvs.20050402/debian/patches/00list
@@ -12,0 +13 @@
+99999_CVE-2006-2162.dpatch
diff -u nagios-1.3-cvs.20050402/debian/changelog
nagios-1.3-cvs.20050402/debian/changelog
--- nagios-1.3-cvs.20050402/debian/changelog
+++ nagios-1.3-cvs.20050402/debian/changelog
@@ -1,3 +1,11 @@
+nagios (2:1.3-cvs.20050402-2.sarge.2) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team
+ * Add overflow protection for Content-Length [cgi/getcgi.c,
+ debian/patches/99999_CVE-2006-2162.dpatch]
+
+ -- Martin Schulze <[EMAIL PROTECTED]> Thu, 11 May 2006 17:34:58 +0200
+
nagios (2:1.3-cvs.20050402-2.sarge.1) unstable; urgency=high
* Sean Finney:
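Review bot: the changelog entry names the CVE only through the patch filename in the bracketed file list; the Debian convention is to cite the identifier in the entry text itself, e.g. `* Add overflow protection for Content-Length (CVE-2006-2162)`, so the security tracker and users can match the upload to the advisory without reading the patch directory.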
only in patch2:
unchanged:
--- nagios-1.3-cvs.20050402.orig/debian/patches/99999_CVE-2006-2162.dpatch
+++ nagios-1.3-cvs.20050402/debian/patches/99999_CVE-2006-2162.dpatch
@@ -0,0 +1,28 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10_grouplist.cgi-pathfixes.dpatch by <[EMAIL PROTECTED]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: prevent integer overflow
+
[EMAIL PROTECTED]@
+--- nagios-1.3-cvs.20050402/cgi/getcgi.c~ 2006-05-11 17:43:35.000000000
+0200
++++ nagios-1.3-cvs.20050402/cgi/getcgi.c 2006-05-11 17:43:00.000000000
+0200
+@@ -9,6 +9,7 @@
+ #include "../common/config.h"
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <limits.h>
+ #include "getcgi.h"
+
+
+@@ -166,6 +167,10 @@ char **getcgivars(void){
+ printf("getcgivars(): No Content-Length was sent with
the POST request.\n") ;
+ exit(1);
+ }
++ if((content_length<0) || (content_length >= INT_MAX-1)){
++ printf("getcgivars(): Suspicious Content-Length was
sent with the POST request.\n");
++ exit(1);
++ }
+ if(!(cgiinput=(char *)malloc(content_length+1))){
+ printf("getcgivars(): Could not allocate memory for CGI
input.\n");
+ exit(1);
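Review bot: the description header on the second line of the dpatch still reads `## 10_grouplist.cgi-pathfixes.dpatch by ...`, a leftover from the file it was copied from, and should name 99999_CVE-2006-2162.dpatch. On the check itself, `content_length >= INT_MAX-1` is stricter than needed, since only `content_length == INT_MAX` makes `content_length+1` wrap, but that is harmless; what the patch still accepts is any length up to INT_MAX-2, so a single request can make getcgivars() attempt a malloc() of close to 2 GiB and then read that much from the client, and a sane upper bound on POST body size would close that resource-exhaustion avenue alongside the overflow. Also note that the `@DPATCH@` marker line appears in this mail as `[EMAIL PROTECTED]@`, mangled by the list archive's address redaction; dpatch-run relies on that marker to find the start of the embedded patch, so confirm the line is intact in the file that gets uploaded.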
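As an added illustration of the failure mode discussed in this thread (not code from the Debian patch or from Nagios), the following hardened Content-Length parser rejects the negative and INT_MAX cases that make `malloc(content_length+1)` wrap, and additionally applies an assumed size cap (`MAX_CGI_BODY`, not a Nagios setting) that the posted patch does not; `parse_content_length` and `alloc_cgi_input` are hypothetical names.

```c
/* Added example, not Nagios code. getcgivars() converts the header to an
 * int and calls malloc(content_length + 1): for INT_MAX the addition wraps
 * to a negative int, which becomes a huge size_t when handed to malloc().
 * This parser refuses those inputs before any arithmetic happens. */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

#define MAX_CGI_BODY (1024L * 1024L)  /* assumed cap: 1 MiB of POST data */

/* Returns the parsed length, or -1 if the value is absent, non-numeric,
 * negative, would overflow "length + 1" in an int, or exceeds the cap. */
long parse_content_length(const char *value)
{
    char *end;
    long n;

    if (value == NULL || *value == '\0')
        return -1;
    /* strtol() would accept a leading '-', '+' or whitespace; refuse them
     * so a negative header can never reach the allocation below. */
    if (!isdigit((unsigned char)*value))
        return -1;

    errno = 0;
    n = strtol(value, &end, 10);
    if (errno == ERANGE || *end != '\0')  /* out of range or trailing junk */
        return -1;
    /* INT_MAX itself is refused because the caller adds 1 in int width
     * (the Debian patch's check); the cap makes this redundant but keeps
     * the reason for the original bug visible. */
    if (n < 0 || n >= INT_MAX)
        return -1;
    if (n > MAX_CGI_BODY)                 /* DoS guard the patch lacks */
        return -1;
    return n;
}

/* Allocate the CGI input buffer only after validation; the +1 is done in
 * size_t, so it cannot wrap the way the int expression in getcgivars() can. */
char *alloc_cgi_input(const char *content_length_header, long *len_out)
{
    long n = parse_content_length(content_length_header);
    char *buf;

    if (n < 0)
        return NULL;
    buf = malloc((size_t)n + 1);
    if (buf == NULL)
        return NULL;
    buf[n] = '\0';
    if (len_out != NULL)
        *len_out = n;
    return buf;
}
```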