Bug#366682: CVE-2006-2162: Buffer overflow in nagios
sean finney wrote:
> hey security team and nagios team,
>
> as reported to us in the bts, the debian nagios packages are vulnerable to arbitrary code execution via not properly checking the Content-Length header from client requests. here are the affected versions afaict:
>
> stable:
> nagios-mysql 2:1.3-cvs.20050402-2.sarge.1
> nagios-text 2:1.3-cvs.20050402-2.sarge.1
> nagios-pgsql 2:1.3-cvs.20050402-2.sarge.1
>
> unstable:
> nagios-mysql 2:1.3-cvs.20050402-13
> nagios-text 2:1.3-cvs.20050402-13
> nagios-pgsql 2:1.3-cvs.20050402-13
> nagios2 2.2-1
>
> in unstable both the 1.x and 2.x trees have had updates from upstream. i've just finished putting the changes into svn, but i haven't prepared an upload yet because i haven't been able to find/craft an exploit just yet, and i'm in one of those low on time modes where it's possible i may have messed something up. so, i could use help with the following two things:
>
> - crafting a simple user-agent that can illustrate the vulnerability by sending a negative or 0 value for content length to a nagios cgi (it doesn't have to actually inject any shell code or anything, just PoC would be fine by me).

Why user-agent? All you need to do is add some variables, so that the Content-Length is either exactly INT_MAX or even larger. Both cause an integer overrun, which causes a negative malloc(), which causes a situation in which the attacker may control some memory they shouldn't.

I'm attaching a patch that ought to fix the problem. Please note that upstream doesn't check for content length == INT_MAX but blindly adds 1.

Regards,

Joey

-- 
Still can't talk about what I can't talk about. Sorry. -- Bruce Schneier

Please always Cc to me when replying to me on the lists.

diff -u nagios-1.3-cvs.20050402/debian/patches/00list nagios-1.3-cvs.20050402/debian/patches/00list --- nagios-1.3-cvs.20050402/debian/patches/00list +++ nagios-1.3-cvs.20050402/debian/patches/00list
@@ -12,0 +13 @@ +9_CVE-2006-2162.dpatch diff -u nagios-1.3-cvs.20050402/debian/changelog nagios-1.3-cvs.20050402/debian/changelog --- nagios-1.3-cvs.20050402/debian/changelog +++ nagios-1.3-cvs.20050402/debian/changelog @@ -1,3 +1,11 @@ +nagios (2:1.3-cvs.20050402-2.sarge.2) stable-security; urgency=high + + * Non-maintainer upload by the Security Team + * Add overflow protection for Content-Length [cgi/getcgi.c, +debian/patches/9_CVE-2006-2162.dpatch] + + -- Martin Schulze [EMAIL PROTECTED] Thu, 11 May 2006 17:34:58 +0200 + nagios (2:1.3-cvs.20050402-2.sarge.1) unstable; urgency=high * Sean Finney: only in patch2: unchanged: --- nagios-1.3-cvs.20050402.orig/debian/patches/9_CVE-2006-2162.dpatch +++ nagios-1.3-cvs.20050402/debian/patches/9_CVE-2006-2162.dpatch @@ -0,0 +1,28 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 10_grouplist.cgi-pathfixes.dpatch by [EMAIL PROTECTED] +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: prevent integer overflow + [EMAIL PROTECTED]@ +--- nagios-1.3-cvs.20050402/cgi/getcgi.c~ 2006-05-11 17:43:35.0 +0200 nagios-1.3-cvs.20050402/cgi/getcgi.c 2006-05-11 17:43:00.0 +0200 +@@ -9,6 +9,7 @@ + #include ../common/config.h + #include stdio.h + #include stdlib.h ++#include limits.h + #include getcgi.h + + +@@ -166,6 +167,10 @@ char **getcgivars(void){ + printf(getcgivars(): No Content-Length was sent with the POST request.\n) ; + exit(1); + } ++ if((content_length0) || (content_length = INT_MAX-1)){ ++ printf(getcgivars(): Suspicious Content-Length was sent with the POST request.\n); ++ exit(1); ++ } + if(!(cgiinput=(char *)malloc(content_length+1))){ + printf(getcgivars(): Could not allocate memory for CGI input.\n); + exit(1); signature.asc Description: Digital signature
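Review bot: the header line of the new 9_CVE-2006-2162.dpatch, `## 10_grouplist.cgi-pathfixes.dpatch by [EMAIL PROTECTED]`, still names a different patch, so the file documents itself wrongly in the dpatch series; it should read `## 9_CVE-2006-2162.dpatch by ...` to match the entry added to 00list in the first hunk.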
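Review bot: in the cgi/getcgi.c hunk the upper bound `INT_MAX-1` is one tighter than the arithmetic needs (INT_MAX-1 plus 1 does not overflow), which is harmless, but a much lower cap would be the better defence: these CGIs read form data of at most a few hundred bytes, so rejecting anything above a small fixed maximum (a megabyte is generous) keeps `malloc(content_length+1)` from being driven to gigabyte sizes by a single header, not merely from wrapping. The comparison operators are missing from the quoted lines (`content_length0`, `content_length = INT_MAX-1`), so double-check that the committed patch reads `< 0` and `>= INT_MAX-1`, and that both branches reach the `exit(1)` before the malloc.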
Bug#366682: CVE-2006-2162: Buffer overflow in nagios
severity 366682 important
severity 366683 important
thanks

Hi,

the Ubuntu guys already found out that Apache 2 doesn't accept requests with negative content length and I just checked that Apache 1.3 doesn't either. I guess this makes this a quite low impact vulnerability.

> as reported to us in the bts, the debian nagios packages are vulnerable to arbitrary code execution via not properly checking the Content-Length header from client requests.
>
> in unstable both the 1.x and 2.x trees have had updates from upstream. i've just finished putting the changes into svn, but i haven't prepared an upload yet because i haven't been able to find/craft an exploit just yet, and i'm in one of those low on time modes where it's possible i may have messed something up. so, i could use help with the following two things:
>
> - crafting a simple user-agent that can illustrate the vulnerability by sending a negative or 0 value for content length to a nagios cgi (it doesn't have to actually inject any shell code or anything, just PoC would be fine by me).

I think it works like this:

$ export REQUEST_METHOD=POST
$ export CONTENT_LENGTH=-2
$ /usr/lib/cgi-bin/nagios2/status.cgi
getcgivars(): Could not allocate memory for CGI input.

This is fixed by the following part of the 2.2 to 2.3 diff:

diff -burN nagios-2.2/cgi/getcgi.c nagios-2.3/cgi/getcgi.c --- nagios-2.2/cgi/getcgi.c 2004-11-06 06:44:12.0 +0100 +++ nagios-2.3/cgi/getcgi.c 2006-04-12 21:17:23.0 +0200
@@ -169,6 +169,8 @@ printf(getcgivars(): No Content-Length was sent with the POST request.\n) ; exit(1); } + if(content_length0) + content_length=0; if(!(cgiinput=(char *)malloc(content_length+1))){ printf(getcgivars(): Could not allocate memory for CGI input.\n); exit(1);

This prevents negative parameters from being passed to malloc. I don't know what malloc does with a negative size parameter. Maybe this can corrupt something?

Hope this helps.

Cheers,
Stefan

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
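Review bot: the clamp in this getcgi.c hunk (`if(content_length0) content_length=0;`, presumably `< 0` with the operator lost in quoting) only covers the negative case; with a Content-Length of exactly INT_MAX the `malloc(content_length+1)` on the very next line still overflows to a negative value, which is the gap Joey raises elsewhere in this bug. Add an upper bound too, either rejecting values at or above INT_MAX-1 or, better, capping at a small sane maximum for CGI form data, and prefer rejecting the request over silently clamping it to 0 so a bad header is visible in the logs rather than processed as an empty body.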
Bug#366682: CVE-2006-2162: Buffer overflow in nagios
Hi Sean!

Sean Finney wrote:
> On Thu, May 11, 2006 at 05:46:16PM +0200, Martin Schulze wrote:
> > > - crafting a simple user-agent that can illustrate the vulnerability by sending a negative or 0 value for content length to a nagios cgi (it doesn't have to actually inject any shell code or anything, just PoC would be fine by me).
> >
> > Why user-agent? All you need to do is add some variables, so that
>
> as a general rule i feel much more comfortable having some kind of PoC code available that will tell me that my patch works. granted, in this case it's a rather straightforward patch, but still...
>
> > the Content-Length is either exactly INT_MAX or even larger. Both cause an integer overrun, which causes a negative malloc(), which causes a situation in which the attacker may control some memory they shouldn't.
>
> ah yes.. good point about INT_MAX. i'll forward this upstream as well, since i don't think ethan considered this.

Thanks. Please let me know the version in sid that will have this problem fixed once you know it.

Regards,

Joey

-- 
It's time to close the windows.

Please always Cc to me when replying to me on the lists.
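An added example, not code from this thread or from Nagios: a defensive replacement for the atoi()-style parse that feeds `malloc(content_length+1)` in getcgi.c. It rejects the negative value Stefan tests with, the INT_MAX-sized value Joey describes, and malformed input before any size arithmetic happens, and reports which case was hit. The MAX_CONTENT_LENGTH bound and all function names are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Largest POST body a Nagios-style CGI should accept. Constructed bound for
 * this example: the CGI forms send a few hundred bytes at most. */
#define MAX_CONTENT_LENGTH (1024L * 1024L)

enum cl_status { CL_OK = 0, CL_MISSING, CL_MALFORMED, CL_NEGATIVE, CL_TOO_LARGE };

/* Parse the CONTENT_LENGTH value before it reaches malloc(). Unlike atoi(),
 * strtol() rejects trailing garbage and clamps out-of-range input to
 * LONG_MIN/LONG_MAX, so the negative case and the INT_MAX case from the bug
 * report are both caught here and *out + 1 can never wrap. */
enum cl_status parse_content_length(const char *s, size_t *out) {
    char *end;
    long v;
    if (s == NULL || *s == '\0')
        return CL_MISSING;
    v = strtol(s, &end, 10);
    if (end == s || *end != '\0')
        return CL_MALFORMED;        /* "12abc" */
    if (v < 0)
        return CL_NEGATIVE;         /* "-2": the CVE-2006-2162 input */
    if (v > MAX_CONTENT_LENGTH)
        return CL_TOO_LARGE;        /* "2147483647": content_length+1 would overflow int */
    *out = (size_t)v;
    return CL_OK;
}

/* Thin wrappers so the outcome can be checked without side effects. */
int classify(const char *s) { size_t n; return (int)parse_content_length(s, &n); }
long accepted_length(const char *s) { size_t n; return parse_content_length(s, &n) == CL_OK ? (long)n : -1L; }

int main(void) {
    /* Constructed inputs, in the spirit of the `export CONTENT_LENGTH=-2` test earlier in the thread. */
    const char *samples[] = { "42", "-2", "2147483647", "99999999999999999999", "12abc", "" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = 0;
        enum cl_status st = parse_content_length(samples[i], &n);
        if (st == CL_OK)
            printf("CONTENT_LENGTH=%-22s -> allocate %zu bytes\n", samples[i], n + 1);
        else
            printf("CONTENT_LENGTH=%-22s -> rejected (status %d)\n", samples[i], (int)st);
    }
    return 0;
}
```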
Bug#366682: CVE-2006-2162: Buffer overflow
Package: nagios
Severity: grave
Tags: security
Justification: user security hole

CVE-2006-2162: Buffer overflow in CGI scripts in Nagios 1.x before 1.4 and 2.x before 2.3 allows remote attackers to execute arbitrary code via a negative content length (Content-Length) HTTP header.

See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2162