Bug#366682: CVE-2006-2162: Buffer overflow in nagios

2006-05-11 Thread Martin Schulze
sean finney wrote:
 hey security team and nagios team,
 
 as reported to us in the bts, the debian nagios packages are vulnerable
 to arbitrary code execution via not properly checking the Content-Length
 header from client requests.
 
 here are the affected versions afaict:
 
 stable:   
 
 nagios-mysql 2:1.3-cvs.20050402-2.sarge.1
 nagios-text 2:1.3-cvs.20050402-2.sarge.1
 nagios-pgsql 2:1.3-cvs.20050402-2.sarge.1
 
 unstable:
 
 nagios-mysql 2:1.3-cvs.20050402-13
 nagios-text 2:1.3-cvs.20050402-13
 nagios-pgsql 2:1.3-cvs.20050402-13
 nagios2 2.2-1
 
 in unstable both the 1.x and 2.x trees have had updates from upstream.
 i've just finished putting the changes into svn, but i haven't prepared
 an upload yet because i haven't been able to find/craft an exploit
 just yet, and i'm in one of those low on time modes where it's
 possible i may have messed something up.
 
 so, i could use help with the following two things:
 
 - crafting a simple user-agent that can illustrate the vulnerability
   by sending a negative or 0 value for content length to a nagios cgi
   (it doesn't have to actually inject any shell code or anything, just
   PoC would be fine by me).

Why user-agent?  All you need to do is add some variables, so that
the Content-Length is either exactly INT_MAX or even larger; both
cause an integer overrun, which causes a negative malloc(), which causes
a situation in which the attacker may control some memory they shouldn't.

I'm attaching a patch that ought to fix the problem.

Please note that upstream doesn't check for content length == INT_MAX
but blindly adds 1.

Regards,

Joey

-- 
Still can't talk about what I can't talk about.  Sorry.  -- Bruce Schneier

Please always Cc to me when replying to me on the lists.
diff -u nagios-1.3-cvs.20050402/debian/patches/00list 
nagios-1.3-cvs.20050402/debian/patches/00list
--- nagios-1.3-cvs.20050402/debian/patches/00list
+++ nagios-1.3-cvs.20050402/debian/patches/00list
@@ -12,0 +13 @@
+9_CVE-2006-2162.dpatch
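Review bot: the entry is appended after the twelve patches already listed in 00list, so 9_CVE-2006-2162.dpatch is applied last; that is the right position, because its getcgi.c context has to match the source as the earlier patches leave it. Nothing further to change in this hunk.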
diff -u nagios-1.3-cvs.20050402/debian/changelog 
nagios-1.3-cvs.20050402/debian/changelog
--- nagios-1.3-cvs.20050402/debian/changelog
+++ nagios-1.3-cvs.20050402/debian/changelog
@@ -1,3 +1,11 @@
+nagios (2:1.3-cvs.20050402-2.sarge.2) stable-security; urgency=high
+
+  * Non-maintainer upload by the Security Team
+  * Add overflow protection for Content-Length [cgi/getcgi.c,
+debian/patches/9_CVE-2006-2162.dpatch]
+
+ -- Martin Schulze [EMAIL PROTECTED]  Thu, 11 May 2006 17:34:58 +0200
+
 nagios (2:1.3-cvs.20050402-2.sarge.1) unstable; urgency=high
 
   * Sean Finney:
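Review bot: the new changelog entry does not reference the bug it fixes; adding `(Closes: #366682)` to the `Add overflow protection for Content-Length` line lets the BTS close the report when the upload is accepted, and naming CVE-2006-2162 in the entry text rather than only in the dpatch filename makes the security tracker's matching easier.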
only in patch2:
unchanged:
--- nagios-1.3-cvs.20050402.orig/debian/patches/9_CVE-2006-2162.dpatch
+++ nagios-1.3-cvs.20050402/debian/patches/9_CVE-2006-2162.dpatch
@@ -0,0 +1,28 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10_grouplist.cgi-pathfixes.dpatch by  [EMAIL PROTECTED]
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: prevent integer overflow
+
[EMAIL PROTECTED]@
+--- nagios-1.3-cvs.20050402/cgi/getcgi.c~  2006-05-11 17:43:35.0 
+0200
 nagios-1.3-cvs.20050402/cgi/getcgi.c   2006-05-11 17:43:00.0 
+0200
+@@ -9,6 +9,7 @@
+ #include ../common/config.h
+ #include stdio.h
+ #include stdlib.h
++#include limits.h
+ #include getcgi.h
+ 
+ 
+@@ -166,6 +167,10 @@ char **getcgivars(void){
+   printf(getcgivars(): No Content-Length was sent with 
the POST request.\n) ;
+   exit(1);
+   }
++  if((content_length0) || (content_length = INT_MAX-1)){
++  printf(getcgivars(): Suspicious Content-Length was 
sent with the POST request.\n);
++  exit(1);
++  }
+   if(!(cgiinput=(char *)malloc(content_length+1))){
+   printf(getcgivars(): Could not allocate memory for CGI 
input.\n);
+   exit(1);
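Review bot: the dpatch header on the second line still reads `## 10_grouplist.cgi-pathfixes.dpatch by [EMAIL PROTECTED]`, copied from another patch; it should name 9_CVE-2006-2162.dpatch. Separately, as rendered here the new condition reads `(content_length0) || (content_length = INT_MAX-1)`, with no comparison operators, and the `#include` lines and printf strings are likewise missing their angle brackets and quotes, so those characters look to have been stripped in transit; verify that the applied file really contains `content_length < 0` and `content_length >= INT_MAX-1` before upload. Note that the `>=` also rejects INT_MAX-1 itself, for which `content_length+1` would still fit in an int; that is harmless, just one value more conservative than necessary.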


signature.asc
Description: Digital signature


Bug#366682: CVE-2006-2162: Buffer overflow in nagios

2006-05-11 Thread Stefan Fritsch
severity 366682 important
severity 366683 important
thanks

Hi,

the Ubuntu guys already found out that Apache 2 doesn't accept 
requests with negative content length and I just checked that Apache 
1.3 doesn't either. I guess this makes this a quite low impact 
vulnerability.

 as reported to us in the bts, the debian nagios packages are
 vulnerable to arbitrary code execution via not properly checking
 the Content-Length header from client requests.
 in unstable both the 1.x and 2.x trees have had updates from
 upstream. i've just finished putting the changes into svn, but i
 haven't prepared an upload yet because i haven't been able to
 find/craft an exploit just yet, and i'm in one of those low on
 time modes where it's possible i may have messed something up.

 so, i could use help with the following two things:

 - crafting a simple user-agent that can illustrate the
 vulnerability by sending a negative or 0 value for content length
 to a nagios cgi (it doesn't have to actually inject any shell code
 or anything, just PoC would be fine by me).

I think it works like this:

$ export REQUEST_METHOD=POST
$ export CONTENT_LENGTH=-2
$ /usr/lib/cgi-bin/nagios2/status.cgi
getcgivars(): Could not allocate memory for CGI input.

This is fixed by the following part of the 2.2 to 2.3 diff:

diff -burN nagios-2.2/cgi/getcgi.c nagios-2.3/cgi/getcgi.c
--- nagios-2.2/cgi/getcgi.c 2004-11-06 06:44:12.0 +0100
+++ nagios-2.3/cgi/getcgi.c 2006-04-12 21:17:23.0 +0200
@@ -169,6 +169,8 @@
printf(getcgivars(): No Content-Length was 
sent with the POST request.\n) ;
exit(1);
}
+   if(content_length0)
+   content_length=0;
if(!(cgiinput=(char *)malloc(content_length+1))){
printf(getcgivars(): Could not allocate 
memory for CGI input.\n);
exit(1);
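Review bot: the clamp to 0 only handles the negative case; a Content-Length of exactly INT_MAX still passes the check and makes `content_length+1` wrap in the malloc() call that follows, the case Martin raised earlier in this thread. Rejecting out-of-range values outright, as the sarge dpatch does, is the safer fix, and the same upper bound should be forwarded upstream for the 2.3 change.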


This prevents negative parameters from being passed to malloc. I don't know 
what malloc does with a negative size parameter. Maybe this can 
corrupt something?

Hope this helps.

Cheers,
Stefan



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
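An added example, not code from this thread or from Nagios, that puts the two points made above into a checkable form: a parser for the CONTENT_LENGTH value that rejects both negative lengths and lengths for which content_length + 1 cannot be represented (one value less conservative than Martin's dpatch, which also rejects INT_MAX-1), a helper that answers Stefan's question about what malloc() is actually handed when the length is negative, and a helper showing why INT_MAX must be rejected too. All function names are my own and assume the usual 32-bit int.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not Nagios code. Parse a CONTENT_LENGTH string the way a
 * hardened getcgivars() should: return the length, or -1 if the value is
 * not a clean non-negative integer for which length + 1 still fits in an
 * int (so malloc(length + 1) cannot wrap). */
long safe_content_length(const char *s)
{
    char *end;
    long v;

    if (s == NULL || *s == '\0')
        return -1;                      /* header absent or empty */
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;                      /* out of range for long, or trailing junk */
    if (v < 0)
        return -1;                      /* negative Content-Length */
    if (v > INT_MAX - 1)
        return -1;                      /* v + 1 would overflow int */
    return v;
}

/* Does content_length + 1 overflow int? Evaluated in long long so that
 * asking the question does not itself trigger signed-overflow UB. */
int plus_one_overflows(int content_length)
{
    return (long long)content_length + 1 > INT_MAX;
}

/* The size malloc() actually receives from malloc(content_length + 1) when
 * the addition does not overflow but its result is negative: the int is
 * converted to size_t, so -2 + 1 == -1 becomes SIZE_MAX, i.e. an
 * allocation request for the entire address space, not a small buffer. */
size_t requested_alloc_size(int content_length)
{
    long long n = (long long)content_length + 1;
    return (size_t)n;                   /* negative values wrap to huge sizes */
}

int main(void)
{
    const char *cl = getenv("CONTENT_LENGTH");   /* as a CGI would see it */
    long len = safe_content_length(cl);

    if (len < 0) {
        printf("rejecting CONTENT_LENGTH=%s\n", cl ? cl : "(unset)");
        return 1;
    }
    printf("accepting CONTENT_LENGTH=%ld, would allocate %ld bytes\n",
           len, len + 1);
    return 0;
}
```

Run it the same way Stefan ran status.cgi, with REQUEST_METHOD and CONTENT_LENGTH exported, to see the rejection path for -2 and for 2147483647; the two helpers make the same facts available to a unit test without ever calling malloc() with a bad size.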



Bug#366682: CVE-2006-2162: Buffer overflow in nagios

2006-05-11 Thread Martin Schulze
Hi Sean!

Sean Finney wrote:
 On Thu, May 11, 2006 at 05:46:16PM +0200, Martin Schulze wrote:
   - crafting a simple user-agent that can illustrate the vulnerability
 by sending a negative or 0 value for content length to a nagios cgi
 (it doesn't have to actually inject any shell code or anything, just
 PoC would be fine by me).
  
  Why user-agent?  All you need to do is add some variables, so that
 
 as a general rule i feel much more comfortable having some kind of PoC
 code available that will tell me that my patch works.  granted, in this
 case it's a rather straightforward patch, but still...
 
  the Content-Length is either exactly INT_MAX or even larger, both
  cause an integer overrun, which cause a negative malloc() which cause
  a situation in which the attacker may control some memory they shouldn't.
 
 ah yes.. good point about INT_MAX.  i'll forward this upstream as well,
 since i don't think ethan considered this.

Thanks.

Please let me know the version in sid that will have this problem
fixed once you know it.

Regards,

Joey


-- 
It's time to close the windows.

Please always Cc to me when replying to me on the lists.





Bug#366682: CVE-2006-2162: Buffer overflow

2006-05-10 Thread Stefan Fritsch
Package: nagios
Severity: grave
Tags: security
Justification: user security hole

CVE-2006-2162:
Buffer overflow in CGI scripts in Nagios 1.x before 1.4 and 2.x before
2.3 allows remote attackers to execute arbitrary code via a negative
content length (Content-Length) HTTP header.

See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2162

