Bug#366683: CVE-2006-2162: Buffer overflow in nagios
Hi,

On Friday 12 May 2006 01:17, sean finney wrote:
> On Thu, May 11, 2006 at 11:46:21PM +0200, Stefan Fritsch wrote:
> > the Ubuntu guys already found out that Apache 2 doesn't accept requests
> > with negative content length and I just checked that Apache 1.3 doesn't
> > either. I guess this makes this a quite low impact vulnerability.
>
> what if:
>
> On Thu, May 11, 2006 at 05:46:16PM +0200, Martin Schulze wrote:
> > Please note that upstream doesn't check for content length == INT_MAX
>
> i don't have a nagios install online right now (can tomorrow morning) so i
> can't run the PoC mentioned in the BTS (thanks stefan), i'd be interested
> to see how it handles 2147483647 (or your arch's equivalent of INT_MAX).
> if the code actually increments the size by one AFTER receiving the
> data... then we should probably readjust the severities.

Yes, you are right: Apache doesn't allow Content-Length larger than INT_MAX, but INT_MAX is already a problem:

$ telnet localhost 8081
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
POST /cgi-bin/nagios2/status.cgi HTTP/1.0
Content-Length: 2147483647

Then top shows that there is a crashed status.cgi process:

 7698 www-data  15   0     0    0    0 Z  0.0  0.0   0:00.00 status.cgi <defunct>

With Content-Length: 2147483648, Apache gives back 400 Bad Request and doesn't call status.cgi.

I still don't know whether this is exploitable, but the patch suggested by Martin is obviously safer than the one implemented by upstream.

Cheers,
Stefan
Bug#366683: CVE-2006-2162: Buffer overflow in nagios
On Fri, May 12, 2006 at 06:24:21AM +0200, Martin Schulze wrote:
> Please let me know the version in sid that will have this problem fixed
> once you know it.

for nagios 1.x: 1.4-1 (or 2:1.4-1, since there's an epoch i guess)
for nagios 2.x: 2.3-1

both are recently uploaded. i've made a diff.gz of the sarge version available at:

http://people.debian.org/~seanius/nagios/nagios_1.3-cvs.20050402-2.sarge.2.diff.gz

though there's no difference wrt your patch other than cosmetics and different dpatch names.

also, there is a

http://people.debian.org/~seanius/nagios/CVE-2006-2162.sh

which is a quick PoC i threw together to test the cgi's from the cmdline.

sean
Bug#366683: CVE-2006-2162: Buffer overflow in nagios
Sean Finney wrote:
> On Fri, May 12, 2006 at 06:24:21AM +0200, Martin Schulze wrote:
> > Please let me know the version in sid that will have this problem fixed
> > once you know it.
>
> for nagios 1.x: 1.4-1 (or 2:1.4-1, since there's an epoch i guess)
> for nagios 2.x: 2.3-1

Noted.

> both are recently uploaded. i've made a diff.gz of the sarge version
> available at:
>
> http://people.debian.org/~seanius/nagios/nagios_1.3-cvs.20050402-2.sarge.2.diff.gz

The other version is already built, though.

Regards,

	Joey

-- 
Linux - the choice of a GNU generation.
Bug#366683: CVE-2006-2162: Buffer overflow in nagios
hey security team and nagios team,

as reported to us in the bts, the debian nagios packages are vulnerable to arbitrary code execution via not properly checking the Content-Length header from client requests. here are the affected versions afaict:

stable:
  nagios-mysql  2:1.3-cvs.20050402-2.sarge.1
  nagios-text   2:1.3-cvs.20050402-2.sarge.1
  nagios-pgsql  2:1.3-cvs.20050402-2.sarge.1

unstable:
  nagios-mysql  2:1.3-cvs.20050402-13
  nagios-text   2:1.3-cvs.20050402-13
  nagios-pgsql  2:1.3-cvs.20050402-13
  nagios2       2.2-1

in unstable both the 1.x and 2.x trees have had updates from upstream. i've just finished putting the changes into svn, but i haven't prepared an upload yet because i haven't been able to find/craft an exploit just yet, and i'm in one of those low on time modes where it's possible i may have messed something up. so, i could use help with the following two things:

- crafting a simple user-agent that can illustrate the vulnerability by sending a negative or 0 value for content length to a nagios cgi (it doesn't have to actually inject any shell code or anything, just PoC would be fine by me).

- verifying that the latest branches in svn are fixed.

if anyone could assist me with either of these, it'd be much appreciated.

sean
Bug#366683: CVE-2006-2162: Buffer overflow in nagios
hey joey,

On Thu, May 11, 2006 at 05:46:16PM +0200, Martin Schulze wrote:
> > - crafting a simple user-agent that can illustrate the vulnerability by
> >   sending a negative or 0 value for content length to a nagios cgi (it
> >   doesn't have to actually inject any shell code or anything, just PoC
> >   would be fine by me).
>
> Why user-agent? All you need to do is add some variables, so that

as a general rule i feel much more comfortable having some kind of PoC code available that will tell me that my patch works. granted, in this case it's a rather straightforward patch, but still...

> the Content-Length is either exactly INT_MAX or even larger, both cause an
> integer overrun, which cause a negative malloc() which cause a situation in
> which the attacker may control some memory they shouldn't.

ah yes.. good point about INT_MAX. i'll forward this upstream as well, since i don't think ethan considered this.

sean
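The check Martin is asking for, written out as an added example (not Nagios's code and not the Debian patch): a CGI that later does malloc(len + 1) must reject a Content-Length of INT_MAX, not just negative or zero values. MAX_POST_BYTES and the two function names are assumptions chosen for this example.

```c
/* Added example, not Nagios's own code: a defensive CONTENT_LENGTH parser
 * for a CGI that allocates content_length + 1 bytes for the POST body. */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_POST_BYTES (1024L * 1024L)   /* assumed cap; tune per deployment */

/* Returns 1 and stores the length in *out when the value is a positive
 * decimal integer that is safe to use in "malloc(len + 1)"; returns 0 for
 * missing, empty, non-numeric, zero, negative, INT_MAX or above-cap values. */
int parse_content_length(const char *value, size_t *out)
{
    char *end;
    long len;
    /* strtol accepts a leading '-', '+' or whitespace; insist on bare digits. */
    if (value == NULL || !isdigit((unsigned char)*value))
        return 0;
    errno = 0;
    len = strtol(value, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return 0;
    /* Zero means nothing to read; INT_MAX wraps to a negative size the
     * moment the code computes len + 1 in an int (the case discussed in
     * the thread); anything above the cap is not a legitimate form post. */
    if (len <= 0 || len >= INT_MAX || len > MAX_POST_BYTES)
        return 0;
    *out = (size_t)len;
    return 1;
}

/* Read the POST body into a NUL-terminated buffer; NULL if the header is
 * unsafe, allocation fails, or the body is shorter than advertised. */
char *read_post_body(FILE *in, const char *content_length)
{
    size_t len;
    char *buf;
    if (!parse_content_length(content_length, &len))
        return NULL;
    if ((buf = malloc(len + 1)) == NULL)   /* len + 1 cannot overflow here */
        return NULL;
    if (fread(buf, 1, len, in) != len) {
        free(buf);
        return NULL;
    }
    buf[len] = '\0';
    return buf;
}
```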
Bug#366683: CVE-2006-2162: Buffer overflow in nagios
On Thu, May 11, 2006 at 11:46:21PM +0200, Stefan Fritsch wrote:
> severity 366682 important
> severity 366683 important
> thanks
>
> Hi,
>
> the Ubuntu guys already found out that Apache 2 doesn't accept requests
> with negative content length and I just checked that Apache 1.3 doesn't
> either. I guess this makes this a quite low impact vulnerability.

what if:

On Thu, May 11, 2006 at 05:46:16PM +0200, Martin Schulze wrote:
> Please note that upstream doesn't check for content length == INT_MAX

i don't have a nagios install online right now (can tomorrow morning) so i can't run the PoC mentioned in the BTS (thanks stefan), i'd be interested to see how it handles 2147483647 (or your arch's equivalent of INT_MAX). if the code actually increments the size by one AFTER receiving the data... then we should probably readjust the severities.

and by the way, i'm a bit annoyed that ubuntu managed to send off a USN on this 4 days ago, and not even bother to think hey, maybe we should mention this to the debian guys.

sean
Bug#366683: CVE-2006-2162: Buffer overflow in nagios
Package: nagios2
Severity: grave
Justification: user security hole
Tags: security

CVE-2006-2162: Buffer overflow in CGI scripts in Nagios 1.x before 1.4 and 2.x before 2.3 allows remote attackers to execute arbitrary code via a negative content length (Content-Length) HTTP header.

See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2162
Bug#366683: [EMAIL PROTECTED]: [Pkg-nagios-devel] Bug#366683: CVE-2006-2162: Buffer overflow in nagios]
hi ethan,

any care to comment on this? i'm really swamped right now and just spent all of last weekend fixing 4 CVE's for mysql, so i would really appreciate it if you (or someone else on the list) could forward me the relevant patch from the 1.x branch if/when it exists so we can prepare an update for the debian sarge and woody packages.

sean

----- Forwarded message from Stefan Fritsch [EMAIL PROTECTED] -----

Date: Wed, 10 May 2006 13:23:59 +0200 (CEST)
From: Stefan Fritsch [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [Pkg-nagios-devel] Bug#366683: CVE-2006-2162: Buffer overflow in nagios

Package: nagios2
Severity: grave
Justification: user security hole
Tags: security

CVE-2006-2162: Buffer overflow in CGI scripts in Nagios 1.x before 1.4 and 2.x before 2.3 allows remote attackers to execute arbitrary code via a negative content length (Content-Length) HTTP header.

See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2162

----- End forwarded message -----