[Pkg-nagios-devel] Bug#366682: CVE-2006-2162: Buffer overflow in nagios

sean finney seanius at debian.org
Thu May 11 08:35:26 UTC 2006


hey security team and nagios team,

as reported to us in the bts, the debian nagios packages are vulnerable
to arbitrary code execution via not properly checking the Content-Length
header from client requests.

here are the affected versions afaict:

stable:

nagios-mysql 2:1.3-cvs.20050402-2.sarge.1
nagios-text 2:1.3-cvs.20050402-2.sarge.1
nagios-pgsql 2:1.3-cvs.20050402-2.sarge.1

unstable:

nagios-mysql 2:1.3-cvs.20050402-13
nagios-text 2:1.3-cvs.20050402-13
nagios-pgsql 2:1.3-cvs.20050402-13
nagios2 2.2-1

in unstable both the 1.x and 2.x trees have had updates from upstream.
i've just finished putting the changes into svn, but i haven't prepared
an upload yet because i haven't been able to find/craft an exploit
just yet, and i'm in one of those "low on time" modes where it's
possible i may have messed something up.

so, i could use help with the following two things:

- crafting a simple "user-agent" that can illustrate the vulnerability
  by sending a negative or 0 value for content length to a nagios cgi
  (it doesn't have to actually inject any shell code or anything, just
  PoC would be fine by me).
- verifying that the latest branches in svn are fixed.

if anyone could assist me with either of these, it'd be much
appreciated. 


	sean
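For the Content-Length handling the message describes, here is an added example (not Nagios code and not from the Debian packaging) of how a CGI program can validate CONTENT_LENGTH before using it to size a buffer; MAX_BODY_LEN is an assumed limit chosen for the example:

```c
/* Added example: defensive CONTENT_LENGTH handling for a CGI program.
 * Not Nagios code; MAX_BODY_LEN is an assumed limit for this example. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BODY_LEN (64L * 1024L)

/* Returns the parsed length, or -1 if the value is missing, not a clean
 * decimal number, negative, zero, or above MAX_BODY_LEN. An unchecked
 * conversion is what lets such values size a fixed buffer. */
long parse_content_length(const char *value)
{
    char *end;
    long n;
    if (value == NULL || *value == '\0')
        return -1;
    errno = 0;
    n = strtol(value, &end, 10);
    if (errno == ERANGE || end == value || *end != '\0')
        return -1;
    return (n <= 0 || n > MAX_BODY_LEN) ? -1 : n;
}

/* Reads exactly len bytes into a buffer sized from the validated length;
 * NULL on a bad length, allocation failure or short read. */
char *read_body(FILE *in, long len)
{
    char *buf;
    if (len <= 0 || len > MAX_BODY_LEN)
        return NULL;
    buf = malloc((size_t)len + 1);
    if (buf == NULL)
        return NULL;
    if (fread(buf, 1, (size_t)len, in) != (size_t)len) {
        free(buf);
        return NULL;
    }
    buf[len] = '\0';
    return buf;
}
```

In a CGI entry point, call parse_content_length(getenv("CONTENT_LENGTH")) and answer with a 400 status when it returns -1; only then pass the result to read_body(stdin, len).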
