[Pkg-nagios-devel] Bug#366682: CVE-2006-2162: Buffer overflow in nagios

Sean Finney seanius at debian.org
Thu May 11 17:46:27 UTC 2006


hey joey,

On Thu, May 11, 2006 at 05:46:16PM +0200, Martin Schulze wrote:
> > - crafting a simple "user-agent" that can illustrate the vulnerability
> >   by sending a negative or 0 value for content length to a nagios cgi
> >   (it doesn't have to actually inject any shell code or anything, just
> >   PoC would be fine by me).
> 
> Why user-agent?  "All" you need to do is add some variables, so that

as a general rule i feel much more comfortable having some kind of PoC
code available that will tell me that my patch works.  granted, in this
case it's a rather straightforward patch, but still...

> the Content-Length is either exactly INT_MAX or even larger, both
> cause an integer overrun, which cause a negative malloc() which cause
> a situation in which the attacker may control some memory they shouldn't.

ah yes.. good point about INT_MAX.  i'll forward this upstream as well,
since i don't think ethan considered this.


	sean

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-nagios-devel/attachments/20060511/fb09485e/attachment-0002.pgp


More information about the Pkg-nagios-devel mailing list