[Pkg-nagios-devel] Bug#366682: CVE-2006-2162: Buffer overflow in nagios

Stefan Fritsch sf at sfritsch.de
Fri May 12 08:43:25 UTC 2006


Hi,

On Friday 12 May 2006 01:17, sean finney wrote:
> On Thu, May 11, 2006 at 11:46:21PM +0200, Stefan Fritsch wrote:
> > the Ubuntu guys already found out that Apache 2 doesn't accept
> > requests with negative content length and I just checked that
> > Apache 1.3 doesn't either. I guess this makes this a quite low
> > impact vulnerability.
>
> what if:
>
> On Thu, May 11, 2006 at 05:46:16PM +0200, Martin Schulze wrote:
> > Please note that upstream doesn't check for content length ==
> > INT_MAX
>
> i don't have a nagios install online right now (can tomorrow 
> morning) so i can't run the PoC mentioned in the BTS (thanks
> stefan), i'd be interested to see how it handles 2147483647 (or
> your arch's equivalent of INT_MAX).  if the code actually
> increments the size by one AFTER receiving the data...  then we
> should probably readjust the severities.

Yes, you are right:
Apache doesn't allow Content-Length larger than INT_MAX, but INT_MAX
is already a problem:

$ telnet localhost 8081
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
POST /cgi-bin/nagios2/status.cgi HTTP/1.0
Content-Length: 2147483647

Then top shows that there is a crashed status.cgi process:
 7698 www-data  15   0     0    0    0 Z  0.0  0.0   0:00.00 status.cgi <defunct>

With Content-Length: 2147483648, Apache gives back "400 Bad Request" 
and doesn't call status.cgi.

I still don't know whether this is exploitable, but the patch 
suggested by Martin is obviously safer than the one implemented by 
upstream.

Cheers,
Stefan
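As an added example, not from this thread, not Nagios's code and not the patch Martin proposed: a small C model of the CGI idiom the discussion turns on, i.e. CONTENT_LENGTH parsed into an int, a buffer of content_length + 1 bytes allocated, and content_length bytes read into it. unsafe_alloc_size() shows what that +1 does for a negative value and for INT_MAX, and safe_content_length()/read_post_body() show a bounded version that rejects both. The 1 MiB cap MAX_POST_BODY, the function names and the sample POST body are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() in the demo */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap on a POST body this CGI is willing to read (1 MiB). */
#define MAX_POST_BODY (1024L * 1024L)

/* Size that malloc(content_length + 1) would actually be asked for.
 * The idiom does the addition in signed int, which overflows (UB) at
 * INT_MAX; on two's-complement hardware it wraps to INT_MIN. Unsigned
 * arithmetic makes that wrap explicit here so this function is safe to
 * run: -1 gives 0 (a zero-byte buffer that fread() then writes past),
 * INT_MAX gives a negative int, i.e. a huge size_t that malloc() fails. */
size_t unsafe_alloc_size(int content_length)
{
    int wrapped = (int)((unsigned int)content_length + 1u);
    return (size_t)wrapped;
}

/* Hardened parse of CONTENT_LENGTH: leading digit required (no sign, no
 * whitespace), no trailing junk, not negative, not above MAX_POST_BODY so
 * that len + 1 cannot overflow and the allocation stays bounded.
 * Returns 0 and sets *out on success, -1 on any failure. */
int safe_content_length(const char *s, long *out)
{
    char *end;
    long v;

    if (s == NULL || *s < '0' || *s > '9')
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0')   /* out of range or trailing junk */
        return -1;
    if (v < 0 || v > MAX_POST_BODY)        /* rejects -1, INT_MAX, INT_MAX+1 */
        return -1;
    *out = v;
    return 0;
}

/* Read a POST body: validated length, checked allocation, short read
 * treated as an error. Returns a NUL-terminated buffer the caller frees,
 * or NULL when anything is off. */
char *read_post_body(FILE *in, const char *content_length_env, size_t *out_len)
{
    long len;
    char *buf;

    if (safe_content_length(content_length_env, &len) != 0)
        return NULL;
    buf = malloc((size_t)len + 1);         /* cannot overflow: len <= MAX_POST_BODY */
    if (buf == NULL)
        return NULL;
    if (fread(buf, 1, (size_t)len, in) != (size_t)len) {
        free(buf);                          /* body shorter than advertised */
        return NULL;
    }
    buf[len] = '\0';
    if (out_len)
        *out_len = (size_t)len;
    return buf;
}

int main(void)
{
    /* Constructed 27-byte body standing in for the CGI's stdin. */
    static const char body[] = "host=localhost&service=PING";
    FILE *in = fmemopen((void *)body, strlen(body), "r");
    size_t n = 0;
    char *p;

    printf("malloc size for Content-Length -1:      %zu\n", unsafe_alloc_size(-1));
    printf("malloc size for Content-Length INT_MAX: %zu\n", unsafe_alloc_size(INT_MAX));

    p = read_post_body(in, "27", &n);
    printf("CONTENT_LENGTH=27: %s (%zu bytes)\n", p ? p : "(rejected)", n);
    free(p);
    rewind(in);
    p = read_post_body(in, "2147483647", &n);
    printf("CONTENT_LENGTH=2147483647: %s\n", p ? p : "(rejected)");
    fclose(in);
    return 0;
}
```

The point of the upper bound is that a check for content_length < 0 alone leaves INT_MAX (and INT_MAX - 1 with the +1 done after the read) untouched; capping at a size the CGI actually wants to process closes both ends at once.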
