sean finney wrote:
> hey security team and nagios team,
>
> as reported to us in the bts, the debian nagios packages are vulnerable
> to arbitrary code execution via not properly checking the Content-Length
> header from client requests.
>
> here are the affected versions afaict:
>
> stable:
>
> nagios-mysql 2:1.3-cvs.20050402-2.sarge.1
> nagios-text 2:1.3-cvs.20050402-2.sarge.1
> nagios-pgsql 2:1.3-cvs.20050402-2.sarge.1
>
> unstable:
>
> nagios-mysql 2:1.3-cvs.20050402-13
> nagios-text 2:1.3-cvs.20050402-13
> nagios-pgsql 2:1.3-cvs.20050402-13
> nagios2 2.2-1
>
> in unstable both the 1.x and 2.x trees have had updates from upstream.
> i've just finished putting the changes into svn, but i haven't prepared
> an upload yet because i haven't been able to find/craft an exploit
> just yet, and i'm in one of those "low on time" modes where it's
> possible i may have messed something up.
>
> so, i could use help with the following two things:
>
> - crafting a simple "user-agent" that can illustrate the vulnerability
>   by sending a negative or 0 value for content length to a nagios cgi
>   (it doesn't have to actually inject any shell code or anything, just
>   PoC would be fine by me).
Why user-agent? "All" you need to do is add some variables, so that the
Content-Length is either exactly INT_MAX or even larger; both cause an
integer overrun, which causes a negative malloc(), which causes a situation
in which the attacker may control some memory they shouldn't.

I'm attaching a patch that ought to fix the problem. Please note that
upstream doesn't check for content length == INT_MAX but blindly adds 1.

Regards,

	Joey

-- 
Still can't talk about what I can't talk about. Sorry. -- Bruce Schneier

Please always Cc to me when replying to me on the lists.
diff -u nagios-1.3-cvs.20050402/debian/patches/00list nagios-1.3-cvs.20050402/debian/patches/00list --- nagios-1.3-cvs.20050402/debian/patches/00list +++ nagios-1.3-cvs.20050402/debian/patches/00list @@ -12,0 +13 @@ +99999_CVE-2006-2162.dpatch diff -u nagios-1.3-cvs.20050402/debian/changelog nagios-1.3-cvs.20050402/debian/changelog --- nagios-1.3-cvs.20050402/debian/changelog +++ nagios-1.3-cvs.20050402/debian/changelog @@ -1,3 +1,11 @@ +nagios (2:1.3-cvs.20050402-2.sarge.2) stable-security; urgency=high + + * Non-maintainer upload by the Security Team + * Add overflow protection for Content-Length [cgi/getcgi.c, + debian/patches/99999_CVE-2006-2162.dpatch] + + -- Martin Schulze <[EMAIL PROTECTED]> Thu, 11 May 2006 17:34:58 +0200 + nagios (2:1.3-cvs.20050402-2.sarge.1) unstable; urgency=high * Sean Finney: only in patch2: unchanged: --- nagios-1.3-cvs.20050402.orig/debian/patches/99999_CVE-2006-2162.dpatch +++ nagios-1.3-cvs.20050402/debian/patches/99999_CVE-2006-2162.dpatch @@ -0,0 +1,28 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 10_grouplist.cgi-pathfixes.dpatch by <[EMAIL PROTECTED]> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: prevent integer overflow + [EMAIL PROTECTED]@ +--- nagios-1.3-cvs.20050402/cgi/getcgi.c~ 2006-05-11 17:43:35.000000000 +0200 ++++ nagios-1.3-cvs.20050402/cgi/getcgi.c 2006-05-11 17:43:00.000000000 +0200 +@@ -9,6 +9,7 @@ + #include "../common/config.h" + #include <stdio.h> + #include <stdlib.h> ++#include <limits.h> + #include "getcgi.h" + + +@@ -166,6 +167,10 @@ char **getcgivars(void){ + printf("getcgivars(): No Content-Length was sent with the POST request.\n") ; + exit(1); + } ++ if((content_length<0) || (content_length >= INT_MAX-1)){ ++ printf("getcgivars(): Suspicious Content-Length was sent with the POST request.\n"); ++ exit(1); ++ } + if(!(cgiinput=(char *)malloc(content_length+1))){ + printf("getcgivars(): Could not allocate memory for CGI input.\n"); + exit(1);
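Review bot: the dpatch header of 99999_CVE-2006-2162.dpatch still names a different patch. The line `## 10_grouplist.cgi-pathfixes.dpatch by <...>` was carried over from another file and should read `## 99999_CVE-2006-2162.dpatch by <...>`, and the one-line `## DP: prevent integer overflow` description would be more useful to whoever audits the patch directory later if it named the location and the CVE, e.g. `## DP: prevent integer overflow in Content-Length handling in cgi/getcgi.c (CVE-2006-2162)`.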
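Review bot: in the getcgivars() hunk the bound `content_length >= INT_MAX-1` is safe but conservative by one: the only arithmetic it protects is `malloc(content_length+1)`, which overflows only when `content_length == INT_MAX`, so `content_length >= INT_MAX` would be the exact test. More important than the exact constant is that the check still lets an anonymous client make every CGI instance call malloc() with close to 2 GiB in a single POST; a realistic ceiling on the body size (a few MiB is generous for these forms) belongs in the same `if` and would turn the check from "not undefined" into "not abusable". The hunk also does not show how `content_length` is obtained from CONTENT_LENGTH; if it is atoi(), strings outside the int range are already undefined behaviour before this check runs, so parsing with strtol(), checking ERANGE and range-checking the long before narrowing it would be the more robust place for the test.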
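To make Joey's point concrete, the following is an added example, not code from the Debian patch or from Nagios. It reproduces the pre-patch arithmetic of `malloc(content_length+1)` for the values Sean and Joey discuss (INT_MAX, negative, zero), mirrors the rejection test from the dpatch hunk, shows a stricter parse-time check with a body-size ceiling, and builds the minimal POST request the "user-agent" Sean asked for would send. All function names, the `MAX_POST_BYTES` ceiling, the host name and the CGI path are assumptions made for the illustration; the sample header values are constructed.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed ceiling on a POST body for these CGIs; not part of the Debian patch. */
#define MAX_POST_BYTES (1024L * 1024L)

/* Buffer used by main() and by callers to hold a built PoC request. */
char g_poc_request[256];

/* Pre-patch arithmetic: malloc(content_length+1) with an int content_length.
 * Signed overflow is undefined in C, so the wrap is computed in unsigned
 * arithmetic here to keep the demonstration deterministic; on a
 * two's-complement machine this is the size the original code ends up
 * requesting: INT_MAX -> INT_MIN -> a huge size_t, -1 -> 0. */
size_t pre_patch_alloc_size(int content_length) {
    int plus_one = (int)((unsigned int)content_length + 1u);
    return (size_t)plus_one;   /* a negative int converts to a huge size_t */
}

/* The rejection test exactly as the 99999_CVE-2006-2162.dpatch hunk writes it. */
int patch_rejects(int content_length) {
    return (content_length < 0) || (content_length >= INT_MAX - 1);
}

/* Stricter parse-time check (added example, not the patch): parse the header
 * with strtol so out-of-range values and trailing garbage are detected, then
 * apply a practical upper bound. Returns the number of bytes to allocate
 * (content_length + 1), or 0 if the header must be rejected. */
size_t safe_post_alloc_size(const char *header) {
    char *end;
    long v;
    if (header == NULL || *header == '\0') return 0;
    errno = 0;
    v = strtol(header, &end, 10);
    if (errno == ERANGE || end == header || *end != '\0') return 0;
    if (v < 0 || v > MAX_POST_BYTES) return 0;
    return (size_t)v + 1;
}

/* The minimal "user-agent" payload: a raw HTTP/1.0 POST whose only
 * interesting part is the Content-Length value. Host and CGI path are
 * placeholders. Returns the request length, or -1 if it does not fit. */
int build_poc_request(char *out, size_t out_len, const char *content_length) {
    int n = snprintf(out, out_len,
                     "POST /cgi-bin/nagios/status.cgi HTTP/1.0\r\n"
                     "Host: nagios.example.test\r\n"
                     "Content-Length: %s\r\n"
                     "\r\n", content_length);
    if (n < 0 || (size_t)n >= out_len) return -1;
    return n;
}

int main(void) {
    /* Constructed header values: Joey's INT_MAX case, the value just below
     * it, Sean's negative and zero cases, a normal value, an out-of-int-range
     * value and trailing garbage. */
    const char *samples[] = { "2147483647", "2147483646", "-1", "0", "12",
                              "99999999999", "12abc" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long v = strtol(samples[i], NULL, 10);
        printf("Content-Length: %-12s safe_alloc=%zu", samples[i],
               safe_post_alloc_size(samples[i]));
        if (v >= INT_MIN && v <= INT_MAX)
            printf("  pre_patch_malloc=%zu  patch_rejects=%d",
                   pre_patch_alloc_size((int)v), patch_rejects((int)v));
        putchar('\n');
    }
    if (build_poc_request(g_poc_request, sizeof g_poc_request, "2147483647") > 0)
        fputs(g_poc_request, stdout);
    return 0;
}
```

The table printed by main() shows why the header value alone is the whole "exploit": for 2147483647 the pre-patch size is a near-address-space-sized malloc(), for -1 it is malloc(0), and the patch's test rejects both; it also rejects 2147483646, which the arithmetic would have handled, while `safe_post_alloc_size` rejects everything above the assumed ceiling as well as values that never fit in an int.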