sean finney wrote:
> hey security team and nagios team,
> 
> as reported to us in the bts, the debian nagios packages are vulnerable
> to arbitrary code execution via not properly checking the Content-Length
> header from client requests.
> 
> here are the affected versions afaict:
> 
> stable:       
> 
> nagios-mysql 2:1.3-cvs.20050402-2.sarge.1
> nagios-text 2:1.3-cvs.20050402-2.sarge.1
> nagios-pgsql 2:1.3-cvs.20050402-2.sarge.1
> 
> unstable:
> 
> nagios-mysql 2:1.3-cvs.20050402-13
> nagios-text 2:1.3-cvs.20050402-13
> nagios-pgsql 2:1.3-cvs.20050402-13
> nagios2 2.2-1
> 
> in unstable both the 1.x and 2.x trees have had updates from upstream.
> i've just finished putting the changes into svn, but i haven't prepared
> an upload yet because i haven't been able to find/craft an exploit
> just yet, and i'm in one of those "low on time" modes where it's
> possible i may have messed something up.
> 
> so, i could use help with the following two things:
> 
> - crafting a simple "user-agent" that can illustrate the vulnerability
>   by sending a negative or 0 value for content length to a nagios cgi
>   (it doesn't have to actually inject any shell code or anything, just
>   PoC would be fine by me).

Why user-agent?  "All" you need to do is add some variables, so that
the Content-Length is either exactly INT_MAX or even larger; both
cause an integer overrun, which causes a negative malloc(), which causes
a situation in which the attacker may control some memory they shouldn't.

I'm attaching a patch that ought to fix the problem.

Please note that upstream doesn't check for content length == INT_MAX
but blindly adds 1.

Regards,

        Joey

-- 
Still can't talk about what I can't talk about.  Sorry.  -- Bruce Schneier

Please always Cc to me when replying to me on the lists.
diff -u nagios-1.3-cvs.20050402/debian/patches/00list 
nagios-1.3-cvs.20050402/debian/patches/00list
--- nagios-1.3-cvs.20050402/debian/patches/00list
+++ nagios-1.3-cvs.20050402/debian/patches/00list
@@ -12,0 +13 @@
+99999_CVE-2006-2162.dpatch
diff -u nagios-1.3-cvs.20050402/debian/changelog 
nagios-1.3-cvs.20050402/debian/changelog
--- nagios-1.3-cvs.20050402/debian/changelog
+++ nagios-1.3-cvs.20050402/debian/changelog
@@ -1,3 +1,11 @@
+nagios (2:1.3-cvs.20050402-2.sarge.2) stable-security; urgency=high
+
+  * Non-maintainer upload by the Security Team
+  * Add overflow protection for Content-Length [cgi/getcgi.c,
+    debian/patches/99999_CVE-2006-2162.dpatch]
+
+ -- Martin Schulze <[EMAIL PROTECTED]>  Thu, 11 May 2006 17:34:58 +0200
+
 nagios (2:1.3-cvs.20050402-2.sarge.1) unstable; urgency=high
 
   * Sean Finney:
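Review bot: the new changelog stanza should close the BTS report that the mail says this was filed as, and name the CVE in the entry text rather than only in the dpatch filename, so both the bug and the security tracker pick up the fix; suggest changing the bullet to `* Add overflow protection for Content-Length (CVE-2006-2162) [cgi/getcgi.c, debian/patches/99999_CVE-2006-2162.dpatch] (Closes: #NNNNNN)` with the real bug number substituted for the placeholder.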
only in patch2:
unchanged:
--- nagios-1.3-cvs.20050402.orig/debian/patches/99999_CVE-2006-2162.dpatch
+++ nagios-1.3-cvs.20050402/debian/patches/99999_CVE-2006-2162.dpatch
@@ -0,0 +1,28 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10_grouplist.cgi-pathfixes.dpatch by  <[EMAIL PROTECTED]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: prevent integer overflow
+
[EMAIL PROTECTED]@
+--- nagios-1.3-cvs.20050402/cgi/getcgi.c~      2006-05-11 17:43:35.000000000 
+0200
++++ nagios-1.3-cvs.20050402/cgi/getcgi.c       2006-05-11 17:43:00.000000000 
+0200
+@@ -9,6 +9,7 @@
+ #include "../common/config.h"
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <limits.h>
+ #include "getcgi.h"
+ 
+ 
+@@ -166,6 +167,10 @@ char **getcgivars(void){
+                       printf("getcgivars(): No Content-Length was sent with 
the POST request.\n") ;
+                       exit(1);
+                       }
++              if((content_length<0) || (content_length >= INT_MAX-1)){
++                      printf("getcgivars(): Suspicious Content-Length was 
sent with the POST request.\n");
++                      exit(1);
++                      }
+               if(!(cgiinput=(char *)malloc(content_length+1))){
+                       printf("getcgivars(): Could not allocate memory for CGI 
input.\n");
+                       exit(1);
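Review bot: the dpatch header `## 10_grouplist.cgi-pathfixes.dpatch by  <...>` is a copy-paste leftover from another patch and should name this file, 99999_CVE-2006-2162.dpatch (the `## DP:` description could also cite the CVE). The check itself is sound: `content_length >= INT_MAX-1` rejects the INT_MAX case where `content_length+1` wraps to a negative int (the one value of extra slack is harmless), and `content_length<0` covers the negative and zero-or-below values the original report describes. It still accepts anything up to INT_MAX-2, though, so a request can make the CGI attempt a roughly 2 GB allocation before a byte of the body is read; a much lower ceiling on the accepted POST body size would be a cheap additional guard here.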

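Joey's point above (a Content-Length of INT_MAX makes `content_length+1` wrap negative, and a negative value becomes a huge or zero malloc() argument) together with the rule the dpatch adds, as an added example in C that is not part of this mail or of the Nagios sources: `check_content_length` applies the dpatch's rejection rule to the raw CONTENT_LENGTH string and adds a hypothetical `MAX_CGI_BODY` cap (an assumption of this example, not something the patch does), and `unchecked_alloc_size` shows what the unpatched `malloc(content_length+1)` would have requested.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical upper bound on a POST body the CGI is willing to buffer. */
#define MAX_CGI_BODY (1024 * 1024)

enum cl_status { CL_OK, CL_MISSING, CL_MALFORMED, CL_SUSPICIOUS, CL_TOO_LARGE };

/* Parse CONTENT_LENGTH as the CGI receives it (a decimal string), apply the
 * dpatch's rule (reject negative or >= INT_MAX-1), then a size cap.
 * On CL_OK, *out is set and *out + 1 cannot overflow an int. */
enum cl_status check_content_length(const char *env, int *out)
{
    char *end;
    long v;
    if (env == NULL || *env == '\0')
        return CL_MISSING;
    errno = 0;
    v = strtol(env, &end, 10);
    if (errno == ERANGE || end == env || *end != '\0')
        return CL_MALFORMED;     /* atoi() would silently return 0 or garbage */
    if (v < 0 || v >= (long)INT_MAX - 1)
        return CL_SUSPICIOUS;    /* the check the dpatch adds */
    if (v > MAX_CGI_BODY)
        return CL_TOO_LARGE;     /* extra: a multi-GB body is never legitimate */
    *out = (int)v;
    return CL_OK;
}

/* Size the unpatched malloc(content_length+1) would request.  The sum is done
 * in unsigned arithmetic (the same modulo-2^32 result the CPU gives, without
 * signed-overflow UB), reinterpreted as int, then converted to size_t. */
size_t unchecked_alloc_size(int content_length)
{
    unsigned int sum = (unsigned int)content_length + 1u; /* INT_MAX+1 wraps */
    int as_int = (int)sum;                                /* -> INT_MIN (gcc) */
    return (size_t)as_int;                                /* sign-extended, huge */
}

static int parsed_len;  /* receives the validated length in the demo below */

int main(void)
{
    printf("CONTENT_LENGTH=2147483647 -> status %d (3 = suspicious)\n",
           check_content_length("2147483647", &parsed_len));
    printf("unchecked malloc(INT_MAX+1) would request %zu bytes\n",
           unchecked_alloc_size(INT_MAX));
    return 0;
}
```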