Date: Mon, 8 Dec 2008 15:16:07 +0300
From: Eygene Ryabinkin <rea-sec@...elabs.ru>
To: oss-security@...ts.openwall.com
Cc: coley@...re.org
Subject: Re: CVE Request (nagios)

Andreas,

Mon, Dec 08, 2008 at 01:00:18PM +0100, Andreas Ericsson wrote:
> Eygene Ryabinkin wrote:
> > As you see, the wrong arguments were passed to the cmd_submitf for the
> > service comments -- argument 'service_desc' will be treated as integer
> > and argument 'persistent_comment' (that is essentially a boolean that is
> > simulated via 'int' type) will be treated as the pointer to a string.
> > SEGV is likely here.
> > 
> 
> Ah, right. Yes, that's true. However, it's not a vulnerability as it's
> doing read-only access, and it can't cause DoS as it's only the CGI
> that's affected.

It surely will cause SEGV:
-----
$ cat test.c
#include <stdio.h>

int main(void)
{
        char buffer[1024];
        int persistent_comment = 1;
        char *current_time = "time";
        char *host_name = "host name";
        char *service_desc = "service";
        char *comment_author = "author";
        char *comment_data = "comment";

        snprintf(buffer, sizeof(buffer),
            "%s;%s;%d;%s;%s", current_time, host_name, service_desc,
            persistent_comment, comment_author, comment_data);
        return 0;
}
$ gcc -o test test.c
$ ./test
Segmentation fault: 11 (core dumped)
-----

Since CGIs could dump core and core dumps starve both disk and CPU,
a DoS for the HTTP server that hosts Nagios is still foreseeable.
But I tend to agree that this issue is of much lower interest than the
cmd.cgi one ;))  So, probably, no CVE is really needed until someone
shows how this thing can be exploited.  Remember sudo's "just one
byte" overflow (http://packetstormsecurity.org/0211-exploits/hudo.c)?
-- 
Eygene
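The crash in the test program above comes from conversion specifiers that do not match their arguments (`%d` receiving a `char *`, `%s` receiving an `int`). The block below is an added example, not code from the message or from Nagios: it shows the same service-comment command built with the arguments in the right order, and wraps the call in a hypothetical variadic helper named `submit_cmdf` (a stand-in for the `cmd_submitf` mentioned in the thread, not Nagios's own function) carrying a `format` attribute, which is what lets gcc/clang's `-Wformat` flag this kind of mismatch at every call site instead of leaving it to be found at run time.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a variadic submit helper (not Nagios's cmd_submitf).
 * The format attribute asks gcc/clang to check each call site's arguments
 * against the format string; without it, a variadic wrapper hides the very
 * mismatch discussed in the thread (%d given a char *, %s given an int)
 * from -Wformat, because the compiler cannot see through the va_list. */
static int submit_cmdf(char *out, size_t size, const char *fmt, ...)
    __attribute__((format(printf, 3, 4)));

static int submit_cmdf(char *out, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, size, fmt, ap);
    va_end(ap);
    return n;
}

/* Builds the service-comment command with every specifier matched to the
 * type of its argument.  Returns 1 on success and 0 if the output buffer
 * was too small (truncation), so the caller never submits a partial command. */
int format_service_comment(char *buffer, size_t size,
                           const char *current_time, const char *host_name,
                           const char *service_desc, int persistent_comment,
                           const char *comment_author, const char *comment_data)
{
    int n = submit_cmdf(buffer, size, "%s;%s;%s;%d;%s;%s",
                        current_time, host_name, service_desc,
                        persistent_comment, comment_author, comment_data);

    return n >= 0 && (size_t)n < size;
}

int main(void)
{
    char buffer[1024];

    /* Constructed sample values, mirroring the ones in the message. */
    if (format_service_comment(buffer, sizeof buffer, "time", "host name",
                               "service", 1, "author", "comment"))
        puts(buffer);
    return 0;
}
```

Compiling with `-Wall` (which enables `-Wformat`) against a caller that swapped `service_desc` and `persistent_comment` produces a warning at the call site, so the defect is caught before the CGI ever runs; the truncation check additionally prevents a silently shortened command from being handed to the daemon.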
