[seanius at debian.org: Re: CVE-2006-2162: Buffer overflow in nagios]

Ethan Galstad nagios at nagios.org
Thu May 11 21:17:14 CEST 2006


If the packet is greater than INT_MAX in size, then yes, the integer 
would probably overflow and result in a negative size. The patch to the 
Nagios CGI handles negative values for the Content-Length, so unless I'm 
missing something, we should be okay.  Someone please chime in if you 
believe otherwise.


sean finney wrote:
> hey ethan (et al),
> 
> one of the debian security peeps brought to my attention another
> possible issue with the Content-Length that might not be resolved
> by the current patch.  what if someone sends a packet of size
> INT_MAX or greater, causing an integer overflow?
> 
> 	sean
> 
> ----- Forwarded message from Sean Finney <seanius at debian.org> -----
> 
> Date: Thu, 11 May 2006 13:46:27 -0400
> From: Sean Finney <seanius at debian.org>
> To: Martin Schulze <joey at infodrom.org>
> Subject: Re: CVE-2006-2162: Buffer overflow in nagios
> 
> hey joey,
> 
> On Thu, May 11, 2006 at 05:46:16PM +0200, Martin Schulze wrote:
>>> - crafting a simple "user-agent" that can illustrate the vulnerability
>>>   by sending a negative or 0 value for content length to a nagios cgi
>>>   (it doesn't have to actually inject any shell code or anything, just
>>>   PoC would be fine by me).
>> Why user-agent?  "All" you need to do is add some variables, so that
> 
> as a general rule i feel much more comfortable having some kind of PoC
> code available that will tell me that my patch works.  granted, in this
> case it's a rather straightforward patch, but still...
> 
>> the Content-Length is either exactly INT_MAX or even larger, both
>> cause an integer overrun, which causes a negative malloc() which causes
>> a situation in which the attacker may control some memory they shouldn't.
> 
> ah yes.. good point about INT_MAX.  i'll forward this upstream as well,
> since i don't think ethan considered this.
> 
> 
> 	sean


Ethan Galstad,
Nagios Developer
---
Email: nagios at nagios.org
Website: http://www.nagios.org
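
The Content-Length cases raised in this thread (negative, zero, INT_MAX and larger), as an added example that is not part of the original messages and is not the Nagios patch. The names `parse_content_length`, `naive_alloc_size` and the `MAX_BODY_LEN` cap are assumptions made for illustration, as is the choice to reject a length of 0.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap on a CGI POST body; not a value from the thread. */
#define MAX_BODY_LEN (1L << 20)

/* What a signed length turns into once it reaches malloc(): the int is
 * converted to size_t, so a negative value becomes a huge unsigned size
 * (or 0 for -1, after the +1). */
size_t naive_alloc_size(int len)
{
    return (size_t)len + 1;   /* +1 for the terminating NUL */
}

/* Hypothetical hardened parser. Returns 0 and stores the length in *out,
 * or -1 if the header value must be rejected. */
int parse_content_length(const char *s, size_t *out)
{
    char *end;
    long v;

    /* Digits only: strtol() alone would accept "-5", "+5" and " 5". */
    if (s == NULL || *s == '\0' || strspn(s, "0123456789") != strlen(s))
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;            /* did not fit in a long */
    if (v <= 0 || v > MAX_BODY_LEN)
        return -1;            /* zero, or beyond the cap (covers INT_MAX) */
    *out = (size_t)v;
    return 0;
}

int main(void)
{
    /* Constructed header values covering the cases raised in the thread. */
    const char *samples[] = { "128", "0", "-1", "2147483647", "2147483648",
                              "99999999999999999999", "12abc" };
    size_t i, n;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s %s\n", samples[i],
               parse_content_length(samples[i], &n) == 0 ? "accept" : "reject");
    printf("naive size for -1: %zu, for -5: %zu\n",
           naive_alloc_size(-1), naive_alloc_size(-5));
    return 0;
}
```

Validating the header as an unsigned, capped quantity before any arithmetic means the allocation size never depends on how an out-of-range value happens to wrap in an int.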

