Date: Mon, 8 Dec 2008 15:16:07 +0300
From: Eygene Ryabinkin <rea-sec@...elabs.ru>
To: oss-security@...ts.openwall.com
Cc: coley@...re.org
Subject: Re: CVE Request (nagios)
Andreas,
Mon, Dec 08, 2008 at 01:00:18PM +0100, Andreas Ericsson wrote:
> Eygene Ryabinkin wrote:
> > As you see, the wrong arguments were passed to cmd_submitf for the
> > service comments -- argument 'service_desc' will be treated as an integer
> > and argument 'persistent_comment' (that is essentially a boolean that is
> > simulated via the 'int' type) will be treated as a pointer to a string.
> > SEGV is likely here.
> >
>
> Ah, right. Yes, that's true. However, it's not a vulnerability as it's
> doing read-only access, and it can't cause DoS as it's only the CGI
> that's affected.
It surely will cause SEGV:
-----
$ cat test.c
#include <stdio.h>

int main(void)
{
    char buffer[1024];
    int persistent_comment = 1;
    char *current_time = "time";
    char *host_name = "host name";
    char *service_desc = "service";
    char *comment_author = "author";
    char *comment_data = "comment";

    /* Host-comment format string used with the service-comment argument
     * list: 'service_desc' (a pointer) is consumed by %d, and
     * 'persistent_comment' (the int 1) is consumed by the following %s,
     * so snprintf dereferences address 1 and crashes. */
    snprintf(buffer, sizeof(buffer),
             "%s;%s;%d;%s;%s", current_time, host_name, service_desc,
             persistent_comment, comment_author, comment_data);
    return 0;
}
$ gcc -o test test.c
$ ./test
Segmentation fault: 11 (core dumped)
-----
Since CGIs could dump core, and core dumps starve both disk and CPU,
a DoS of the HTTP server that hosts Nagios is still foreseeable.
But I tend to agree that this issue is of much lower interest than the
cmd.cgi one ;)) So, probably, no CVE is really needed until someone
shows how this thing can be exploited. Remember sudo's "just one
byte" overflow (http://packetstormsecurity.org/0211-exploits/hudo.c)?
--
Eygene
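Added example (editor's code, not Nagios code and not part of the message above): the two command-string builders the thread's test program conflates, each with an argument list typed the way its format string expects, plus a truncation check on the snprintf result. The host layout ("%s;%s;%d;%s;%s") is the one visible in the test program; the service layout with an extra %s before the %d is an assumption about the intended form, not taken from the Nagios sources. Compiling the original test.c with `gcc -Wall` (which enables -Wformat) reports the pointer/int mismatches at compile time, because the format string is a literal.

```c
#include <stdio.h>
#include <string.h>

/*
 * Host comment: time;host;persistent;author;comment
 * Layout as seen in the test program in the thread.
 */
int build_host_comment(char *buf, size_t bufsz,
                       const char *current_time, const char *host_name,
                       int persistent_comment,
                       const char *comment_author, const char *comment_data)
{
    int n = snprintf(buf, bufsz, "%s;%s;%d;%s;%s",
                     current_time, host_name, persistent_comment,
                     comment_author, comment_data);
    /* snprintf returns the length it wanted to write; a value >= bufsz
     * means the command was truncated, which we report instead of
     * submitting a mangled command. */
    if (n < 0 || (size_t)n >= bufsz)
        return -1;
    return n;
}

/*
 * Service comment: time;host;service;persistent;author;comment
 * Assumed layout: one extra %s for service_desc, placed before the %d so
 * that 'persistent_comment' (an int) is consumed by %d and never by %s.
 */
int build_svc_comment(char *buf, size_t bufsz,
                      const char *current_time, const char *host_name,
                      const char *service_desc, int persistent_comment,
                      const char *comment_author, const char *comment_data)
{
    int n = snprintf(buf, bufsz, "%s;%s;%s;%d;%s;%s",
                     current_time, host_name, service_desc,
                     persistent_comment, comment_author, comment_data);
    if (n < 0 || (size_t)n >= bufsz)
        return -1;
    return n;
}

int main(void)
{
    char buf[1024];
    char tiny[8];   /* deliberately too small to show the truncation path */

    /* Same constructed sample values as the test program in the thread. */
    if (build_host_comment(buf, sizeof buf,
                           "time", "host name", 1, "author", "comment") > 0)
        puts(buf);
    if (build_svc_comment(buf, sizeof buf,
                          "time", "host name", "service", 1,
                          "author", "comment") > 0)
        puts(buf);
    if (build_svc_comment(tiny, sizeof tiny,
                          "time", "host name", "service", 1,
                          "author", "comment") < 0)
        puts("truncated: command not built");
    return 0;
}
```

Each builder takes the persistent flag as a separate int parameter rather than a va_list, so a caller that passes a service description where a flag belongs gets a compile-time type error instead of a crash in the CGI.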