Message-ID: <bBZl8Do2po3a5+T7wiqh7TIrUF8@kjaK+/sQ5DW5981v71UogZJPf/0>
Date: Mon, 8 Dec 2008 15:16:07 +0300
From: Eygene Ryabinkin <rea-sec@...elabs.ru>
To: oss-security@...ts.openwall.com
Cc: coley@...re.org
Subject: Re: CVE Request (nagios)

Andreas,

Mon, Dec 08, 2008 at 01:00:18PM +0100, Andreas Ericsson wrote:
> Eygene Ryabinkin wrote:
> > As you see, the wrong arguments were passed to the cmd_submitf for the
> > service comments -- argument 'service_desc' will be treated as integer
> > and argument 'persistent_comment' (that is essentially a boolean that is
> > simulated via 'int' type) will be treated as the pointer to a string.
> > SEGV is likely here.
> >
>
> Ah, right. Yes, that's true. However, it's not a vulnerability as it's
> doing read-only access, and it can't cause DoS as it's only the CGI
> that's affected.

It surely will cause SEGV:
-----
$ cat test.c
#include <stdio.h>

int main(void)
{
	char buffer[1024];
	int persistent_comment = 1;
	char *current_time = "time";
	char *host_name = "host name";
	char *service_desc = "service";
	char *comment_author = "author";
	char *comment_data = "comment";

	snprintf(buffer, sizeof(buffer), "%s;%s;%d;%s;%s", current_time,
		host_name, service_desc, persistent_comment, comment_author,
		comment_data);
	return 0;
}
$ gcc -o test test.c
$ ./test
Segmentation fault: 11 (core dumped)
-----

Since CGIs could dump core, and core dumping starves both disk and CPU,
a DoS for the HTTP server that hosts Nagios is still foreseeable.

But I tend to agree that this issue is of much lower interest than the
cmd.cgi one ;)) So, probably, no CVE is really needed until someone
shows how this thing can be exploited. Remember sudo's "just one byte"
overflow (http://packetstormsecurity.org/0211-exploits/hudo.c)?
-- 
Eygene
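The crash in the test program comes from the format string and the argument list disagreeing: "%d" consumes the `service_desc` pointer as an int and "%s" then dereferences the integer `persistent_comment` as a `char *`. The following is an added example, not Nagios code and not from the thread; `format_cmd` and `build_service_comment` are hypothetical names standing in for the project's cmd_submitf(). It shows the corrected call (six conversions, six arguments of matching type), a truncation check, and the `format` attribute that makes gcc/clang `-Wformat` report such a mismatch at compile time instead of at request time.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for Nagios' cmd_submitf(): not the project's code.
 * The format attribute lets gcc/clang -Wformat check every conversion
 * against the argument actually passed, so a "%d" fed a char * or a "%s"
 * fed an int (the mismatch discussed in the mail above) becomes a
 * compile-time diagnostic rather than a SEGV in the CGI. */
static int format_cmd(char *buf, size_t len, const char *fmt, ...)
    __attribute__((format(printf, 3, 4)));

static int format_cmd(char *buf, size_t len, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(buf, len, fmt, ap);
    va_end(ap);
    return n;
}

/* Builds the external-command line for a service comment with the format
 * and the argument list in agreement: six conversions, six arguments, each
 * of the type its conversion expects.  Returns the number of bytes written,
 * or -1 if the command did not fit in buf; a truncated command line must
 * not be handed to the command pipe. */
int build_service_comment(char *buf, size_t len,
                          const char *current_time, const char *host_name,
                          const char *service_desc, int persistent_comment,
                          const char *comment_author, const char *comment_data)
{
    int n = format_cmd(buf, len, "%s;%s;%s;%d;%s;%s",
                       current_time, host_name, service_desc,
                       persistent_comment, comment_author, comment_data);
    if (n < 0 || (size_t)n >= len)
        return -1;
    return n;
}

int main(void)
{
    char buffer[1024];
    /* Constructed sample values, the same ones used in the test program
     * quoted in the mail. */
    int n = build_service_comment(buffer, sizeof buffer, "time", "host name",
                                  "service", 1, "author", "comment");
    if (n < 0) {
        fputs("command did not fit in buffer\n", stderr);
        return 1;
    }
    printf("%s\n", buffer);
    return 0;
}
```

Compile with `gcc -Wall -Wformat` (or `-Werror=format` to make it fatal): with the attribute in place, swapping the argument order back to the one in the mail's test.c produces a warning that "%d" expects an int but receives a `char *`, which is the check that would have caught the original call.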