oss-sec mailing list archives
Re: CVE Request (nagios)
From: Eygene Ryabinkin <rea-sec () codelabs ru>
Date: Mon, 8 Dec 2008 15:16:07 +0300
Andreas, Mon, Dec 08, 2008 at 01:00:18PM +0100, Andreas Ericsson wrote:
> Eygene Ryabinkin wrote:
> > As you see, the wrong arguments were passed to the cmd_submitf for the
> > service comments -- argument 'service_desc' will be treated as integer
> > and argument 'presistent_comment' (that is essentially a boolean that
> > is simulated via 'int' type) will be treated as the pointer to a
> > string. SEGV is likely here.
>
> Ah, right. Yes, that's true. however, it's not a vulnerability as it's
> doing read-only access, and it can't cause DoS as it's only the CGI
> that's affected.

It surely will cause SEGV:
-----
$ cat test.c
#include <stdio.h>

int main(void)
{
	char buffer[1024];
	int persistent_comment = 1;
	char *current_time = "time";
	char *host_name = "host name";
	char *service_desc = "service";
	char *comment_author = "author";
	char *comment_data = "comment";

	snprintf(buffer, sizeof(buffer),
	    "%s;%s;%d;%s;%s", current_time, host_name, service_desc,
	    persistent_comment, comment_author, comment_data);
	return 0;
}
$ gcc -o test test.c
$ ./test
Segmentation fault: 11 (core dumped)
-----
Since CGIs could dump core and a core dump starves both disk and CPU,
DoS for the HTTP server that hosts Nagios is still foreseeable.
But I tend to agree that this issue is of much lower interest than the
cmg.cgi's one ;)) So, probably, no CVE is really needed until someone
shows how this thing can be exploited. Remember sudo's "just one
byte" overflow (http://packetstormsecurity.org/0211-exploits/hudo.c)?
--
Eygene
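
Added example, not part of the original message and not Nagios code: a printf-style wrapper declared with the GCC/Clang `format` attribute, so the argument mismatch that test.c hits at run time is reported by `-Wformat` at build time. The names `submitf`, `build_svc_comment` and `SHOW_MISMATCH`, and the six-conversion format string, are constructed for illustration; the real signature of cmd_submitf is not shown in the thread.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style wrapper standing in for cmd_submitf. The
 * format attribute makes the compiler check every variadic argument
 * against the conversions in the format string (argument 3). */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
int submitf(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    /* Report truncation or an output error as failure. */
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Service-comment line with one conversion per argument, in order:
 * three strings, the int flag, two strings (constructed format). */
int build_svc_comment(char *out, size_t outlen, const char *current_time,
                      const char *host_name, const char *service_desc,
                      int persistent_comment, const char *comment_author,
                      const char *comment_data)
{
#ifdef SHOW_MISMATCH
    /* Call shape from test.c: build with -DSHOW_MISMATCH -Wformat to see
     * the compiler flag the mismatched arguments. */
    return submitf(out, outlen, "%s;%s;%d;%s;%s", current_time, host_name,
                   service_desc, persistent_comment, comment_author,
                   comment_data);
#else
    return submitf(out, outlen, "%s;%s;%s;%d;%s;%s", current_time, host_name,
                   service_desc, persistent_comment, comment_author,
                   comment_data);
#endif
}

int main(void)
{
    char line[1024];
    if (build_svc_comment(line, sizeof(line), "time", "host name", "service",
                          1, "author", "comment") < 0)
        return 1;
    puts(line);
    return 0;
}
```

Building with `-Wformat -Werror=format` turns any such mismatch in a caller of the wrapper into a compile error.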
