oss-sec mailing list archives
Re: CVE Request (minor) -- Two Munin graphing framework flaws
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 17 Apr 2012 23:04:56 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/16/2012 11:34 PM, Helmut Grohne wrote:
> Hi Kurt,
>
> Please always CC the bug report when adding detail to it. Doing it now
> for you.
>
> On Mon, Apr 16, 2012 at 01:19:32PM -0600, Kurt Seifried wrote:
>>> [3] Remote users can fill /tmp filesystem:
>>> Red Hat would not consider this to be a security flaw => no RH BTS entry.
>>> Original report: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668667
>>
>> I reread this one a few times, I'm not clear on what:
>>
>> ==========
>> printf 'GET /cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/vmstat-day.png?foo
>> HTTP/1.0\r\nHost: localhost\r\nConnection: close\r\n\r\n' | nc
>> localhost 80
>>
>> Provided that the filename actually exists, munin will render the image
>> ==========
>>
>> means exactly, does the file vmstat-day.png need to exist where? It
>> seems like if the image is of any size (say 20k or more) the
>> amplification (each get request = 20k of tmp space usage) and the files
>> have to be deleted manually it might qualify as a DoS. helmut () subdivi de
>> can you shed more light on this?
>
> The basic requirement is that a plugin called vmstat is configured for
> the node localhost.localdomain. I just picked it as an example, cause it
> is present on my system. In practice any plugin for any host will do.

Is this the default configuration?

> In addition munin parses parts of the query string. You are allowed to
> modify the size of the image. By choosing a path
> "....png?size_x=20000&size_y=20000&uniquestuff" you can do the same
> attack while simultaneously using a large image size. The raw image
> would be 381M (assuming 8bits/pixel) in this case. A png version will
> likely be smaller, say 4M? So now you have an amplification of
> 4M/request. Note that this query can get a node into swapping, because
> rrdtool needs to create the whole image in main memory.
>
> Hope this helps

Ouch.

> Helmut

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPjkt4AAoJEBYNRVNeJnmTzqwQAKn7u4+dg9mYpMuAAC14fIYh
JGQGLSRJ98s3IgH14dOO6q9nASErz5wBPhcTnTwOKOLAdbbFHU5Z1DKm+ARyLMXw
XPIGHrdTb5TkWvsRKilA7iIbUhaXuMckELJj2WWi5LdHvzVLG8mEivQQKMtSY8b1
Wmp0JmDguHpqcToYq4uwYA1O22fHxwPjBFnsZ6A2HjLtMwCUkZ6WZZEuc85+v2C5
utfJm3AYSRgW1mI24kLxTIsige88txXZpUt44Bx3T26UkUz2X4ebbO/z5slqXt7n
RLZ4IDWEs03yau8vJD6vuNtOvQ+p3SmQYeRr6GvEXYrem+mTPB6toKLUeRUr7fNR
+RO4syrQ1KMoGfcAlNJ9ide2qZHsByXseriSJ02yb0VYKqYD1peUo1wR3Kw/EBnC
lnWNfb54JmwJih4qzEpE/SKoVEgxTKfuJGT4QcZ1PDrABQSfOWc4v3bughgLNH6m
c/voNTCuk7XI0//hCj4qF9jx/SPAB0xnnxnhqgmPTCBUVB3WHlSK0V335DV4KIGm
9c4GqdEJ0lxtKWJpwpZbNBU00LksXpHFQHMjcJ+0Bc0B1CrbaL0Hi9+1/kWH0aYG
X+N6Ah6/eY1bP78B1rH91CqcSRm5fouIbY5QSraN7ZGvrKXAvrQrnRqdEj+XKYUL
YTFUs403T/QOG6KuIGhg
=/Jxz
-----END PGP SIGNATURE-----
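As an added example for the amplification Helmut describes above (this is not code from Munin or from anyone in this thread): a small Python detector that reads web-server access-log lines, estimates the raw pixel buffer each munin-cgi-graph request would make rrdtool allocate (using the thread's own 8 bits/pixel proxy), totals it per client, and flags requests over a cap; clamp_dims shows the matching fix on the rendering side, where the CGI bounds size_x/size_y before handing them to rrdtool. The /cgi-bin/munin-cgi-graph/ path and the size_x/size_y parameters come from the thread; the 400x175 default size, the 4000-pixel and 16 MiB limits, and the log lines are assumptions constructed for this example, not Munin defaults or real traffic.

```python
"""Detect and cap oversized munin-cgi-graph requests.

Added example for this thread, not code from Munin or from the people
in it.  Assumes the CGI is mounted under /cgi-bin/munin-cgi-graph/ (as
in the quoted request), that size_x/size_y set the image size (as
Helmut describes), and that 8 bits per pixel of raw image data is a
fair proxy for rrdtool's in-memory cost (the thread's own assumption).
The limits and default size below are placeholders for this example,
not Munin defaults.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

GRAPH_PATH = "/cgi-bin/munin-cgi-graph/"
DEFAULT_SIZE = (400, 175)         # assumed size when size_x/size_y are absent
MAX_DIMENSION = 4000              # assumed per-side cap, in pixels
MAX_RAW_BYTES = 16 * 1024 * 1024  # assumed cap on raw pixel data per request

# Common/combined log format: client address first, request line in quotes.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def estimate_raw_bytes(size_x, size_y, bits_per_pixel=8):
    """Raw image size rrdtool must hold in memory before PNG compression."""
    return size_x * size_y * bits_per_pixel // 8


def graph_request_dims(target):
    """Return (size_x, size_y) for a munin-cgi-graph URL, or None otherwise.

    Missing or non-numeric values fall back to DEFAULT_SIZE; negative
    values are treated as 0 so they cannot inflate the estimate.
    """
    parts = urlsplit(target)
    if not parts.path.startswith(GRAPH_PATH):
        return None
    query = parse_qs(parts.query)

    def dim(name, default):
        values = query.get(name)
        if not values:
            return default
        try:
            return max(0, int(values[0]))
        except ValueError:
            return default

    return dim("size_x", DEFAULT_SIZE[0]), dim("size_y", DEFAULT_SIZE[1])


def classify_request(target):
    """'not-graph', 'ok', or 'oversized' for one request target."""
    dims = graph_request_dims(target)
    if dims is None:
        return "not-graph"
    x, y = dims
    if x > MAX_DIMENSION or y > MAX_DIMENSION or estimate_raw_bytes(x, y) > MAX_RAW_BYTES:
        return "oversized"
    return "ok"


def clamp_dims(size_x, size_y):
    """Mitigation side: the size a hardened CGI would actually render."""
    return min(size_x, MAX_DIMENSION), min(size_y, MAX_DIMENSION)


def scan_log(lines):
    """Per-client totals of estimated raw bytes requested from the graph CGI,
    plus the list of individual oversized requests as (client, target, bytes)."""
    per_client = defaultdict(int)
    oversized = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        dims = graph_request_dims(target)
        if dims is None:
            continue
        raw = estimate_raw_bytes(*dims)
        per_client[m.group("client")] += raw
        if classify_request(target) == "oversized":
            oversized.append((m.group("client"), target, raw))
    return dict(per_client), oversized


# Constructed sample access-log lines for this example (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Apr/2012:22:58:01 -0600] "GET /cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/vmstat-day.png?foo HTTP/1.0" 200 20480',
    '192.0.2.10 - - [17/Apr/2012:22:58:02 -0600] "GET /cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/vmstat-day.png?size_x=20000&size_y=20000&uniquestuff HTTP/1.0" 200 4194304',
    '192.0.2.10 - - [17/Apr/2012:22:58:03 -0600] "GET /cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/vmstat-day.png?size_x=abc&size_y=-5 HTTP/1.0" 200 20480',
    '198.51.100.7 - - [17/Apr/2012:22:58:04 -0600] "GET /munin/index.html HTTP/1.1" 200 1234',
]

if __name__ == "__main__":
    totals, hits = scan_log(SAMPLE_LOG)
    for client, target, raw in hits:
        print(f"oversized: {client} {target} ~{raw / 2**20:.0f} MiB raw")
    for client, total in totals.items():
        print(f"{client}: ~{total / 2**20:.1f} MiB raw requested")
```

The per-client total matters more than any single hit: the `?uniquestuff` cache-buster Helmut mentions means each request lands as a fresh file, so a client sending many default-sized requests fills /tmp just as surely as one sending a 20000x20000 request, only more slowly. Clamping on the server and cleaning the spool directory on a timer address both shapes.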