oss-sec mailing list archives

Re: CVE Request (nagios)


From: Eygene Ryabinkin <rea-sec () codelabs ru>
Date: Mon, 8 Dec 2008 15:16:07 +0300

Andreas,

Mon, Dec 08, 2008 at 01:00:18PM +0100, Andreas Ericsson wrote:
> Eygene Ryabinkin wrote:
> > As you see, the wrong arguments were passed to the cmd_submitf for the
> > service comments -- argument 'service_desc' will be treated as integer
> > and argument 'persistent_comment' (that is essentially a boolean that is
> > simulated via 'int' type) will be treated as the pointer to a string.
> > SEGV is likely here.
>
> Ah, right. Yes, that's true. However, it's not a vulnerability as it's
> doing read-only access, and it can't cause DoS as it's only the CGI
> that's affected.

It surely will cause SEGV:
-----
$ cat test.c
#include <stdio.h>

int main(void)
{
        char buffer[1024];
        int persistent_comment = 1;
        char *current_time = "time";
        char *host_name = "host name";
        char *service_desc = "service";
        char *comment_author = "author";
        char *comment_data = "comment";

        /* Same argument order as the buggy cmd_submitf call: the
           char * service_desc lands on %d and the int
           persistent_comment is dereferenced by %s. */
        snprintf(buffer, sizeof(buffer),
            "%s;%s;%d;%s;%s", current_time, host_name, service_desc,
            persistent_comment, comment_author, comment_data);
        return 0;
}
$ gcc -o test test.c
$ ./test
Segmentation fault: 11 (core dumped)
-----

Since CGIs could dump core and core dumps starve both disk and CPU,
DoS for the HTTP server that hosts Nagios is still foreseeable.
But I tend to agree that this issue is of much lower interest than the
cmd.cgi's one ;))  So, probably, no CVE is really needed until someone
shows how this thing can be exploited.  Remember sudo's "just one
byte" overflow (http://packetstormsecurity.org/0211-exploits/hudo.c)?
-- 
Eygene
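For comparison, the same command string built with every conversion matched to an argument of the right type. This is an added example, not code from the thread or from Nagios; format_service_comment is a hypothetical helper, and the variable names follow the test.c above. Compiled with -Wall (which enables -Wformat), gcc reports the swapped call from the mail at build time as a format/argument type mismatch; the matched version below compiles silently and, unlike the original, also refuses to hand a truncated command onward.

```c
/* Added example (not the thread's or Nagios's code): a command-string
 * builder whose format conversions match their arguments. Names follow
 * the test.c in the mail; format_service_comment itself is hypothetical. */
#include <stdio.h>
#include <string.h>

/* Writes "<time>;<host>;<service>;<persistent>;<author>;<comment>" into out.
 * Returns the string length on success, -1 if the buffer was too small
 * (snprintf reports the length it wanted; a clipped command must not be
 * submitted as if it were complete). */
int format_service_comment(char *out, size_t out_len,
                           const char *current_time, const char *host_name,
                           const char *service_desc, int persistent_comment,
                           const char *comment_author, const char *comment_data)
{
    /* %s for the three strings, %d for the int flag: order and type match,
       so -Wformat stays quiet and nothing is misinterpreted at run time. */
    int n = snprintf(out, out_len, "%s;%s;%s;%d;%s;%s",
                     current_time, host_name, service_desc, persistent_comment,
                     comment_author, comment_data);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    return n;
}

int main(void)
{
    char buffer[1024];
    /* Constructed sample values, same as the ones used in test.c above. */
    int n = format_service_comment(buffer, sizeof buffer, "time", "host name",
                                   "service", 1, "author", "comment");
    if (n < 0) {
        fputs("command truncated, not submitting\n", stderr);
        return 1;
    }
    puts(buffer);
    return 0;
}
```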

