Re: CVE Request (minor) -- Two Munin graphing framework flaws

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/16/2012 11:34 PM, Helmut Grohne wrote:
> Hi Kurt,
>
> Please always CC the bug report when adding detail to it. Doing it
> now for you.
>
> On Mon, Apr 16, 2012 at 01:19:32PM -0600, Kurt Seifried wrote:
> > > [3] Remote users can fill /tmp filesystem: Red Hat would not 
> > > consider this to be a security flaw => no RH BTS entry.
> > >
> > > Original report: 
> > > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668667
> >
> > I reread this one a few times, I'm not clear on what:
> >
> > ========== printf 'GET 
> > /cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/vmstat-day.png?foo
HTTP/1.0\r\nHost: localhost\r\nConnection: close\r\n\r\n' | nc
> > localhost 80
> >
> > Provided that the filename actually exists, munin will render the
> > image ==========
> >
> > means exactly, does the file vmstat-day.png need to exist where?
> > It seems like if the image is of any size (say 20k or more) the 
> > amplification (each get request = 20k of tmp space usage) and
> > the files have to be deleted manually it might qualify as a DoS.
> >
> > helmut () subdivi de can you shed more light on this?
>
> The basic requirement is that a plugin called vmstat is configured
> for the node localhost.localdomain. I just picked it as an example,
> cause it is present on my system. In practise any plugin for any
> host will do.

Is this the default configuration?

> In addition munin parses parts of the query string. You are allowed
> to modify the size of the image. By choosing a path 
> "....png?size_x=20000&size_y=20000&uniquestuff" you can do the
> same attack while simultaneously using a large image size. The raw
> image would be 381M (assuming 8bits/pixel) in this case. A png
> version will likely be smaller, say 4M? So now you have an
> amplification of 4M/request. Note that this query can get a node
> into swapping, because rrdtool needs to create the whole image in
> main memory.
>
> Hope this helps

Ouch.

> Helmut


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPjkt4AAoJEBYNRVNeJnmTzqwQAKn7u4+dg9mYpMuAAC14fIYh
JGQGLSRJ98s3IgH14dOO6q9nASErz5wBPhcTnTwOKOLAdbbFHU5Z1DKm+ARyLMXw
XPIGHrdTb5TkWvsRKilA7iIbUhaXuMckELJj2WWi5LdHvzVLG8mEivQQKMtSY8b1
Wmp0JmDguHpqcToYq4uwYA1O22fHxwPjBFnsZ6A2HjLtMwCUkZ6WZZEuc85+v2C5
utfJm3AYSRgW1mI24kLxTIsige88txXZpUt44Bx3T26UkUz2X4ebbO/z5slqXt7n
RLZ4IDWEs03yau8vJD6vuNtOvQ+p3SmQYeRr6GvEXYrem+mTPB6toKLUeRUr7fNR
+RO4syrQ1KMoGfcAlNJ9ide2qZHsByXseriSJ02yb0VYKqYD1peUo1wR3Kw/EBnC
lnWNfb54JmwJih4qzEpE/SKoVEgxTKfuJGT4QcZ1PDrABQSfOWc4v3bughgLNH6m
c/voNTCuk7XI0//hCj4qF9jx/SPAB0xnnxnhqgmPTCBUVB3WHlSK0V335DV4KIGm
9c4GqdEJ0lxtKWJpwpZbNBU00LksXpHFQHMjcJ+0Bc0B1CrbaL0Hi9+1/kWH0aYG
X+N6Ah6/eY1bP78B1rH91CqcSRm5fouIbY5QSraN7ZGvrKXAvrQrnRqdEj+XKYUL
YTFUs403T/QOG6KuIGhg
=/Jxz
-----END PGP SIGNATURE-----