[TriLUG] Nagios plugin check_http segmentation fault - potential for buffer overflow?
David McDowell
turnpike420 at gmail.com
Wed Nov 22 15:15:52 EST 2006
OK, so there is an issue there. How about the other part then, why
would it return green "OK" to nagios? :)
Thanks Ian, you rock!
David
On 11/22/06, Ian Kilgore <ian at trilug.org> wrote:
> On Wed, Nov 22, 2006 at 03:01:00PM -0500, Ian Kilgore wrote:
> > while (j < len - 2) {
> I know, I know, I'm replying to myself. I'm sorry. Here is a cookie.
>
> To clarify, len is size_t. When len is <2, this becomes:
>
> while (j < big number depending on platform) {
>
> At the start of base64(), a buffer is allocated. When len is one, that
> buffer is (len + 2) / 3 * 4 + 1 = 5 bytes big. "big number depending on
> platform" is more than five :)
>
> Then stuff like this happens inside the loop:
> buf[i++] = base64_table[bin[j] >> 2];
>
> 'i' does not get smaller, and gets incremented a few times in the body
> of the loop, so after a bit, base64() starts to write outside of buf.
> So this is a buffer overflow, but I'm not sure if it can be exploited.
>
> Even if it could be exploited, would it really get you anywhere? :)
>
>
> --
> Ian Kilgore
> echo "pfxz at pfxz.trw" | tr pzfwxt ikagno
>
> --
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
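The size_t underflow Ian describes, shown as an added example that is not code from the thread or from the Nagios plugin: `b64_out_size` is the allocation formula quoted above, `unsafe_loop_bound` is the original `len - 2` test in isolation, and `safe_base64` is a hardened encoder whose loop bound cannot wrap and whose stores are checked against the buffer size (only `base64_table` is a name from the post; the other names are assumed here).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

static const char base64_table[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Output size as described in the thread: (len + 2) / 3 * 4 + 1 bytes,
 * which is 5 for len == 1 (four symbols plus the terminator). */
size_t b64_out_size(size_t len) {
    return (len + 2) / 3 * 4 + 1;
}

/* The original loop bound in isolation: `j < len - 2` with size_t len.
 * For len < 2 the subtraction wraps, so the bound becomes enormous. */
size_t unsafe_loop_bound(size_t len) {
    return len - 2;
}

/* Hardened encoder (assumed name, not the plugin's own function).
 * `len - j >= 3` cannot underflow because j never exceeds len, and the
 * output buffer is checked up front, so a 0-, 1- or 2-byte input no
 * longer walks past the end of out. Returns the number of characters
 * written (excluding the NUL), or -1 if out_size is too small. */
long safe_base64(const uint8_t *bin, size_t len, char *out, size_t out_size) {
    size_t i = 0, j = 0;
    if (out_size < b64_out_size(len))
        return -1;
    while (len - j >= 3) {                     /* full 3-byte groups */
        uint32_t v = (uint32_t)bin[j] << 16 | (uint32_t)bin[j + 1] << 8 | bin[j + 2];
        out[i++] = base64_table[(v >> 18) & 0x3f];
        out[i++] = base64_table[(v >> 12) & 0x3f];
        out[i++] = base64_table[(v >> 6) & 0x3f];
        out[i++] = base64_table[v & 0x3f];
        j += 3;
    }
    if (len - j == 1) {                        /* one trailing byte */
        out[i++] = base64_table[bin[j] >> 2];
        out[i++] = base64_table[(bin[j] & 0x03) << 4];
        out[i++] = '=';
        out[i++] = '=';
    } else if (len - j == 2) {                 /* two trailing bytes */
        out[i++] = base64_table[bin[j] >> 2];
        out[i++] = base64_table[((bin[j] & 0x03) << 4) | (bin[j + 1] >> 4)];
        out[i++] = base64_table[(bin[j + 1] & 0x0f) << 2];
        out[i++] = '=';
    }
    out[i] = '\0';
    return (long)i;
}
```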