[Nagiosplug-devel] [ nagiosplug-Bugs-1687867 ] check_http: buffer overflow vulnerability

SourceForge.net noreply at sourceforge.net
Sun Jun 17 21:24:03 CEST 2007


Bugs item #1687867, was opened at 2007-03-25 18:37
Message generated for change (Comment added) made by hweiss
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=1687867&group_id=29880

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: General plugin execution
Group: None
>Status: Closed
>Resolution: Fixed
Priority: 7
Private: No
Submitted By: Nobuhiro Ban (ban_nobuhiro)
Assigned to: Nobody/Anonymous (nobody)
Summary: check_http: buffer overflow vulnerability

Initial Comment:
Description:
Buffer overflows within the redir() function of check_http.c
potentially allow remote attackers to execute arbitrary code
via crafted ``Location:'' responses.
This vulnerability is caused by passing insufficient length
buffers to sscanf().

Example of crafted ``Location:'' response:
o Location: htttttttttttttttttttttttttttttttttttttttttttp://example.com/
o Location: http://example.com:1234567890123456789012345678901234567890/
o Location: http://tooooooooooooooooooooooooooooooooooooooooooooooooooo.loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooong.loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooong.loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooong.loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooong.loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooong.loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooong.host-name.example.com/

Workaround:
Do not check untrusted web servers with the ``-f follow'' option.


----------------------------------------------------------------------

>Comment By: Holger Weiss (hweiss)
Date: 2007-06-17 21:24

Message:
Logged In: YES 
user_id=759506
Originator: NO

This is now fixed in CVS.  Thank you very much!

----------------------------------------------------------------------

Comment By: Nobuhiro Ban (ban_nobuhiro)
Date: 2007-06-16 20:35

Message:
Logged In: YES 
user_id=1699577
Originator: YES

Because this contains some vulnerability information,
I marked this report as confidential (private).

Over 80 days have passed, and the vulnerability still exists.

So I am opening this to the public.

----------------------------------------------------------------------
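
A bounded way to parse a ``Location:'' value with sscanf(), as an added example that is not check_http.c's code and not the fix committed to CVS. parse_location(), struct redirect and the size limits are hypothetical; the samples in main() are constructed after the shapes listed in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define SCHEME_MAX 5            /* longest accepted scheme: "https" */
#define HOST_MAX   255          /* assumed host limit for this sketch */
#define PORT_MAX   5            /* "65535" */
#define STR_(x) #x
#define STR(x)  STR_(x)

struct redirect { char scheme[SCHEME_MAX + 1]; char host[HOST_MAX + 1]; long port; };
/* Hypothetical helper: 0 on success, -1 if malformed or any component is over-long. */
int parse_location(const char *v, struct redirect *r)
{
    char port[PORT_MAX + 1];
    int n = 0;
    /* Every %[ conversion carries a width one less than its buffer size. */
    if (sscanf(v, "%" STR(SCHEME_MAX) "[A-Za-z]://%n", r->scheme, &n) != 1 || n == 0)
        return -1;              /* n stays 0 when "://" did not follow the scheme */
    if (strcasecmp(r->scheme, "http") && strcasecmp(r->scheme, "https"))
        return -1;
    v += n; n = 0;
    if (sscanf(v, "%" STR(HOST_MAX) "[A-Za-z0-9.-]%n", r->host, &n) != 1)
        return -1;
    v += n;
    r->port = strcasecmp(r->scheme, "https") ? 80 : 443;
    if (*v == ':') {
        n = 0;
        if (sscanf(++v, "%" STR(PORT_MAX) "[0-9]%n", port, &n) != 1)
            return -1;
        v += n;
        r->port = strtol(port, NULL, 10);
        if (r->port < 1 || r->port > 65535)
            return -1;
    }
    /* Hitting a width limit leaves component characters unread: reject, don't truncate. */
    return (*v == '/' || *v == '\0') ? 0 : -1;
}

int main(void)
{
    /* Constructed samples: two well-formed values, then over-long scheme and port. */
    const char *samples[] = { "http://example.com/", "https://example.com:8443/a",
        "htttttttttttttttp://example.com/", "http://example.com:1234567890123456789012345678901234567890/" };
    struct redirect r;
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-7s %.40s\n", parse_location(samples[i], &r) ? "reject" : "accept", samples[i]);
    return 0;
}
```
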
