This repository has been archived by the owner on Jan 15, 2019. It is now read-only.
Assignee: ricardo
Status: Resolved (closed on 2013-12-03 15:42:13 +00:00)
Target Version: 1.10.2
Last Update: 2014-12-08 09:21:44 +00:00 (in Redmine)
Icinga Version: 1.10.0
OS Version: any
Info from DTAG Group Information Security:
a) application
b) problem
c) CVSS
d) detailed description
e) reference / position in the source code
f) recommendation
a) Icinga 1.9.1
b) Buffer Overflow
c) 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
d) The Icinga web GUI is susceptible to several buffer overflow flaws, which can be triggered as a logged-on user. A remote attacker may utilize a CSRF (cross-site request forgery) attack vector against a logged-in user to exploit this flaw remotely. Depending on the target system, this may result in code execution and eventually full compromise of the Icinga server.
All occurrences of this flaw are a result of incorrect string handling of CGI parameters. Although the flaw can be found in several locations of the code, it follows the same pattern, which is discussed in detail here. All susceptible code locations look like the following (annotations on the left side, explained below).
1. The function defines an empty char array of length MAX_INPUT_BUFFER.
2. Depending on the value of CGI_ID (which is the filename of the CGI calling this function), a string is concatenated to the empty array. At this point, the string "url" has a length depending on the CGI_ID.
3. Then the user-submitted query string is checked for length < MAX_INPUT_BUFFER. This is done to prevent buffer overflows in a copy routine which is called at a later point. However, this check is not correct, as it does not take into account the length of the string already copied into "url" in step 2.
4. The user-submitted query string is copied into the char array "stripped_query_string". This is done to sanitize the input values for display.
5. From the user-submitted query string, all relevant parameters are extracted using a modified strtok function.
6. At this point, the buffer overflow happens as a result of a miscalculation of the available space in the "url" array. The strcat copies the user-submitted value right behind the string already copied in step 2. The resulting string may exceed the allocated size of "url" (MAX_INPUT_BUFFER), which eventually results in a buffer overflow.
This memory corruption condition may result in controlling the program flow by modifying the stack content, which may finally lead to arbitrary code execution on the icinga server.
e) The flaw can be found in multiple locations of the code base. The following files/functions are affected:
cgi/cgiutils.c: display_nav_table
cgi/cgiutils.c: page_limit_selector
cgi/cgiutils.c: print_export_link
cgi/cgiutils.c: page_num_selector
cgi/status.c: status_page_num_selector
cgi/config.c: display_command_expansion
f) Unsafe API calls such as "strcat" should be avoided, if possible. Free space of the destination buffer should be calculated correctly to prevent buffer overflows. In the above example the length of the string, which has been copied into the "url" variable, should be taken into account before executing the strcat API call.
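The following is an added illustration of the pattern from d) and the fix from f), not code from Icinga or the advisory: a length check on the raw query string alone (step 3) passes a value that, once appended behind the CGI-dependent prefix (step 2), would exceed the buffer, while a bounded append that counts what is already in "url" refuses it. MAX_INPUT_BUFFER, the prefix string and the 50-byte parameter are constructed values chosen to make the boundary easy to follow.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed stand-in for the buffer size; deliberately small. */
#define MAX_INPUT_BUFFER 64

/* The check the advisory describes in step 3: only the raw query string
 * is compared against the buffer size; the prefix already in "url" is
 * ignored, so this check is insufficient on its own. */
bool naive_check_passes(const char *query) {
    return strlen(query) < MAX_INPUT_BUFFER;
}

/* Bounded append in the spirit of the fix commits: compute the length the
 * result would have (including the terminating NUL) and refuse the append
 * if it would not fit. dst is left unchanged on refusal. */
bool safe_strcat(char *dst, size_t dst_size, const char *src) {
    size_t have = strlen(dst);
    size_t need = strlen(src);
    if (have + need + 1 > dst_size)
        return false;
    memcpy(dst + have, src, need + 1);
    return true;
}

/* Hypothetical URL builder: a prefix chosen by the calling CGI (step 2)
 * followed by a user-supplied parameter value (step 6). Returns false when
 * the value does not fit, the case the original code did not handle. */
bool build_url(char *url, size_t url_size, const char *cgi_prefix,
               const char *param) {
    url[0] = '\0';
    if (!safe_strcat(url, url_size, cgi_prefix))
        return false;
    return safe_strcat(url, url_size, param);
}

int main(void) {
    char url[MAX_INPUT_BUFFER];
    /* Constructed input: 50 bytes passes the naive check (50 < 64), but
     * behind a 20-byte prefix the result needs 71 bytes. */
    char param[51];
    memset(param, 'A', 50);
    param[50] = '\0';
    printf("naive check: %s\n", naive_check_passes(param) ? "pass" : "reject");
    printf("bounded build: %s\n",
           build_url(url, sizeof url, "status.cgi?host=all&", param) ? "ok" : "rejected");
    return 0;
}
```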
classic-ui: fix possible buffer overflows #5250
Add checks to functions using strcat. Now the length of the resulting
string gets calculated and checked if it would exceed the max length
for this char array.
Thanks to DTAG Group Information Security for the findings.
refs: #5250
whatthecommit: fixed my stupidness ...
classic-ui: fix possible buffer overflows #5250
Add checks to functions using strcat. Now the length of the resulting
string gets calculated and checked if it would exceed the max length
for this char array.
Thanks to DTAG Group Information Security for the findings.
backported to 1.9
refs: #5250
whatthecommit: fixed my stupidness ...
classic-ui: fix possible buffer overflows #5250
Add checks to functions using strcat. Now the length of the resulting
string gets calculated and checked if it would exceed the max length
for this char array.
Thanks to DTAG Group Information Security for the findings.
backported to 1.8
refs: #5250
whatthecommit: fixed my stupidness ...
This issue has been migrated from Redmine: https://dev.icinga.com/issues/5250
Created by ricardo on 2013-12-02 20:38:21 +00:00
Changesets
2013-12-03 08:45:04 +00:00 by ricardo 3c002b7
2013-12-03 15:30:35 +00:00 by ricardo aaa6ef0
2013-12-13 11:29:55 +00:00 by ricardo eaecd28
2013-12-13 11:41:10 +00:00 by ricardo cdb7890