Vulnerabilities > CVE-2007-5198 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Nagios Plugins

CVSS 6.8 - MEDIUM

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

nagios

CWE-119

nessus

exploit available

NVD

Published: 2007-10-04

Updated: 2011-03-08

Summary

Buffer overflow in the redir function in check_http.c in Nagios Plugins before 1.4.10, when running with the -f (follow) option, allows remote web servers to execute arbitrary code via Location header responses (redirects) with a large number of leading "L" characters.

Vulnerable Configurations

Part	Description	Count
Application	Nagios Nagios Plugins 1.3.0 Nagios Plugins 1.3.1 Nagios Plugins 1.4 Nagios Plugins 1.4.1 Nagios Plugins 1.4.2 Nagios Plugins 1.4.3 Nagios Plugins 1.4.4 Nagios Plugins 1.4.5 Nagios Plugins 1.4.6 Nagios Plugins 1.4.7 Nagios Plugins 1.4.8 Nagios Plugins 1.4.9	12

Common Weakness Enumeration (CWE)

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Common Attack Pattern Enumeration and Classification (CAPEC)

Buffer Overflow via Environment Variables
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
Client-side Injection-induced Buffer Overflow
This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
Filter Failure through Buffer Overflow
In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
MIME Conversion
An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Exploit-Db

description	Nagios Plugins 1.4.2/1.4.9 Location Header Remote Buffer Overflow Vulnerability. CVE-2007-5198. Dos exploit for linux platform
id	EDB-ID:30646
last seen	2016-02-03
modified	2007-07-16
published	2007-07-16
reporter	Nobuhiro Ban
source	https://www.exploit-db.com/download/30646/
title	Nagios Plugins 1.4.2/1.4.9 Location Header Remote Buffer Overflow Vulnerability

Nessus

NASL family	SuSE Local Security Checks
NASL id	SUSE_NAGIOS-PLUGINS-4621.NASL
description	fix possible buffer overflow during HTTP Location header parsing in check_http (CVE-2007-5198) fix possible buffer overflow during snmpget parsing in check_snmp (CVE-2007-5623)
last seen	2020-06-01
modified	2020-06-02
plugin id	28356
published	2007-11-29
reporter	This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/28356
title	openSUSE 10 Security Update : nagios-plugins (nagios-plugins-4621)
code	if ( !defined_func("nasl_level") \|\| nasl_level() < 61201 \|\| (nasl_level() >= 70000 && nasl_level() < 70105) \|\| (nasl_level() >= 70200 && nasl_level() < 70203) \|\| (nasl_level() >= 80000 && nasl_level() < 80502) ) exit(0); # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update nagios-plugins-4621. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(28356); script_version ("1.9"); script_cvs_date("Date: 2019/10/24 13:56:42"); script_cve_id("CVE-2007-5198", "CVE-2007-5623"); script_name(english:"openSUSE 10 Security Update : nagios-plugins (nagios-plugins-4621)"); script_summary(english:"Check for the nagios-plugins-4621 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "fix possible buffer overflow during HTTP Location header parsing in check_http (CVE-2007-5198) fix possible buffer overflow during snmpget parsing in check_snmp (CVE-2007-5623)" ); script_set_attribute( attribute:"solution", value:"Update the affected nagios-plugins packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_cwe_id(119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nagios-plugins"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nagios-plugins-extras"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.3"); script_set_attribute(attribute:"patch_publication_date", value:"2007/11/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/29"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) \|\| release =~ "^(SLED\|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE10\.1\|SUSE10\.2\|SUSE10\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.1 / 10.2 / 10.3", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586\|i686\|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE10.1", reference:"nagios-plugins-1.4.2-16.6") ) flag++; if ( rpm_check(release:"SUSE10.1", reference:"nagios-plugins-extras-1.4.2-16.6") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"nagios-plugins-1.4.5-8") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"nagios-plugins-extras-1.4.5-8") ) flag++; if ( rpm_check(release:"SUSE10.3", reference:"nagios-plugins-1.4.9-19.3") ) flag++; if ( rpm_check(release:"SUSE10.3", reference:"nagios-plugins-extras-1.4.9-19.3") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nagios-plugins / nagios-plugins-extras"); }

NASL family	FreeBSD Local Security Checks
NASL id	FREEBSD_PKG_7453C85D783011DCB4C80016179B2DD5.NASL
description	A Secunia Advisory reports : The vulnerability is caused due to a boundary error within the redir() function in check_http.c when processing HTTP Location : header information. This can be exploited to cause a buffer overflow by returning an overly long string in the
last seen	2020-06-01
modified	2020-06-02
plugin id	27044
published	2007-10-15
reporter	This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/27044
title	FreeBSD : nagios-plugins -- Long Location Header Buffer Overflow Vulnerability (7453c85d-7830-11dc-b4c8-0016179b2dd5)

NASL family	SuSE Local Security Checks
NASL id	SUSE_NAGIOS-PLUGINS-4624.NASL
description	fix possible buffer overflow during HTTP Location header parsing in check_http (CVE-2007-5198) fix possible buffer overflow during snmpget parsing in check_snmp. (CVE-2007-5623)
last seen	2020-06-01
modified	2020-06-02
plugin id	29526
published	2007-12-13
reporter	This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/29526
title	SuSE 10 Security Update : nagios plugins (ZYPP Patch Number 4624)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2008-3146.NASL
description	Upstream released a new version. This also fixes CVE-2007-5198 (#315101). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	31981
published	2008-04-18
reporter	This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/31981
title	Fedora 7 : nagios-plugins-1.4.11-2.fc7 (2008-3146)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2008-3098.NASL
description	- Tue Mar 18 2008 Tom
last seen	2020-06-01
modified	2020-06-02
plugin id	31978
published	2008-04-18
reporter	This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/31978
title	Fedora 8 : nagios-2.11-3.fc8 (2008-3098)

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-532-1.NASL
description	Nobuhiro Ban discovered that check_http in nagios-plugins did not properly sanitize its input when following redirection requests. A malicious remote web server could cause a denial of service or possibly execute arbitrary code as the user. (CVE-2007-5198) Aravind Gottipati discovered that sslutils.c in nagios-plugins did not properly reset pointers to NULL. A malicious remote web server could cause a denial of service. Aravind Gottipati discovered that check_http in nagios-plugins did not properly calculate how much memory to reallocate when following redirection requests. A malicious remote web server could cause a denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	28138
published	2007-11-10
reporter	Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/28138
title	Ubuntu 6.06 LTS : nagios-plugins vulnerability (USN-532-1)

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-1495.NASL
description	Several local/remote vulnerabilities have been discovered in two of the plugins for the Nagios network monitoring and management system. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-5198 A buffer overflow has been discovered in the parser for HTTP Location headers (present in the check_http module). - CVE-2007-5623 A buffer overflow has been discovered in the check_snmp module.
last seen	2020-06-01
modified	2020-06-02
plugin id	31055
published	2008-02-14
reporter	This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/31055
title	Debian DSA-1495-1 : nagios-plugins - buffer overflows

NASL family	SuSE Local Security Checks
NASL id	SUSE9_11953.NASL
description	fix possible buffer overflow during HTTP Location header parsing in check_http (CVE-2007-5198) fix possible buffer overflow during snmpget parsing in check_snmp. (CVE-2007-5623)
last seen	2020-06-01
modified	2020-06-02
plugin id	41162
published	2009-09-24
reporter	This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/41162
title	SuSE9 Security Update : nagios plugins (YOU Patch Number 11953)

NASL family	Gentoo Local Security Checks
NASL id	GENTOO_GLSA-200711-11.NASL
description	The remote host is affected by the vulnerability described in GLSA-200711-11 (Nagios Plugins: Two buffer overflows) fabiodds reported a boundary checking error in the
last seen	2020-06-01
modified	2020-06-02
plugin id	27846
published	2007-11-09
reporter	This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/27846
title	GLSA-200711-11 : Nagios Plugins: Two buffer overflows

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2008-3061.NASL
description	Upstream released a new version. This also fixes CVE-2007-5198 (#315101). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	31975
published	2008-04-18
reporter	This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/31975
title	Fedora 8 : nagios-plugins-1.4.11-2.fc8 (2008-3061)

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Exploit-Db

Nessus

References