oss-sec mailing list archives
Re: CVE Request: Nagios Remote Plugin Executor <= 2.15 Remote Command Execution
From: Martin Carpenter <mcarpenter () free fr>
Date: Tue, 22 Apr 2014 08:20:47 +0200
On Fri, 2014-04-18 at 10:14 +0800, Eduardo Tongson wrote:
Details: http://seclists.org/fulldisclosure/2014/Apr/240
This is similar to CVE-2013-1362
..
-#define NASTY_METACHARS "|`&><'\"\\[]{};" +#define NASTY_METACHARS "|`&><'\"\\[]{};\n"
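Review bot: the hunk appends only `\n` to NASTY_METACHARS, and because that macro is a deny-list, any character it does not name still reaches the command line; the review should confirm that blocking the newline specifically is the intended policy rather than moving to an allow-list of permitted argument characters. The reply below also records that NRPE deliberately uses `\n` to separate client-supplied arguments, so this one-line change alters documented client behaviour and needs a note in the changelog or documentation to that effect.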
I had this discussion with the Nagios security team (CC'ed) in February/March (this was also my suggested fix). Paraphrasing their response:

1. Admitting \n is "expected behavior... not a bug"(!). Motivation: permits use of \n to separate arguments coming from the client. Mmm.

2. Better: the problem can be mitigated by quoting macro arguments in the server side configuration nrpe.cfg:

command[check_ssh]=/usr/local/nagios/libexec/check_ssh "$ARG1$"
                                                       ^      ^

They agreed (March 21) to fix documentation and default/example configuration to contain "a better description" to this effect. That has not yet happened.

There's a lot I don't like here but I think quoting macro arguments in nrpe.cfg solves the immediate problem.

Martin.
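A check a defender can run over an nrpe.cfg for the mitigation Martin describes (quoting every $ARGn$ macro), together with a mirror of the NASTY_METACHARS deny-list before and after the proposed `\n` addition. This is an added example, not code from the thread or from the NRPE project; the sample config fragment, command names and paths are constructed.

```python
import re

# NASTY_METACHARS as quoted in the thread (NRPE 2.15) and with the proposed "\n" appended.
NASTY_METACHARS_ORIG = "|`&><'\"\\[]{};"
NASTY_METACHARS_FIXED = NASTY_METACHARS_ORIG + "\n"

# Constructed sample nrpe.cfg fragment; the command names and plugin paths are assumptions.
SAMPLE_CFG = """\
dont_blame_nrpe=1
command[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10
command[check_ssh]=/usr/local/nagios/libexec/check_ssh $ARG1$
command[check_ssh_quoted]=/usr/local/nagios/libexec/check_ssh "$ARG1$"
command[check_disk]=/usr/local/nagios/libexec/check_disk -w $ARG1$ -c "$ARG2$" -p '$ARG3$'
"""

_CMD_RE = re.compile(r'^\s*command\[(?P<name>[^\]]+)\]\s*=\s*(?P<line>.*)$')
_MACRO_RE = re.compile(r'\$ARG\d+\$')


def contains_nasty_metachars(arg, nasty=NASTY_METACHARS_FIXED):
    """Mirror of NRPE's deny-list test: True if any listed character occurs in arg."""
    return any(ch in nasty for ch in arg)


def unquoted_arg_macros(cfg_text):
    """Return (command name, macro) pairs for every $ARGn$ that is not inside quotes.

    Quote state is approximated by counting the quote characters that precede the
    macro on the same line; that is sufficient for the flat command lines nrpe.cfg uses.
    """
    findings = []
    for raw in cfg_text.splitlines():
        m = _CMD_RE.match(raw)
        if not m:
            continue
        line = m.group("line")
        for macro in _MACRO_RE.finditer(line):
            before = line[: macro.start()]
            in_double = before.count('"') % 2 == 1
            in_single = before.count("'") % 2 == 1
            if not (in_double or in_single):
                findings.append((m.group("name"), macro.group()))
    return findings


if __name__ == "__main__":
    for name, macro in unquoted_arg_macros(SAMPLE_CFG):
        print(f"command[{name}]: {macro} is not quoted")
    # A newline-bearing argument passes the shipped deny-list but not the patched one.
    print(contains_nasty_metachars("arg1\narg2", NASTY_METACHARS_ORIG))  # False
    print(contains_nasty_metachars("arg1\narg2"))  # True
```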