oss-sec mailing list archives
Re: CVE Request: Nagios Remote Plugin Executor <= 2.15 Remote Command Execution
From: Martin Carpenter <mcarpenter () free fr>
Date: Tue, 22 Apr 2014 08:20:47 +0200
On Fri, 2014-04-18 at 10:14 +0800, Eduardo Tongson wrote:
Details: http://seclists.org/fulldisclosure/2014/Apr/240
This is similar to CVE-2013-1362
..
-#define NASTY_METACHARS "|`&><'\"\\[]{};"
+#define NASTY_METACHARS "|`&><'\"\\[]{};\n"
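Review bot: appending a single character to the deny list leaves the check dependent on the list being complete, and it is not; carriage return (`\r`), for one, is still absent from `NASTY_METACHARS` after this change. Rather than growing the list one byte at a time, validate each client-supplied argument against an allow list of the characters the exposed plugins actually need, and keep the macro quoting in nrpe.cfg that the thread recommends as defence in depth.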
I had this discussion with the Nagios security team (CC'ed) in
February/March (this was also my suggested fix). Paraphrasing their
response:
1. Admitting \n is "expected behavior... not a bug"(!). Motivation:
permits use of \n to separate arguments coming from the client. Mmm.
2. Better: the problem can be mitigated by quoting macro arguments in
the server side configuration nrpe.cfg:
command[check_ssh]=/usr/local/nagios/libexec/check_ssh "$ARG1$"
                                                       ^      ^
They agreed (March 21) to fix documentation and default/example
configuration to contain "a better description" to this effect. That has
not yet happened.
There's a lot I don't like here but I think quoting macro arguments in
nrpe.cfg solves the immediate problem.
Martin.
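Added example, not NRPE's source and not part of the thread: a small C check of the kind the quoted #define feeds, run over a constructed two-line argument to show that only the patched list rejects it, plus an allow-list check as the stricter alternative. The function names and the allowed character set are assumptions.

```c
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

/* The two deny lists from the diff quoted in the thread. */
#define NASTY_METACHARS_PRE_FIX "|`&><'\"\\[]{};"
#define NASTY_METACHARS_PATCHED "|`&><'\"\\[]{};\n"

/* Hypothetical helper: true if s contains any byte from the deny list. */
static bool contains_nasty_metachars(const char *s, const char *nasty)
{
    return strpbrk(s, nasty) != NULL;
}

/* Hypothetical allow-list check: every byte must be in `allowed`, and the
 * argument must be non-empty. The set is an assumption; tighten it to what
 * the plugins exposed through nrpe.cfg really accept. */
static bool arg_is_allowed(const char *s)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
        "-_.:/@,= ";
    return *s != '\0' && strspn(s, allowed) == strlen(s);
}

/* Constructed sample: two plugin options split by a newline. */
static const char SAMPLE_MULTILINE_ARG[] = "-w 10\n-c 20";

int main(void)
{
    printf("pre-fix list rejects newline arg: %s\n",
           contains_nasty_metachars(SAMPLE_MULTILINE_ARG,
                                    NASTY_METACHARS_PRE_FIX) ? "yes" : "no");
    printf("patched list rejects newline arg: %s\n",
           contains_nasty_metachars(SAMPLE_MULTILINE_ARG,
                                    NASTY_METACHARS_PATCHED) ? "yes" : "no");
    printf("allow list rejects newline arg:   %s\n",
           arg_is_allowed(SAMPLE_MULTILINE_ARG) ? "no" : "yes");
    return 0;
}
```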
