Yes, I have tested this - we were able to compromise a host at a
client using this.
I think use of execve() would be fine, though wasn't sure if the loss
of variable expansion would be acceptable.
On Wed, Nov 28, 2012 at 6:36 AM, Andreas Ericsson wrote:
> On 11/27/2012 05:11 PM, Rudolph Pereira wrote:
>> Hi all,
>>
>> I submitted http://tracker.nagios.org/view.php?id=400 a while ago and
>> have had little to no response on it, even though it is a serious
>> issue.
>>
>> I am looking for suggestions on how to deal with this; given the
>> seriousness of the issue and how many users it affects I believe a
>> security vulnerability notice should go out at the very least. Should
>> I be working with ocert or some other intermediary on this?
>>
>
> Have you tested this exploit? It might be blocked by how NRPE handles
> command line arguments.
>
> One very simple way around it would otherwise be to disallow relative
> paths to commands and use execve() to execute the checks. That way,
> the plugin will get '$(lalafoo)' as an argument rather than the output
> of that command.
>
> --
> Andreas Ericsson andreas.ericsson@op5.se
> OP5 AB www.op5.se
> Tel: +46 8-230225 Fax: +46 8-230231
>
> Considering the successes of the wars on alcohol, poverty, drugs and
> terror, I think we should give some serious thought to declaring war
> on peace.
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: rudolph.pereira+nagios@occamsec.com