Nasty_metachars issue in NRPE 4.0.3


Post by mohan23 »

Hi Team,

Recently we upgraded NRPE on all our client RHEL 7 servers, and we are seeing an illegal metachars issue on the client servers for NRPE:

Jul 20 18:28:22 host-001 nrpe[47299]: Error: Request contained illegal metachars!
Jul 20 18:28:22 host-001 nrpe[47299]: Client request from nagioshost was invalid, bailing out...
Jul 20 18:28:23 host-001 nrpe[47302]: Error: Request contained illegal metachars!
Jul 20 18:28:23 host-001 nrpe[47302]: Client request from nagioshost was invalid, bailing out...

But as per the GitHub changelog below from Nagios Enterprises, it says "Fixed nasty_metachars not being read from config file (#235) (Sebastian Wolf)"

https://github.com/NagiosEnterprises/nr ... ANGELOG.md

Below is the command and argument I'm running from the Nagios server and the error message I'm getting:

/usr/lib64/nagios/plugins/check_nrpe -u -t 60 -H host -c check_procs_args -a '-c 1: -C java --ereg-argument-array="-Dcatalina\.(home|base)=/srv/solrSlaveTcSrv"'
CHECK_NRPE: Receive header underflow - only 0 bytes received (4 expected).

Below is the option I'm adding in nrpe.cfg for overriding nasty_metachars:

nasty_metachars="|`&><'\\[]{};\r\n"

Can you let me know if overriding nasty_metachars is really fixed in the NRPE 4.0.3 version of the NRPE agent?

Appreciate quick help on this.

Post by scottwilkerson »

Your arguments contain the pipe | and it is in the nasty_metachars list, so the request is discarded.

Post by mohan23 »

Yes, but I want to override this by adding a nasty_metachars entry in nrpe.cfg. Even the latest NRPE version's fixed bug says the same, that we can override illegal metachars by adding an entry with nasty_metachars="|`&><'\\[]{};\r\n" in nrpe.cfg.

Post by mohan23 »

The request gets rejected even without the pipe symbol. I tried running the same command as below without the | symbol, and it gives the error message saying illegal metachars:

[root@nagioshost /]# /usr/lib64/nagios/plugins/check_nrpe -u -t 60 -H host -c check_procs_args -a '-c 1: -C java --ereg-argument-array="-Dcatalina.(home,base)=/srv/solrSlaveTcSrv"'
CHECK_NRPE: Receive header underflow - only 0 bytes received (4 expected).


Jul 20 23:56:54 host nrpe[9389]: Error: Request contained illegal metachars!
Jul 20 23:56:54 host nrpe[9389]: Client request from nagioshost was invalid, bailing out...
Jul 20 23:56:54 host nrpe[9391]: Error: Request contained illegal metachars!
Jul 20 23:56:54 host nrpe[9391]: Client request from nagioshost was invalid, bailing out...

Even the security.md that you provided says I can override this by adding this flag:

Nasty Metacharacters
To help prevent some nasty things from being done by evil clients, the following metacharacters are not allowed in client command arguments:

| ` & > < ' \ [ ] { } ; ! \r \n
You can override these defaults by adjusting the nasty_metachars flag in the config file.

Any client request which contains the above mentioned metachars is discarded.

Post by scottwilkerson »

I also noticed you have this:

nasty_metachars="|`&><'\\[]{};\r\n"

Being that you have " in this field, the double quote would be considered a nasty metachar.

Try

nasty_metachars=|`&><'\\[]{};\r\n

then restart NRPE.

Post by mohan23 »

Hi Scott,

Thank you for your reply. I tried adding the nasty_metachars entry like you suggested, and I'm still getting the issue with the \ and | symbols.

[root@nagios /]# /usr/lib64/nagios/plugins/check_nrpe -u -t 60 -H host -c check_procs_args -a '-c 1: -C java --ereg-argument-array="-Dcatalina\.(home|base)=/srv/solrSlaveTcSrv"'
CHECK_NRPE: Receive header underflow - only 0 bytes received (4 expected).

On the client machine, I'm still seeing logs with illegal characters:
Jul 21 18:15:17 host nrpe[68915]: Error: Request contained illegal metachars!
Jul 21 18:15:17 host nrpe[68915]: Client request from nagios was invalid, bailing out...


Can you please suggest what else I am missing here?

Post by scottwilkerson »

Yes, if you wanted to allow the | and \ you would need to change this to:

nasty_metachars=`&><'[]{};\r\n

removing the | and \\

I do want to note that allowing these chars on arguments does pose a risk for unintended command execution, and it may be best to hard-code these special commands and not pass arguments for them.
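The three nasty_metachars values tried in this thread, checked against the thread's argument string, as an added example that is not part of the original posts and is not NRPE source code. It assumes the text after `=` is used literally (quotes included, as the reply above says) with `\\`, `\r` and `\n` decoded; `decode_escapes` and `find_denied` are hypothetical names.

```c
/* Added example, not NRPE source: models the nasty_metachars deny-list check. */
#include <stdio.h>
#include <string.h>

/* Argument from the thread, as received once the shell strips the single quotes. */
static const char *THREAD_ARG = "-c 1: -C java --ereg-argument-array="
    "\"-Dcatalina\\.(home|base)=/srv/solrSlaveTcSrv\"";
static const char *CFG_VALUES[3] = {   /* the three nrpe.cfg values tried, in order */
    "\"|`&><'\\\\[]{};\\r\\n\"",       /* quoted: the quotes join the list */
    "|`&><'\\\\[]{};\\r\\n",           /* unquoted: | and \ are still denied */
    "`&><'[]{};\\r\\n",                /* | and \\ removed */
};

/* Assumption: the text after '=' is used literally, with \\ \r \n decoded. */
static void decode_escapes(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0' && o + 1 < outsz; i++) {
        char c = in[i];
        if (c == '\\' && in[i + 1] != '\0') {
            char n = in[++i];
            c = (n == 'r') ? '\r' : (n == 'n') ? '\n' : n;
        }
        out[o++] = c;
    }
    out[o] = '\0';
}

/* Collects each distinct denied character of arg in hits; returns how many. */
int find_denied(const char *cfg_value, const char *arg, char *hits, size_t hitsz)
{
    char deny[128];
    size_t n = 0;
    decode_escapes(cfg_value, deny, sizeof deny);
    memset(hits, 0, hitsz);
    for (const char *p = strpbrk(arg, deny); p != NULL; p = strpbrk(p + 1, deny))
        if (strchr(hits, *p) == NULL && n + 1 < hitsz)
            hits[n++] = *p;
    return (int)n;
}

int main(void)
{
    char hits[16];
    for (int i = 0; i < 3; i++)
        printf("%-22s -> %d denied: %s\n", CFG_VALUES[i],
               find_denied(CFG_VALUES[i], THREAD_ARG, hits, sizeof hits), hits);
    return 0;
}
```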