Re: [Nagios-devel] Addressing security vulnerabilities
Posted: Mon Dec 17, 2012 1:49 pm
On 11/29/12 4:43 AM, Andreas Ericsson wrote:
> On 11/28/2012 03:46 PM, Rudolph Pereira wrote:
>> Yes, I have tested this - we were able to compromise a host at a
>> client using this.
>>
>> I think use of execve() would be fine, though wasn't sure if you loss
>> of variable expansion would be acceptable.
>>
> Shell variables have never been officially supported in NRPE, so it's
> not a huge issue. I'm not the NRPE maintainer, but I imagine that a
> patch of some sort that resolves a potential remote-shell exploit would
> be welcome. Once you have it and have contacted Eric Stanley and gotten
> some sort of response out of him, a CVE id should be procured. I can do
> that if you're unfamiliar with the process (which is really simple).
>
> If so, send me the info you've got in as brief as possible format with
> an extended explanation and description of how to exploit it and I'll
> make sure it gets posted to the right places.
>
> Thanks.
>
I have just submitted a patch for this issue. Bash command substitution
can still
enabled, but it must be done with both a configure-time option and and
configuration
file option, similar to enabling command arguments.
Please grab a copy of the current code and test it. If it looks good, we
should create a
new release, since it's been a while and there are a few other changes
that have been
committed.
Thanks,
Eric
--
Eric Stanley
___
Developer
Nagios Enterprises, LLC
Email: [email protected]
Web: www.nagios.com
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
> On 11/28/2012 03:46 PM, Rudolph Pereira wrote:
>> Yes, I have tested this - we were able to compromise a host at a
>> client using this.
>>
>> I think use of execve() would be fine, though wasn't sure if you loss
>> of variable expansion would be acceptable.
>>
> Shell variables have never been officially supported in NRPE, so it's
> not a huge issue. I'm not the NRPE maintainer, but I imagine that a
> patch of some sort that resolves a potential remote-shell exploit would
> be welcome. Once you have it and have contacted Eric Stanley and gotten
> some sort of response out of him, a CVE id should be procured. I can do
> that if you're unfamiliar with the process (which is really simple).
>
> If so, send me the info you've got in as brief as possible format with
> an extended explanation and description of how to exploit it and I'll
> make sure it gets posted to the right places.
>
> Thanks.
>
I have just submitted a patch for this issue. Bash command substitution
can still
enabled, but it must be done with both a configure-time option and and
configuration
file option, similar to enabling command arguments.
Please grab a copy of the current code and test it. If it looks good, we
should create a
new release, since it's been a while and there are a few other changes
that have been
committed.
Thanks,
Eric
--
Eric Stanley
___
Developer
Nagios Enterprises, LLC
Email: [email protected]
Web: www.nagios.com
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]