Bug#701227: [Pkg-nagios-devel] Bug#701227: nagios-nrpe: CVE-2013-1362: allows the passing of $() as command arguments to execute shell commands

2013-03-04 Thread Alexander Wirt
Salvatore Bonaccorso schrieb am Sunday, den 03. March 2013:

 Control: tags -1 + patch
 
 Hi Alex
 
 On Sat, Feb 23, 2013 at 01:19:14PM +0100, Alexander Wirt wrote:
  On Sat, 23 Feb 2013, Salvatore Bonaccorso wrote:
  
   On Sat, Feb 23, 2013 at 08:33:20AM +0100, Salvatore Bonaccorso wrote:
    In the Debian package we have explicitly --enable-command-args so the
    Debian package looks affected.
   
   But it needs to be explicitly enabled in /etc/nagios/nrpe.cfg; this should be
   added to the above.
  Yeah we disable that feature by default and add some big warnings to the
  documentation. Nobody ever thought that command-args via nrpe are secure. 
 
 How about disallowing $() completely in case command arguments are
 enabled? I tried to extract the relevant part, see attached debdiff.
 But it's not yet tested.
In fact it looks like the patch on my disk :). I am sorry for not handling
this earlier, but our new bathroom took my whole spare time in the last
weeks.

It should be better this week.

Alex
-- 
Alexander Wirt, formo...@formorer.de 
CC99 2DDD D39E 75B0 B0AA  B25C D35B BC99 BC7D 020A


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#701227: [Pkg-nagios-devel] Bug#701227: nagios-nrpe: CVE-2013-1362: allows the passing of $() as command arguments to execute shell commands

2013-03-04 Thread Salvatore Bonaccorso
Hey Alex

On Mon, Mar 04, 2013 at 09:06:52AM +0100, Alexander Wirt wrote:
[...]
 In fact it looks like the patch on my disk :). I am sorry for not handling
 this earlier, but our new bathroom took my whole spare time in the last
 weeks.
 
 It should be better this week.

Okay and thank you!

Salvatore





Bug#701227: [Pkg-nagios-devel] Bug#701227: nagios-nrpe: CVE-2013-1362: allows the passing of $() as command arguments to execute shell commands

2013-03-03 Thread Salvatore Bonaccorso
Control: tags -1 + patch

Hi Alex

On Sat, Feb 23, 2013 at 01:19:14PM +0100, Alexander Wirt wrote:
 On Sat, 23 Feb 2013, Salvatore Bonaccorso wrote:
 
  On Sat, Feb 23, 2013 at 08:33:20AM +0100, Salvatore Bonaccorso wrote:
   In the Debian package we have explicitly --enable-command-args so the
   Debian package looks affected.
  
  But it needs to be explicitly enabled in /etc/nagios/nrpe.cfg; this should be
  added to the above.
 Yeah we disable that feature by default and add some big warnings to the
 documentation. Nobody ever thought that command-args via nrpe are secure. 

How about disallowing $() completely in case command arguments are
enabled? I tried to extract the relevant part, see attached debdiff.
But it's not yet tested.

Regards,
Salvatore
diff -u nagios-nrpe-2.13/debian/changelog nagios-nrpe-2.13/debian/changelog
--- nagios-nrpe-2.13/debian/changelog
+++ nagios-nrpe-2.13/debian/changelog
@@ -1,3 +1,15 @@
+nagios-nrpe (2.13-2.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Add 08_CVE-2013-1362.dpatch patch.
+If command arguments are enabled in the NRPE configuration, it was
+possible to pass $() as arguments as the checking for nasty caracters
+was not strict enough to catch $(). This allowed executing shell
+commands under a subprocess and pass the output as a parameter to the
+called script (if run under bash). CVE-2013-1362 (Closes: #701227)
+
+ -- Salvatore Bonaccorso car...@debian.org  Sun, 03 Mar 2013 23:39:37 +0100
+
 nagios-nrpe (2.13-2) unstable; urgency=high
 
   [ Thijs Kinkhorst ]
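Review bot: "caracters" in the new changelog entry (the line "possible to pass $() as arguments as the checking for nasty caracters") should read "characters". The entry also only describes the effect of the bug; since upstream 2.14 fixed this with a configure option that disables bash command substitutions by default (see the upstream changelog quoted in the original report), it would help to state here that this NMU applies a narrower substring check in nrpe.c rather than the upstream change, so the difference is visible to anyone comparing 2.13-2.1 with 2.14.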
diff -u nagios-nrpe-2.13/debian/patches/00list 
nagios-nrpe-2.13/debian/patches/00list
--- nagios-nrpe-2.13/debian/patches/00list
+++ nagios-nrpe-2.13/debian/patches/00list
@@ -7,0 +8 @@
+08_CVE-2013-1362.dpatch
only in patch2:
unchanged:
--- nagios-nrpe-2.13.orig/debian/patches/08_CVE-2013-1362.dpatch
+++ nagios-nrpe-2.13/debian/patches/08_CVE-2013-1362.dpatch
@@ -0,0 +1,26 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 08_CVE-2013-1362.dpatch by Salvatore Bonaccorso car...@debian.org
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: nagios-nrpe prior to 2.14 allows the passing of $() as command
+## DP: arguments to execute shell commands if command arguments are
+## DP: explicitly enabled. Filtering out nasty caracters is not 
+## DP: strict enough to disallow $(), allowing executing shell commands
+## DP: under a subprocess and pass the output as a parameter to the
+## DP: called script (if run under bash).
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' 
'--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' 
nagios-nrpe~/src/nrpe.c nagios-nrpe/src/nrpe.c
+--- nagios-nrpe~/src/nrpe.c2013-03-03 23:13:22.0 +0100
 nagios-nrpe/src/nrpe.c 2013-03-03 23:15:51.621025795 +0100
+@@ -1749,6 +1749,10 @@
+   syslog(LOG_ERR,Error: Request contained an 
empty command argument);
+   return ERROR;
+   }
++  if(strstr(macro_argv[x],$()) {
++  syslog(LOG_ERR,Error: Request contained a bash 
command substitution!);
++  return ERROR;
++  }
+   }
+   }
+ #endif
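Review bot: the new check at `if(strstr(macro_argv[x],"$(")` rejects any argument containing the two-character sequence `$(` and logs it as "a bash command substitution"; the log text should describe what is actually matched. The DP description itself says the existing "nasty characters" filter is not strict enough, which points to extending that filter (or porting the upstream 2.14 change) rather than adding a separate substring test after it. The string literal quotes also appear stripped in the mail rendering, so confirm the dpatch applies and compiles from the attached file. Since the cover mail says this is untested, at minimum exercise it with one argument containing `$(` and one plain argument to confirm the former is rejected with the new syslog message and the latter still reaches the plugin.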


Bug#701227: nagios-nrpe: CVE-2013-1362: allows the passing of $() as command arguments to execute shell commands

2013-02-23 Thread Salvatore Bonaccorso
On Sat, Feb 23, 2013 at 08:33:20AM +0100, Salvatore Bonaccorso wrote:
 In the Debian package we have explicitly --enable-command-args so the
 Debian package looks affected.

But it needs to be explicitly enabled in /etc/nagios/nrpe.cfg; this should be
added to the above.

Regards,
Salvatore





Bug#701227: [Pkg-nagios-devel] Bug#701227: nagios-nrpe: CVE-2013-1362: allows the passing of $() as command arguments to execute shell commands

2013-02-23 Thread Alexander Wirt
On Sat, 23 Feb 2013, Salvatore Bonaccorso wrote:

 On Sat, Feb 23, 2013 at 08:33:20AM +0100, Salvatore Bonaccorso wrote:
  In the Debian package we have explicitly --enable-command-args so the
  Debian package looks affected.
 
 But it needs to be explicitly enabled in /etc/nagios/nrpe.cfg; this should be
 added to the above.
Yeah we disable that feature by default and add some big warnings to the
documentation. Nobody ever thought that command-args via nrpe are secure. 

Alex





Bug#701227: nagios-nrpe: CVE-2013-1362: allows the passing of $() as command arguments to execute shell commands

2013-02-22 Thread Salvatore Bonaccorso
Package: nagios-nrpe
Severity: grave
Tags: security

Hi

On the bugtraq mailing list it was reported publicly [1]. If support for
command arguments in the daemon is enabled then it would be possible
to pass $() and possibly execute shell commands when run under bash.

Upstream has released 2.14 containing a patch and disabling bash
command substitutions by default:

2.14 - 12/21/2012
-
- Added configure option to allow bash command substitutions, disabled by 
default [bug #400] (Eric Stanley)
- Patched to shutdown SSL connection completely (Jari Takkala)
- Added SRC support on AIX (Thierry Bertaud)
- Updated RPM SPEC file to support creating RPMs on AIX (Eric Stanley)
- Updated logging to support compiling on AIX (Eric Stanley)

According to [1], there is CVE-2013-1362 assigned to it.

In the Debian package we have explicitly --enable-command-args so the
Debian package looks affected.
 
 [1]: http://seclists.org/bugtraq/2013/Feb/119

Regards,
Salvatore
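To make the argument check discussed in this thread concrete, here is an added example (written for this discussion, not code from nrpe.c or from the debdiff earlier in the thread): a metacharacter scan in the style of the pre-2.14 filter, which by itself lets `$(` through, followed by the substring test the debdiff adds, and an allowlist alternative for comparison. The metacharacter set and the allowlisted characters are assumptions for this example, not NRPE's actual definitions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Assumed metacharacter set for this example; NRPE's real list lives in
 * nrpe.h and may differ. '$', '(' and ')' are not in it, which is why a
 * scan of this kind alone does not stop "$(". */
static const char NASTY_METACHARS[] = "|`&><'\"\\[]{}";

enum arg_status { ARG_OK = 0, ARG_EMPTY, ARG_NASTY_CHAR, ARG_CMD_SUBST };

/* Denylist check in the order the debdiff applies it: reject empty
 * arguments, then metacharacters, then the "$(" substring. */
enum arg_status check_arg_denylist(const char *arg)
{
    if (arg == NULL || arg[0] == '\0')
        return ARG_EMPTY;
    if (strpbrk(arg, NASTY_METACHARS) != NULL)
        return ARG_NASTY_CHAR;
    if (strstr(arg, "$(") != NULL)          /* the CVE-2013-1362 addition */
        return ARG_CMD_SUBST;
    return ARG_OK;
}

/* Allowlist alternative: accept only alphanumerics plus the punctuation
 * plugin arguments commonly need; anything else is rejected without
 * having to enumerate dangerous sequences. The accepted set is an
 * assumption and should be tuned per deployment. */
bool arg_is_allowlisted(const char *arg)
{
    if (arg == NULL || arg[0] == '\0')
        return false;
    for (const unsigned char *p = (const unsigned char *)arg; *p != '\0'; p++) {
        if (!isalnum(*p) && strchr(" _-.:/=,@%", *p) == NULL)
            return false;
    }
    return true;
}
```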

