Bug#701227: [Pkg-nagios-devel] Bug#701227: nagios-nrpe: CVE-2013-1362: allows the passing of $() as command arguments to execute shell commands
Salvatore Bonaccorso wrote on Sunday, 03 March 2013:
> Control: tags -1 + patch
>
> Hi Alex
>
> On Sat, Feb 23, 2013 at 01:19:14PM +0100, Alexander Wirt wrote:
> > On Sat, 23 Feb 2013, Salvatore Bonaccorso wrote:
> > > On Sat, Feb 23, 2013 at 08:33:20AM +0100, Salvatore Bonaccorso wrote:
> > > > In the debian package we have explicitly --enable-command-args so the
> > > > Debian package looks affected.
> > > But needs to be explicitly enabled in /etc/nagios/nrpe.cfg, should be
> > > added to the above.
> > Yeah we disable that feature by default and add some big warnings to the
> > documentation. Nobody ever thought that command-args via nrpe are secure.
>
> How about disallowing $() completely in case command arguments are enabled?
>
> I tried to extract the relevant part, see attached debdiff. But it's not yet
> tested.
In fact it looks like the patch on my disk :). I am sorry for not handling this
earlier, but our new bathroom took my whole spare time in the last weeks. It
should be better this week.

Alex
-- 
Alexander Wirt, formo...@formorer.de
CC99 2DDD D39E 75B0 B0AA B25C D35B BC99 BC7D 020A

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#701227: [Pkg-nagios-devel] Bug#701227: nagios-nrpe: CVE-2013-1362: allows the passing of $() as command arguments to execute shell commands
Hey Alex

On Mon, Mar 04, 2013 at 09:06:52AM +0100, Alexander Wirt wrote:
[...]
> In fact it looks like the patch on my disk :). I am sorry for not handling
> this earlier, but our new bathroom took my whole spare time in the last
> weeks. It should be better this week.

Okay and thank you!

Salvatore
Bug#701227: [Pkg-nagios-devel] Bug#701227: nagios-nrpe: CVE-2013-1362: allows the passing of $() as command arguments to execute shell commands
Control: tags -1 + patch

Hi Alex

On Sat, Feb 23, 2013 at 01:19:14PM +0100, Alexander Wirt wrote:
> On Sat, 23 Feb 2013, Salvatore Bonaccorso wrote:
> > On Sat, Feb 23, 2013 at 08:33:20AM +0100, Salvatore Bonaccorso wrote:
> > > In the debian package we have explicitly --enable-command-args so the
> > > Debian package looks affected.
> > But needs to be explicitly enabled in /etc/nagios/nrpe.cfg, should be
> > added to the above.
> Yeah we disable that feature by default and add some big warnings to the
> documentation. Nobody ever thought that command-args via nrpe are secure.

How about disallowing $() completely in case command arguments are enabled?

I tried to extract the relevant part, see attached debdiff. But it's not yet
tested.

Regards,
Salvatore

diff -u nagios-nrpe-2.13/debian/changelog nagios-nrpe-2.13/debian/changelog --- nagios-nrpe-2.13/debian/changelog +++ nagios-nrpe-2.13/debian/changelog @@ -1,3 +1,15 @@ +nagios-nrpe (2.13-2.1) unstable; urgency=low + + * Non-maintainer upload. + * Add 08_CVE-2013-1362.dpatch patch. +If command arguments are enabled in the NRPE configuration, it was +possible to pass $() as arguments as the checking for nasty caracters +was not strict enough to catch $(). This allowed executing shell +commands under a subprocess and pass the output as a parameter to the +called script (if run under bash). CVE-2013-1362 (Closes: #701227) + + -- Salvatore Bonaccorso car...@debian.org Sun, 03 Mar 2013 23:39:37 +0100 + nagios-nrpe (2.13-2) unstable; urgency=high [ Thijs Kinkhorst ] diff -u nagios-nrpe-2.13/debian/patches/00list nagios-nrpe-2.13/debian/patches/00list --- nagios-nrpe-2.13/debian/patches/00list +++ nagios-nrpe-2.13/debian/patches/00list @@ -7,0 +8 @@ +08_CVE-2013-1362.dpatch only in patch2: unchanged: --- nagios-nrpe-2.13.orig/debian/patches/08_CVE-2013-1362.dpatch +++ nagios-nrpe-2.13/debian/patches/08_CVE-2013-1362.dpatch
@@ -0,0 +1,26 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 08_CVE-2013-1362.dpatch by Salvatore Bonaccorso car...@debian.org +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: nagios-nrpe prior to 2.14 allows the passing of $() as command +## DP: arguments to execute shell commands if command arguments are +## DP: explicitly enabled. Filtering out nasty caracters is not +## DP: strict enough to disallow $(), allowing executing shell commands +## DP: under a subprocess and pass the output as a parameter to the +## DP: called script (if run under bash). + +@DPATCH@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' nagios-nrpe~/src/nrpe.c nagios-nrpe/src/nrpe.c +--- nagios-nrpe~/src/nrpe.c2013-03-03 23:13:22.0 +0100 nagios-nrpe/src/nrpe.c 2013-03-03 23:15:51.621025795 +0100 +@@ -1749,6 +1749,10 @@ + syslog(LOG_ERR,Error: Request contained an empty command argument); + return ERROR; + } ++ if(strstr(macro_argv[x],$()) { ++ syslog(LOG_ERR,Error: Request contained a bash command substitution!); ++ return ERROR; ++ } + } + } + #endif
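Review bot: the changelog entry's line "possible to pass $() as arguments as the checking for nasty caracters" has a typo, "caracters" should be "characters"; the same misspelling ("Filtering out nasty caracters") is in the DP: description of 08_CVE-2013-1362.dpatch, so fix both before upload.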
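Review bot: the needle passed to strstr in the new check inside the macro_argv loop appears here with its quotes lost, as strstr(macro_argv[x],$(); make sure the literal in the actual dpatch is "$(" and not "$()", because an argument such as $(id) never contains the three-character substring "$()" and would pass a check for it while still being substituted by bash. Since the debdiff is marked untested, one run of check_nrpe sending an argument like $(id) to a command that uses $ARG1$ would confirm that the syslog line "Request contained a bash command substitution!" and the return ERROR are actually reached. Two smaller points: the rejection is unconditional, whereas upstream 2.14 (quoted in the bug report) gates it behind a configure option that defaults to off, so say so in the DP: description to document the divergence; and backtick substitution is not covered by this hunk and relies on the existing nasty-characters filter the changelog refers to, so confirm that ` is in that set.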
Bug#701227: nagios-nrpe: CVE-2013-1362: allows the passing of $() as command arguments to execute shell commands
On Sat, Feb 23, 2013 at 08:33:20AM +0100, Salvatore Bonaccorso wrote:
> In the debian package we have explicitly --enable-command-args so the
> Debian package looks affected.

But needs to be explicitly enabled in /etc/nagios/nrpe.cfg, should be added to
the above.

Regards,
Salvatore
Bug#701227: [Pkg-nagios-devel] Bug#701227: nagios-nrpe: CVE-2013-1362: allows the passing of $() as command arguments to execute shell commands
On Sat, 23 Feb 2013, Salvatore Bonaccorso wrote:
> On Sat, Feb 23, 2013 at 08:33:20AM +0100, Salvatore Bonaccorso wrote:
> > In the debian package we have explicitly --enable-command-args so the
> > Debian package looks affected.
> But needs to be explicitly enabled in /etc/nagios/nrpe.cfg, should be
> added to the above.
Yeah we disable that feature by default and add some big warnings to the
documentation. Nobody ever thought that command-args via nrpe are secure.

Alex
Bug#701227: nagios-nrpe: CVE-2013-1362: allows the passing of $() as command arguments to execute shell commands
Package: nagios-nrpe
Severity: grave
Tags: security

Hi

On the bugtraq mailing list it was reported publicly[1]. If support for command
arguments in the daemon is enabled then it would be possible to pass $() and
possibly execute shell commands when run under bash.

Upstream has released 2.14 containing a patch and disabling bash command
substitutions by default:

2.14 - 12/21/2012
- Added configure option to allow bash command substitutions, disabled by default [bug #400] (Eric Stanley)
- Patched to shutdown SSL connection completely (Jari Takkala)
- Added SRC support on AIX (Thierry Bertaud)
- Updated RPM SPEC file to support creating RPMs on AIX (Eric Stanley)
- Updated logging to support compiling on AIX (Eric Stanley)

According to [1], there is CVE-2013-1362 assigned to it.

In the debian package we have explicitly --enable-command-args so the Debian
package looks affected.

[1]: http://seclists.org/bugtraq/2013/Feb/119

Regards,
Salvatore
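The bug report above says the daemon's nasty-character check was not strict enough to catch $(). The following is an added example, not code from NRPE, from the bug report, or from the Debian patch: it models a character blacklist in the style of NRPE's NASTY_METACHARS beside the stricter "$(" substring check, and shows on constructed sample arguments that $(id) sails through the blacklist (none of '$', '(' or ')' is in it) while a backtick form does not. The blacklist contents, the function names and the sample arguments are assumptions for illustration; check them against the nrpe.c you actually ship.

```c
/* Added example (not NRPE's own code): why a metacharacter blacklist misses
 * $(...) and how a "$(" substring check closes that gap.
 * The blacklist below is an ASSUMPTION modelled on NRPE's NASTY_METACHARS. */
#include <stdio.h>
#include <string.h>

/* Assumed blacklist. Note that '$', '(' and ')' are absent, which is why a
 * bash command substitution is never rejected by this filter alone. */
#define NASTY_METACHARS "|`&><'\"\\[]{}"

/* Returns 1 if arg contains any blacklisted character, 0 otherwise. */
int contains_nasty_metachars(const char *arg) {
    return strpbrk(arg, NASTY_METACHARS) != NULL;
}

/* Returns 1 if arg contains the command-substitution opener "$(", 0 otherwise.
 * Matching the two-character opener (not the full "$()") is what makes
 * $(id), $(cat /etc/passwd) etc. all get caught. */
int contains_command_substitution(const char *arg) {
    return strstr(arg, "$(") != NULL;
}

/* Combined validation in the spirit of the patched argument loop: reject
 * empty arguments, blacklisted characters, and "$(".  Returns 0 when the
 * argument is acceptable and -1 otherwise; if reason is non-NULL it receives
 * a short string suitable for a syslog line. */
int validate_argument(const char *arg, const char **reason) {
    const char *why = NULL;
    if (arg == NULL || arg[0] == '\0')
        why = "empty command argument";
    else if (contains_nasty_metachars(arg))
        why = "nasty metacharacter";
    else if (contains_command_substitution(arg))
        why = "bash command substitution";
    if (reason)
        *reason = why ? why : "ok";
    return why ? -1 : 0;
}

int main(void) {
    /* Constructed sample arguments as a check_nrpe client might send them. */
    const char *samples[] = { "eth0", "10", "$(id)", "`id`", "x$(", "a|b", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *why;
        int rc = validate_argument(samples[i], &why);
        printf("%-8s blacklist=%d  subst=%d  -> %s (%s)\n",
               samples[i],
               contains_nasty_metachars(samples[i]),
               contains_command_substitution(samples[i]),
               rc == 0 ? "accept" : "reject", why);
    }
    return 0;
}
```

The interesting row is $(id): the blacklist column reads 0, so a daemon that relied on that filter alone would hand the argument to a shell-backed popen-style invocation, and if that shell is bash the substitution runs before the check plugin ever sees its parameter. The substring check is what turns that row into a rejection.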