oss-security - Re: CVE Request: Nagios Remote Plugin Executor <= 2.15 Remote Command Execution

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Message-ID: <20140418011605.5524ce40.reed@reedloden.com>
Date: Fri, 18 Apr 2014 01:16:05 -0700
From: Reed Loden <reed@...dloden.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: Nagios Remote Plugin Executor <=
 2.15 Remote Command Execution

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 18 Apr 2014 09:03:17 +0100
John Haxby <john.haxby@...cle.com> wrote:

> And ‘$’   you have ` but you don’t guard against $(do something unpleasant).

See the original advisory
(http://seclists.org/fulldisclosure/2014/Apr/240), which calls bash
command substitutions out as being handled already.

Specifically:

""""
The code is also making sure that arguments do not contain bash command
substitution i.e. $(ps aux)

if(strstr(macro_argv[x],"$(")) {
        syslog(LOG_ERR,"Error: Request contained a bash command
substitution!"); return ERROR;
""""

~reed
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iKYEARECAGYFAlNQ30xfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl
bnBncC5maWZ0aGhvcnNlbWFuLm5ldDZCNTZGOUFDMDdCNjg1RDdEQzQ1NjBEQTZC
QTIyMjI2RjNDMzNENUEACgkQa6IiJvPDPVojoQCfanlDh9kJQi2iZB4JX55fGoL6
hqsAoNhC4WFK/R3CqUdu6XfZObfnyWFY
=KpWS
-----END PGP SIGNATURE-----

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.