Message-ID: <1398147647.27506.158.camel@juliet.mcarpenter.org>
Date: Tue, 22 Apr 2014 08:20:47 +0200
From: Martin Carpenter <mcarpenter@...e.fr>
To: oss-security@...ts.openwall.com
Cc: security@...ios.com
Subject: Re: CVE Request: Nagios Remote Plugin Executor <=
 2.15 Remote Command Execution

On Fri, 2014-04-18 at 10:14 +0800, Eduardo Tongson wrote:
> Details: http://seclists.org/fulldisclosure/2014/Apr/240
> This is similar to CVE-2013-1362
..
> -#define NASTY_METACHARS         "|`&><'\"\\[]{};"
> +#define NASTY_METACHARS         "|`&><'\"\\[]{};\n"
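
Review bot: the `+` line appends `\n` to `NASTY_METACHARS` without a comment saying why it belongs there; a one-line comment noting that the shell treats a newline as a command separator would keep it from being dropped in a later cleanup. Extending a denylist one character at a time also tends to lag behind the next report, so consider checking arguments against an allowlist of permitted characters instead.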

I had this discussion with the Nagios security team (CC'ed) in
February/March (this was also my suggested fix). Paraphrasing their
response:
1. Admitting \n is "expected behavior... not a bug"(!). Motivation:
permits use of \n to separate arguments coming from the client. Mmm.
2. Better: the problem can be mitigated by quoting macro arguments in
the server side configuration nrpe.cfg:

command[check_ssh]=/usr/local/nagios/libexec/check_ssh "$ARG1$"
                                                       ^      ^

They agreed (March 21) to fix documentation and default/example
configuration to contain "a better description" to this effect. That has
not yet happened.

There's a lot I don't like here but I think quoting macro arguments in
nrpe.cfg solves the immediate problem.

Martin.
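
The nrpe.cfg mitigation discussed in this message, as an added example that is not part of the original post or of NRPE: a small Python check that reports `command[...]` definitions in which a `$ARGn$` macro sits outside double quotes. The function names and the sample configuration are constructed for illustration, and only double quoting, as shown in the message, counts as quoted.

```python
import re

# An NRPE command definition: command[name]=command line
COMMAND_RE = re.compile(r'^\s*command\[([^\]]+)\]\s*=\s*(.*)$')
MACRO_RE = re.compile(r'\$ARG\d+\$')

def unquoted_macros(command_line):
    """Return the $ARGn$ macros that appear outside double quotes."""
    found, in_quotes, i = [], False, 0
    while i < len(command_line):
        ch = command_line[i]
        m = MACRO_RE.match(command_line, i)
        if m:
            if not in_quotes:
                found.append(m.group(0))
            i = m.end()
            continue
        if ch == '"':
            in_quotes = not in_quotes
        # A backslash escapes the next character, so skip both.
        i += 2 if ch == '\\' else 1
    return found

def lint_nrpe_cfg(text):
    """Return (line number, command name, macros) for each risky definition."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = COMMAND_RE.match(line)  # comment lines do not match
        bad = unquoted_macros(m.group(2)) if m else []
        if bad:
            findings.append((lineno, m.group(1), bad))
    return findings

# Constructed sample configuration (assumption, not taken from the message).
SAMPLE_CFG = '''\
# constructed sample, not a real configuration
dont_blame_nrpe=1
command[check_ssh]=/usr/local/nagios/libexec/check_ssh "$ARG1$"
command[check_disk]=/usr/local/nagios/libexec/check_disk -w $ARG1$ -c "$ARG2$"
#command[check_old]=/usr/local/nagios/libexec/check_old $ARG1$
command[check_load]=/usr/local/nagios/libexec/check_load -w 5,4,3
'''

if __name__ == "__main__":
    for lineno, name, macros in lint_nrpe_cfg(SAMPLE_CFG):
        print(f"line {lineno}: command[{name}] has unquoted {', '.join(macros)}")
```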

