Date: Tue, 22 Apr 2014 08:20:47 +0200
From: Martin Carpenter <mcarpenter@...e.fr>
To: oss-security@...ts.openwall.com
Cc: security@...ios.com
Subject: Re: CVE Request: Nagios Remote Plugin Executor <= 2.15 Remote Command Execution

On Fri, 2014-04-18 at 10:14 +0800, Eduardo Tongson wrote:
> Details: http://seclists.org/fulldisclosure/2014/Apr/240
> This is similar to CVE-2013-1362
..
> -#define NASTY_METACHARS         "|`&><'\"\\[]{};"
> +#define NASTY_METACHARS         "|`&><'\"\\[]{};\n"
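
Review bot: the `+` line extends NASTY_METACHARS with "\n" but not "\r", and the define has no comment saying what the list is for or why newline now belongs in it. If carriage returns have no legitimate use in arguments, add "\r" in the same change, and put a one-line comment above the define recording the reason for the newline entry. A denylist like this needs another entry each time a character turns out to be missing, so checking arguments against an allowed character set would be the sturdier follow-up.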

I had this discussion with the Nagios security team (CC'ed) in
February/March (this was also my suggested fix). Paraphrasing their
response:
1. Admitting \n is "expected behavior... not a bug"(!). Motivation:
permits use of \n to separate arguments coming from the client. Mmm.
2. Better: the problem can be mitigated by quoting macro arguments in
the server side configuration nrpe.cfg:

command[check_ssh]=/usr/local/nagios/libexec/check_ssh "$ARG1$"
                                                       ^      ^

They agreed (March 21) to fix documentation and default/example
configuration to contain "a better description" to this effect. That has
not yet happened.

There's a lot I don't like here but I think quoting macro arguments in
nrpe.cfg solves the immediate problem.

Martin.
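
The two measures discussed in this message, as an added example (not code from the e-mail or from NRPE itself): a check of an argument against the denylist before and after the quoted patch, and a small audit helper that counts `$ARGn$` macros in an nrpe.cfg command line that are not inside double quotes. The function names `has_nasty` and `unquoted_arg_macros` are hypothetical, the sample strings are constructed, and the helper assumes only plain double-quote quoting as in the check_ssh line above.

```c
#include <stdio.h>
#include <string.h>

/* The two denylists from the quoted patch (before / after). */
#define NASTY_METACHARS_OLD "|`&><'\"\\[]{};"
#define NASTY_METACHARS_NEW "|`&><'\"\\[]{};\n"

/* Returns 1 if arg contains any character from denylist, else 0. */
int has_nasty(const char *arg, const char *denylist) {
    return strpbrk(arg, denylist) != NULL;
}

/* Hypothetical audit helper: number of $ARGn$ macros in one nrpe.cfg
 * "command[...]=" line that sit outside double quotes. Assumption: only
 * plain "..." quoting is tracked (no backslash escapes, no single quotes). */
int unquoted_arg_macros(const char *line) {
    int in_dq = 0, count = 0;
    const char *p = strchr(line, '=');
    if (strncmp(line, "command[", 8) != 0 || p == NULL)
        return 0;                        /* not a command definition */
    for (p++; *p; p++) {
        if (*p == '"') { in_dq = !in_dq; continue; }
        if (strncmp(p, "$ARG", 4) == 0) {
            const char *q = p + 4;
            while (*q >= '0' && *q <= '9') q++;
            if (q > p + 4 && *q == '$') { /* complete $ARG<digits>$ macro */
                if (!in_dq) count++;
                p = q;                    /* resume after the closing '$' */
            }
        }
    }
    return count;
}

int main(void) {
    const char *arg = "first\nsecond";    /* constructed argument */
    const char *bare =                    /* constructed config lines */
        "command[check_ssh]=/usr/local/nagios/libexec/check_ssh $ARG1$";
    const char *quoted =
        "command[check_ssh]=/usr/local/nagios/libexec/check_ssh \"$ARG1$\"";
    printf("old list rejects newline: %d\n", has_nasty(arg, NASTY_METACHARS_OLD));
    printf("new list rejects newline: %d\n", has_nasty(arg, NASTY_METACHARS_NEW));
    printf("unquoted macros (bare):   %d\n", unquoted_arg_macros(bare));
    printf("unquoted macros (quoted): %d\n", unquoted_arg_macros(quoted));
    return 0;
}
```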

