[Pkg-nagios-devel] possible security hole in nagios3 version in lenny
Sébastien Chaumat
euidzero at gmail.com
Mon Sep 14 09:14:22 UTC 2009
Hello,
I wanted to discuss the following possible bug in nagios3 in Lenny
because it has a potential security implication. I do not want to
report it publicly without prior discussion.
Steps:
0/ nagios should be configured with a host-notify-by-email involving
the /usr/bin/mail command, like:
/usr/bin/printf "%b" "***** centreon Notification *****\n\nType:$NOTIFICATIONTYPE$\nHost: $HOSTNAME$\nState: $HOSTSTATE$\nAddress: $HOSTADDRESS$\nInfo: $HOSTOUTPUT$\nDate/Time: $DATE$" | /usr/bin/mail -s "Host $HOSTSTATE$ alert for $HOSTNAME$!" $CONTACTEMAIL$
1/ as a sudoer (very important) do: /etc/init.d/nagios3 start
2/ as root: strace -e open -f -p NAGIOPID -o /tmp/strace-nagios.out
3/ force a host down alert: this will trigger a host-notify-by-email
4/ stop the strace
5/ grep mailrc /tmp/strace-nagios.out
In my case the .mailrc file loaded by nagios was the one of the
unprivileged user who launched the nagios init script.
Thus the HOME variable is NOT set to nagios HOME, leading to possible
local exploits.
Could you please try to reproduce this and let me know your conclusions?
Thanks in advance,
Sebastien Chaumat
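
A defender-side check for the condition reported above, as an added example that is not part of the original message: it compares the HOME a daemon inherited (as recorded in /proc/PID/environ) with the home directory of the account it runs as. The function names and the sample passwd/environ data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit whether a daemon's inherited HOME matches its account's home.

# Print the HOME value from a NUL-separated environment file
# (the format of /proc/PID/environ); prints nothing if HOME is absent.
environ_home() {
    tr '\0' '\n' < "$1" | sed -n 's/^HOME=//p' | head -n 1
}

# Print the home directory of user $1 from passwd-format file $2.
passwd_home() {
    awk -F: -v u="$1" '$1 == u { print $6; exit }' "$2"
}

# check_daemon_home ENVIRON_FILE USER PASSWD_FILE
# Returns 0 if HOME matches, 1 on mismatch, 2 if HOME is unset,
# 3 if the user is not in the passwd file.
check_daemon_home() {
    want=$(passwd_home "$2" "$3")
    [ -n "$want" ] || { echo "UNKNOWN-USER $2"; return 3; }
    got=$(environ_home "$1")
    [ -n "$got" ] || { echo "UNSET expected=$want"; return 2; }
    if [ "$got" = "$want" ]; then
        echo "OK $got"
    else
        echo "MISMATCH got=$got expected=$want"
        return 1
    fi
}

# Constructed sample (not from a real system): a daemon account "nagios"
# whose process still carries the HOME of the user who ran the init script.
demo() {
    d=$(mktemp -d) || return 1
    printf 'nagios:x:106:114::/var/lib/nagios:/bin/false\n' > "$d/passwd"
    printf 'alice:x:1000:1000::/home/alice:/bin/bash\n' >> "$d/passwd"
    printf 'PATH=/usr/sbin:/usr/bin\0HOME=/home/alice\0LANG=C\0' > "$d/environ"
    rc=0
    check_daemon_home "$d/environ" nagios "$d/passwd" || rc=$?
    rm -rf "$d"
    return $rc
}

demo || true
```

On a live system, run it as root against the real files: check_daemon_home /proc/PID/environ nagios /etc/passwd, where PID is the daemon's process id.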