[Pkg-nagios-devel] possible security hole in nagios3 version in lenny
Sébastien Chaumat
euidzero at gmail.com
Mon Sep 14 09:35:43 UTC 2009
this is similar to : #404941
Regards
Sebastien
2009/9/14 Sébastien Chaumat <euidzero at gmail.com>:
> Hello,
>
> I wanted to discuss the following possible bug in nagios3 in Lenny
> because it has a potential security implication. I do not want to
> report it publicly without prior discussion.
>
> steps :
>
> 0/ nagios should be configured with a host-notify-by-email involving
> the /usr/bin/mail command :
> like :
>
> /usr/bin/printf "%b" "***** centreon Notification
> *****\n\nType:$NOTIFICATIONTYPE$\nHost: $HOSTNAME$\nState:
> $HOSTSTATE$\nAddress: $HOSTADDRESS$\nInfo: $HOSTOUTPUT$\nDate/Time:
> $DATE$" | /usr/bin/mail -s "Host $HOSTSTATE$ alert for $HOSTNAME$!"
> $CONTACTEMAIL$
>
> 1/ as a sudoer (very important) do : /etc/init.d/nagios3 start
> 2/ as root strace -e open -f -p NAGIOPID -o /tmp/strace-nagios.out
> 3/ force a host down alert : this will trigger a host-notify-by-email
>
> 4/ stop the strace
> 5/ grep mailrc /tmp/strace-nagios.out
>
> in my case the .mailrc file loaded by nagios was the one of the
> unprivileged user who launched the nagios init script.
>
> Thus the HOME variable is NOT set to nagios HOME leading to possible
> local exploits.
>
> Could you please try to reproduce this and let me know your conclusions ?
>
> Thanks in advance,
> Sebastien Chaumat
>
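
A check for the condition reported above, as an added example that is not part of the original thread: it reads a process's environment from /proc (Linux) and compares HOME with the home directory of the account the process runs as. The function names are hypothetical, and /var/lib/nagios and /home/alice are constructed sample values, not taken from the report.

```shell
#!/bin/sh
# Added example: flag a daemon whose HOME still points at the invoking
# user's home (e.g. after being started through sudo), so that tools it
# spawns, such as /usr/bin/mail, would read that user's dotfiles.

# home_from_environ FILE: print HOME from a NUL-separated environ file
# (the format of /proc/PID/environ, which holds the environment at exec time).
home_from_environ() {
    tr '\000' '\n' < "$1" | sed -n 's/^HOME=//p' | head -n 1
}

# check_daemon_home ENVIRON_FILE EXPECTED_HOME
# returns 0 = HOME matches, 1 = mismatch, 2 = HOME not set
check_daemon_home() {
    actual=$(home_from_environ "$1")
    if [ -z "$actual" ]; then
        echo "HOME is not set (expected $2)"
        return 2
    fi
    if [ "$actual" = "$2" ]; then
        echo "OK: HOME=$actual"
        return 0
    fi
    echo "MISMATCH: HOME=$actual, account home is $2"
    return 1
}

# check_pid PID: live check; run as root so /proc/PID/environ is readable.
check_pid() {
    # Third field of the Uid: line is the effective uid
    uid=$(awk '/^Uid:/ {print $3}' "/proc/$1/status")
    expected=$(getent passwd "$uid" | cut -d: -f6)
    check_daemon_home "/proc/$1/environ" "$expected"
}

# Constructed sample: environment of a daemon started by user "alice"
# through sudo, while the service account's home is assumed to be
# /var/lib/nagios.
sample=$(mktemp)
printf 'PATH=/usr/bin:/bin\000HOME=/home/alice\000USER=root\000' > "$sample"
check_daemon_home "$sample" /var/lib/nagios || true
rm -f "$sample"
```

On a live system, `check_pid` with the daemon's PID performs the same comparison against the account database.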