[Pkg-nagios-devel] Bug#701227: Bug#701227: nagios-nrpe: CVE-2013-1362: allows the passing of $() as command arguments to execute shell commands
Salvatore Bonaccorso
carnil at debian.org
Sun Mar 3 22:41:47 UTC 2013
Control: tags -1 + patch
Hi Alex
On Sat, Feb 23, 2013 at 01:19:14PM +0100, Alexander Wirt wrote:
> On Sat, 23 Feb 2013, Salvatore Bonaccorso wrote:
>
> > On Sat, Feb 23, 2013 at 08:33:20AM +0100, Salvatore Bonaccorso wrote:
> > > In the Debian package we have explicitly --enable-command-args so the
> > > Debian packages look affected.
> >
> > But needs to be explicitly enabled in /etc/nagios/nrpe.cfg, should be
> > added to the above.
> Yeah we disable that feature by default and add some big warnings to the
> documentation. Nobody ever thought that command-args via nrpe are secure.
How about disallowing $() completely if command arguments are
enabled? I tried to extract the relevant part, see attached debdiff.
But it's not yet tested.
Regards,
Salvatore
-------------- next part --------------
diff -u nagios-nrpe-2.13/debian/changelog nagios-nrpe-2.13/debian/changelog
--- nagios-nrpe-2.13/debian/changelog
+++ nagios-nrpe-2.13/debian/changelog
@@ -1,3 +1,15 @@
+nagios-nrpe (2.13-2.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Add 08_CVE-2013-1362.dpatch patch.
+ If command arguments are enabled in the NRPE configuration, it was
+ possible to pass $() as arguments as the checking for nasty caracters
+ was not strict enough to catch $(). This allowed executing shell
+ commands under a subprocess and pass the output as a parameter to the
+ called script (if run under bash). CVE-2013-1362 (Closes: #701227)
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Sun, 03 Mar 2013 23:39:37 +0100
+
nagios-nrpe (2.13-2) unstable; urgency=high
[ Thijs Kinkhorst ]
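Review bot: the changelog line "+ possible to pass $() as arguments as the checking for nasty caracters" misspells "characters" (the same typo recurs in the DP: description of the new dpatch); since this text ends up in the published changelog, fix it before upload, and consider stating that upstream addressed this in 2.14, which the dpatch header already notes.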
diff -u nagios-nrpe-2.13/debian/patches/00list nagios-nrpe-2.13/debian/patches/00list
--- nagios-nrpe-2.13/debian/patches/00list
+++ nagios-nrpe-2.13/debian/patches/00list
@@ -7,0 +8 @@
+08_CVE-2013-1362.dpatch
only in patch2:
unchanged:
--- nagios-nrpe-2.13.orig/debian/patches/08_CVE-2013-1362.dpatch
+++ nagios-nrpe-2.13/debian/patches/08_CVE-2013-1362.dpatch
@@ -0,0 +1,26 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 08_CVE-2013-1362.dpatch by Salvatore Bonaccorso <carnil at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: nagios-nrpe prior to 2.14 allows the passing of $() as command
+## DP: arguments to execute shell commands if command arguments are
+## DP: explicitly enabled. Filtering out nasty caracters is not
+## DP: strict enough to disallow $(), allowing executing shell commands
+## DP: under a subprocess and pass the output as a parameter to the
+## DP: called script (if run under bash).
+
+ at DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' nagios-nrpe~/src/nrpe.c nagios-nrpe/src/nrpe.c
+--- nagios-nrpe~/src/nrpe.c 2013-03-03 23:13:22.000000000 +0100
++++ nagios-nrpe/src/nrpe.c 2013-03-03 23:15:51.621025795 +0100
+@@ -1749,6 +1749,10 @@
+ syslog(LOG_ERR,"Error: Request contained an empty command argument");
+ return ERROR;
+ }
++ if(strstr(macro_argv[x],"$(")) {
++ syslog(LOG_ERR,"Error: Request contained a bash command substitution!");
++ return ERROR;
++ }
+ }
+ }
+ #endif
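Review bot: the new check in the macro_argv[x] loop, "if(strstr(macro_argv[x],"$(")) {", rejects only the literal two-character sequence "$("; it does not by itself cover the backtick form of command substitution, so confirm that the existing nasty-character filter immediately above this hunk already rejects the backtick, otherwise the filter remains incomplete. Two smaller points: the log text "bash command substitution" is slightly misleading because $(...) is POSIX sh syntax, not bash-specific, and the cover mail says the debdiff is untested, so at least a build and a request containing "$(" should be exercised before upload.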
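The following is an added example, not part of this mail and not NRPE's own code. It shows the point under discussion in working C: a per-character "nasty characters" denylist that does not list '$' or '(' lets an argument containing "$(" through, an explicit substring check like the one in the attached debdiff closes that case, and an allowlist of permitted argument characters rejects it without having to enumerate shell syntax. The denylist contents, the allowlist, and all function names are constructed for this example and are not taken from the NRPE sources.

```c
/* Added example: validating NRPE-style command arguments.
 * Everything here is constructed for illustration; it is not NRPE code. */
#include <stdio.h>
#include <string.h>

/* Hypothetical per-character denylist in the spirit of a "nasty
 * characters" filter. Note that it contains neither '$' nor '('. */
static const char *NASTY_CHARS = "|`&><'\"\\[]{};";

/* Returns 1 if arg contains any denylisted character, else 0. */
int has_nasty_char(const char *arg) {
    return strpbrk(arg, NASTY_CHARS) != NULL;
}

/* The additional check the debdiff proposes: reject the literal "$("
 * sequence anywhere in the argument. */
int has_cmd_substitution(const char *arg) {
    return strstr(arg, "$(") != NULL;
}

/* Allowlist alternative (hypothetical set): accept only characters a
 * typical check plugin argument needs. Empty arguments are rejected. */
int is_allowlisted(const char *arg) {
    const char *ok = "abcdefghijklmnopqrstuvwxyz"
                     "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                     "0123456789_.,:=/@%-";
    size_t n = strlen(arg);
    if (n == 0)
        return 0;
    return strspn(arg, ok) == n;
}

/* Denylist-style verdict with the substring check added: 1 = accept. */
int arg_is_safe(const char *arg) {
    if (arg[0] == '\0')
        return 0;                      /* empty argument, as NRPE rejects */
    if (has_nasty_char(arg))
        return 0;
    if (has_cmd_substitution(arg))
        return 0;
    return 1;
}

int main(void) {
    /* Constructed sample arguments. */
    const char *samples[] = { "20%", "/var/log", "a;b", "x$(y)z", "" };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *a = samples[i];
        printf("%-10s denylist-only=%d  denylist+substr=%d  allowlist=%d\n",
               a, !has_nasty_char(a) && a[0] != '\0',
               arg_is_safe(a), is_allowlisted(a));
    }
    return 0;
}
```

Running it shows "x$(y)z" passing the bare denylist while both the substring check and the allowlist reject it; an allowlist is the more robust default because it needs no knowledge of which shell constructs exist.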