Addressing security vulnerabilities

Eric Stanley estanley at nagios.com
Mon Dec 17 14:49:11 CET 2012


On 11/29/12 4:43 AM, Andreas Ericsson wrote:
> On 11/28/2012 03:46 PM, Rudolph Pereira wrote:
>> Yes, I have tested this - we were able to compromise a host at a
>> client using this.
>>
>> I think use of execve() would be fine, though wasn't sure if the loss
>> of variable expansion would be acceptable.
>>
> Shell variables have never been officially supported in NRPE, so it's
> not a huge issue. I'm not the NRPE maintainer, but I imagine that a
> patch of some sort that resolves a potential remote-shell exploit would
> be welcome. Once you have it and have contacted Eric Stanley and gotten
> some sort of response out of him, a CVE id should be procured. I can do
> that if you're unfamiliar with the process (which is really simple).
>
> If so, send me the info you've got in as brief as possible format with
> an extended explanation and description of how to exploit it and I'll
> make sure it gets posted to the right places.
>
> Thanks.
>
I have just submitted a patch for this issue. Bash command substitution can
still be enabled, but it must be done with both a configure-time option and a
configuration file option, similar to enabling command arguments.

Please grab a copy of the current code and test it. If it looks good, we should
create a new release, since it's been a while and there are a few other changes
that have been committed.

Thanks,

Eric

-- 
Eric Stanley
___
Developer
Nagios Enterprises, LLC
Email:  estanley at nagios.com
Web:    www.nagios.com
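
The double gate described in the message above, as an added illustration (not NRPE's code and not the submitted patch): command substitution in a client-supplied argument is accepted only when both a build-time switch and a runtime configuration flag opt in. All names (`BUILD_ALLOWS_CMD_SUBST`, `agent_cfg`, `arg_is_acceptable`) and the metacharacter set are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical build-time switch (e.g. set by a configure option); 0 = compiled out. */
#ifndef BUILD_ALLOWS_CMD_SUBST
#define BUILD_ALLOWS_CMD_SUBST 0
#endif

/* Constructed metacharacter set for illustration; not the project's actual list. */
static const char SHELL_METACHARS[] = "|`&><'\"\\[]{};\r\n";

/* Hypothetical runtime settings, as they would be parsed from the config file. */
struct agent_cfg {
    int allow_arguments;   /* accept client-supplied arguments at all */
    int allow_cmd_subst;   /* accept "$(...)" inside those arguments  */
};

/* Substitution is honoured only when BOTH the build and the config opt in. */
static int cmd_subst_enabled(const struct agent_cfg *cfg, int build_allows)
{
    return build_allows && cfg->allow_cmd_subst;
}

/* Return 1 if the argument may be passed on, 0 if the request must be refused. */
int arg_is_acceptable(const char *arg, const struct agent_cfg *cfg, int build_allows)
{
    if (!cfg->allow_arguments)
        return 0;                       /* arguments disabled entirely */
    if (strpbrk(arg, SHELL_METACHARS) != NULL)
        return 0;                       /* always-rejected metacharacters */
    if (strstr(arg, "$(") != NULL && !cmd_subst_enabled(cfg, build_allows))
        return 0;                       /* substitution needs both gates */
    return 1;
}

int main(void)
{
    struct agent_cfg cfg = { 1, 1 };    /* config file opts in ... */
    const char *samples[] = { "/var/log", "$(date)", "a;b" };  /* constructed inputs */
    for (size_t i = 0; i < 3; i++)      /* ... but the default build does not */
        printf("%-10s -> %s\n", samples[i],
               arg_is_acceptable(samples[i], &cfg, BUILD_ALLOWS_CMD_SUBST)
                   ? "accept" : "reject");
    return 0;
}
```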

