Addressing security vulnerabilities

Rudolph Pereira rudolph.pereira+nagios at occamsec.com
Wed Nov 28 16:32:32 CET 2012


Yes, I have tested this - we were able to compromise a host at a
client using this.

I think use of execve() would be fine, though wasn't sure if the loss
of variable expansion would be acceptable.

On Wed, Nov 28, 2012 at 6:36 AM, Andreas Ericsson <ae at op5.se> wrote:
> On 11/27/2012 05:11 PM, Rudolph Pereira wrote:
>> Hi all,
>>
>> I submitted http://tracker.nagios.org/view.php?id=400 a while ago and
>> have had little to no response on it, even though it is a serious
>> issue.
>>
>> I am looking for suggestions on how to deal with this; given the
>> seriousness of the issue and how many users it affects I believe a
>> security vulnerability notice should go out at the very least. Should
>> I be working with ocert or some other intermediary on this?
>>
>
> Have you tested this exploit? It might be blocked by how NRPE handles
> command line arguments.
>
> One very simple way around it would otherwise be to disallow relative
> paths to commands and use execve() to execute the checks. That way,
> the plugin will get '$(lalafoo)' as an argument rather than the output
> of that command.
>
> --
> Andreas Ericsson                   andreas.ericsson at op5.se
> OP5 AB                             www.op5.se
> Tel: +46 8-230225                  Fax: +46 8-230231
>
> Considering the successes of the wars on alcohol, poverty, drugs and
> terror, I think we should give some serious thought to declaring war
> on peace.

------------------------------------------------------------------------------
Keep yourself connected to Go Parallel: 
INSIGHTS What's next for parallel hardware, programming and related areas?
Interviews and blogs by thought leaders keep you ahead of the curve.
http://goparallel.sourceforge.net




More information about the Developers mailing list