Vigil@nce - Nagios: shell command execution via NRPE
March 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can request Nagios NRPE to execute a plugin with a
special name, in order to execute a shell command on the server.
Impacted products: Nagios Open Source
Severity: 2/4
Creation date: 25/02/2013
DESCRIPTION OF THE VULNERABILITY
The Nagios NRPE (Nagios Remote Plugin Executor) service executes
plugins remotely.
The Bash shell interpreter supports the "$(command)" sequence to
execute a command.
The src/nrpe.c file filters special characters, before executing a
shell command. However, the sequence "$()" is not forbidden.
An attacker can therefore request Nagios NRPE to execute a plugin
with a special name, in order to execute a shell command on the
server.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Nagios-shell-command-execution-via-NRPE-12460