usd-2020-0003 | Nagios NRPE v.3.2.1


Advisory ID: usd-2020-0003
Affected Product: Nagios NRPE
Affected Version: v.3.2.1
Vulnerability Type: Wrong Packet Size Computation
Security Risk: Low
Vendor URL: https://www.nagios.org/
Vendor Status: Fixed in v4.0.0 (not verified)

Proof of Concept (PoC)

NRPE currently allows two different packet versions that can be used to communicate with the NRPE server: v2 and v3. The v3 packet structure is defined like this:

typedef struct _v3_packet {
    int16_t packet_version;
    int16_t packet_type;
    u_int32_t crc32_value;
    int16_t result_code;
    int16_t alignment;
    int32_t buffer_length;
    char buffer[1];
} v3_packet;

The member buffer is only a placeholder that gets replaced by the actual packet contents during processing. Therefore, it is assigned a length of
only 1 byte, since it does not have to carry any meaningful data. The NRPE source code calculates the length of a v3 packet like this:

int32_t pkt_size = sizeof(v3_packet) - 1 + buffer_length;

As one can see, the length of the placeholder buffer is subtracted from the size of the structure, since it will be replaced
by the real payload. However, the code does not account for the padding that the compiler applies. Structures that do not end on a 4-byte
boundary are usually padded to meet that alignment requirement. Therefore, the buffer member effectively occupies 4 bytes, not 1. One can easily confirm this
with the following C code:

#include <stdio.h>
#include <stdint.h>
#include <sys/types.h> /* u_int32_t */

typedef struct _v3_packet {
    int16_t packet_version;
    int16_t packet_type;
    u_int32_t crc32_value;
    int16_t result_code;
    int16_t alignment;
    int32_t buffer_length;
    char buffer[1];
} v3_packet;

int main(void) {
    v3_packet test;
    /* sizeof yields a size_t, so %zu is the correct conversion */
    printf("%zu\n", sizeof(test));
    return 0;
}

The output will be 20, since the structure members occupy the following lengths:

typedef struct _v3_packet {
    int16_t packet_version; // 2
    int16_t packet_type;    // 2
    u_int32_t crc32_value;  // 4
    int16_t result_code;    // 2
    int16_t alignment;      // 2
    int32_t buffer_length;  // 4
    char buffer[1];         // 4 (1 byte plus 3 bytes of trailing padding)
} v3_packet;

One can also observe this wrong calculation of the packet size when communicating with the NRPE server. Messages transmitted over the network often contain three additional null bytes, since the computed packet size is three bytes larger than the actual packet. Hexdump of an NRPE server response:

00000000 00 03 00 02 34 22 6d cc 00 00 00 00 00 00 00 10 ....4"m. ........
00000010 5b 2b 5d 20 50 4f 43 20 66 69 6e 69 73 68 65 64 [+] POC finished
00000020 00 00 00
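The following C program is an added example (not code from the advisory or from NRPE) that puts the two calculations side by side: the padding-unaware one quoted from the NRPE source, and a padding-aware one using offsetof(). It then parses buffer_length from the hexdump above and reports how many bytes the server sent beyond header plus payload; the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same layout as the NRPE v3 header quoted above; uint32_t is the
   standard spelling of u_int32_t and has the same size. */
typedef struct _v3_packet {
    int16_t packet_version;
    int16_t packet_type;
    uint32_t crc32_value;
    int16_t result_code;
    int16_t alignment;
    int32_t buffer_length;
    char buffer[1];
} v3_packet;

/* Padding-unaware size, as in the NRPE source quoted above: sizeof()
   includes the 3 bytes of trailing padding after buffer[1]. */
int32_t nrpe_pkt_size(int32_t buffer_length) {
    return (int32_t)(sizeof(v3_packet) - 1 + buffer_length);
}

/* Padding-aware size: offsetof() is where the payload really starts. */
int32_t padded_pkt_size(int32_t buffer_length) {
    return (int32_t)(offsetof(v3_packet, buffer) + buffer_length);
}

/* buffer_length travels big-endian at byte offset 12 of the header. */
int32_t read_buffer_length(const unsigned char *pkt) {
    return (int32_t)((uint32_t)pkt[12] << 24 | (uint32_t)pkt[13] << 16 |
                     (uint32_t)pkt[14] << 8 | (uint32_t)pkt[15]);
}

/* Bytes received beyond header + declared payload (the null padding). */
int surplus_bytes(const unsigned char *pkt, size_t wire_len) {
    return (int)wire_len - padded_pkt_size(read_buffer_length(pkt));
}

/* The 35-byte server response from the advisory's hexdump. */
static const unsigned char response[] = {
    0x00, 0x03, 0x00, 0x02, 0x34, 0x22, 0x6d, 0xcc, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x10, '[', '+', ']', ' ', 'P', 'O', 'C', ' ', 'f',
    'i', 'n', 'i', 's', 'h', 'e', 'd', 0x00, 0x00, 0x00 };

int main(void) {
    printf("nrpe=%d padded=%d surplus=%d\n", nrpe_pkt_size(16),
           padded_pkt_size(16), surplus_bytes(response, sizeof response));
    return 0;
}
```

For the 16-byte payload in the hexdump the NRPE formula yields 35 while the padded formula yields 32, which is exactly the three trailing null bytes visible on the wire.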

Our short research did not identify a vulnerability resulting from this incorrect length calculation. However, such bugs often
lead to security-relevant issues and should be fixed.

Fix

Respect structure padding during packet length calculations.

Timeline

Credits

This security vulnerability was discovered by Tobias Neitzel of usd AG.