{"id":16663,"date":"2021-07-08T11:45:26","date_gmt":"2021-07-08T09:45:26","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2020-0004\/"},"modified":"2021-07-19T14:14:34","modified_gmt":"2021-07-19T12:14:34","slug":"usd-2020-0004","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2020-0004\/","title":{"rendered":"usd-2020-0004"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

usd-2020-0004 | Nagios NRPE v.3.2.1<\/span><\/h1>\n

<\/span>
Advisory ID<\/strong>: usd-2020-0004<\/span>
Affected Product<\/strong>: Nagios NRPE<\/span>
Affected Version<\/strong>: v.3.2.1<\/span>
Vulnerability Type<\/strong>: Logic Error<\/span>
Security Risk<\/strong>: None<\/span>
Vendor URL<\/strong>: https:\/\/www.nagios.org\/<\/a><\/span>
Vendor Status<\/strong>: Fixed in v.4.0.0 (not verified)<\/span><\/p>\n

<\/h3>\n

Description<\/h3>\n

If NRPE is compiled with command line parameter support and if the corresponding option is enabled inside of the NRPE configuration file,
NRPE are allowed to contain additional parameters that are passed as command line parameters to the configured monitoring scripts.<\/p>\n

To check if a packet contains command line parameters, NRPE uses the validate_request<\/strong>\u00a0function. This function contains the following code:<\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"] if (packet_ver == NRPE_PACKET_VERSION_3) {
\nint32_t l = ntohs(v3pkt-&gt;buffer_length);
\nv3pkt-&gt;buffer[l - 1] = '\\x0';
\nbuff = v3pkt-&gt;buffer;
\n} else {
\nv2pkt-&gt;buffer[MAX_PACKETBUFFER_LENGTH - 1] = '\\x0';
\nbuff = v2pkt-&gt;buffer;
\n}<\/p>\n

[...]<\/p>\n

\/* make sure the request doesn't contain arguments *\/
\nif (strchr(v2pkt-&gt;buffer, '!')) {
\n#ifdef ENABLE_COMMAND_ARGUMENTS
\nif (allow_arguments == FALSE) {
\nlogit(LOG_ERR, \"Error: Request contained command arguments, but argument option is not enabled!\");
\nreturn ERROR;
\n}
\n[...]<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

As on can see, this code should block requests if the ENABLE_COMMAND_ARGUMENTS<\/em> flag was set during compilation, but the allow_arguments<\/strong>
option (dont_blame_nrpe) is not enabled in the configuration file. NRPE packets that contain command line arguments have to contain a !<\/strong>
sign in their buffer and therefore the above mentioned code should trigger and block the request.<\/p>\n

However, as one can see, the code uses the v2pkt->buffer<\/strong> instead of the previously declared generic buff<\/strong>\u00a0variable. Incoming v3 packets
will never trigger the condition strchr(v2pkt->buffer, \u201a!\u2018), and will pass this check even if they contain command line arguments.<\/p>\n

While this sounds like a serious security issue, it has only minimal impact, since the NRPE source code does only parse command line arguments
if the allow_arguments<\/strong>\u00a0(dont_blame_nrpe) option was set:<\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"] #ifdef ENABLE_COMMAND_ARGUMENTS
\n\/* get command arguments *\/
\nif (allow_arguments == TRUE) {
\n\/\/ Process Command Line Args<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

\n
\n
\n
\n
Therefore, even if a v3 packet passes the first check, its arguments will just be ignored in the proceeding code.
Nonetheless, this is obviously a logical flaw inside the NRPE source code and should be fixed.<\/div>\n
<\/div>\n

<\/h3>\n

<\/span><\/h3>\n

Proof of Concept (PoC) \/ Steps to Reproduce<\/span><\/h3>\n<\/div>\n<\/div>\n

0. NRPE has to be compiled with command line parameter support. Additionally, dont_blame_nrpe option inside the NRPE configuration file has to be enabled.<\/p>\n

1. Send a v2 packet that contains command line arguments (Packet is rejected).<\/p>\n

2. Send a v3 packet that contains command line arguments. (Packet is processed, like a packet without any arguments)<\/p>\n

<\/h3>\n

<\/h3>\n

Fix<\/h3>\n

Checking for <\/span>!<\/strong> signs should be done on the generic buffer <\/span>buff<\/strong>, which applies for v2 and v3 packets.<\/span><\/p>\n

<\/h3>\n

Timeline<\/h3>\n