usd-2020-0003 | Nagios NRPE v.3.2.1

Advisory ID: usd-2020-0003
Affected Product: Nagios NRPE
Affected Version: v.3.2.1
Vulnerability Type: Wrong Packet Size Computation
Security Risk: Low
Vendor URL: https://www.nagios.org/
Vendor Status: Fixed in v4.0.0 (not verified)

Proof of Concept (PoC)

NRPE currently allows two different packet versions that can be used to communicate with the NRPE server: v2 and v3. The v3 packet structure is defined like this:

    typedef struct _v3_packet {
        int16_t     packet_version;
        int16_t     packet_type;
        u_int32_t   crc32_value;
        int16_t     result_code;
        int16_t     alignment;
        int32_t     buffer_length;
        char        buffer[1];
    } v3_packet;

The member buffer is only a placeholder that gets replaced by the actual packet contents during processing. Therefore, only a length of 1 byte is assigned to it, since it does not have to carry any meaningful data. The NRPE source code calculates the length of a v3 packet like this:

    int32_t   pkt_size = sizeof(v3_packet) - 1 + buffer_length;

As one can see, the previously used length of the placeholder buffer is subtracted from the size of the structure, since it will be replaced by the real payload. However, the code does not respect the padding length that is applied by the compiler. Structures that do not end on a boundary of 4 bytes are usually padded to match that requirement. Therefore, the size of the buffer member will actually be 4, not 1. One can easily confirm this by using the following C code:

    #include <stdio.h>      /* printf */
    #include <stdint.h>     /* int16_t, int32_t */
    #include <sys/types.h>  /* u_int32_t */

    typedef struct _v3_packet {
        int16_t     packet_version;
        int16_t     packet_type;
        u_int32_t   crc32_value;
        int16_t     result_code;
        int16_t     alignment;
        int32_t     buffer_length;
        char        buffer[1];
    } v3_packet;

    int main(void) {
        v3_packet test;
        /* sizeof() yields a size_t, hence %zu; it includes the trailing padding */
        printf("%zu\n", sizeof(test));
        return 0;
    }

The output will be 20, since the structure contains the following lengths:

    typedef struct _v3_packet {
        int16_t     packet_version;         // 2
        int16_t     packet_type;            // 2
        u_int32_t   crc32_value;            // 4
        int16_t     result_code;            // 2
        int16_t     alignment;              // 2
        int32_t     buffer_length;          // 4
        char        buffer[1];              // 4 (1 byte of data + 3 bytes of padding)
    } v3_packet;

One can also observe this wrong calculation of the packet size when communicating with the NRPE server. Messages transmitted over the network often contain three additional null bytes, since the computed buffer size is three bytes longer than the actual packet. Hexdump of an NRPE server response:

    00000000  00 03 00 02 34 22 6d cc  00 00 00 00 00 00 00 10   ....4"m. ........
    00000010  5b 2b 5d 20 50 4f 43 20  66 69 6e 69 73 68 65 64   [+] POC  finished
    00000020  00 00 00                                           ...

Our short research did not identify a vulnerability resulting from this incorrect length calculation. However, such bugs often lead to security-relevant issues and should be fixed.

Fix

Respect structure padding during packet length calculations.
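The following program is an added example (not code from the advisory or from the NRPE project) that puts the PoC calculation and the proposed fix side by side. It computes the packet length once the way NRPE v3.2.1 does it (sizeof() minus the placeholder byte) and once from the real offset of the payload via offsetof(), and it parses a constructed copy of the server response from the hexdump above to count the bytes on the wire that do not belong to the packet. It assumes a typical ABI with 4-byte alignment for the struct (as on x86-64) and uses the standard uint32_t in place of NRPE's u_int32_t; the function names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same layout as NRPE's v3 packet; uint32_t stands in for u_int32_t. */
typedef struct _v3_packet {
    int16_t  packet_version;
    int16_t  packet_type;
    uint32_t crc32_value;
    int16_t  result_code;
    int16_t  alignment;
    int32_t  buffer_length;
    char     buffer[1];
} v3_packet;

/* Packet size as NRPE v3.2.1 computes it: sizeof() already contains the
 * trailing padding, so subtracting only the one placeholder byte leaves
 * the padding bytes in the result. */
int32_t pkt_size_padded(int32_t buffer_length) {
    return (int32_t)sizeof(v3_packet) - 1 + buffer_length;
}

/* Proposed fix: measure the header up to where the payload really starts.
 * offsetof() is unaffected by the padding that follows the last member. */
int32_t pkt_size_exact(int32_t buffer_length) {
    return (int32_t)offsetof(v3_packet, buffer) + buffer_length;
}

/* Number of superfluous bytes the padded formula adds to a packet. */
int32_t trailing_padding_bytes(int32_t buffer_length) {
    return pkt_size_padded(buffer_length) - pkt_size_exact(buffer_length);
}

/* Constructed copy of the 35-byte server response from the advisory's hexdump:
 * version 3, type 2, CRC, result 0, alignment 0, buffer_length 16,
 * the 16-byte payload "[+] POC finished", then three extra null bytes. */
static const unsigned char response[] = {
    0x00, 0x03, 0x00, 0x02, 0x34, 0x22, 0x6d, 0xcc,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10,
    '[', '+', ']', ' ', 'P', 'O', 'C', ' ',
    'f', 'i', 'n', 'i', 's', 'h', 'e', 'd',
    0x00, 0x00, 0x00
};

/* Parse the big-endian buffer_length field of a received v3 packet and
 * return how many bytes of the received data lie beyond the exact packet
 * end (0 for a correctly sized packet). Returns -1 if the data is shorter
 * than the header or than the length the header claims. */
int32_t surplus_bytes(const unsigned char *pkt, size_t wire_len) {
    const size_t hdr = offsetof(v3_packet, buffer);  /* 16 on this ABI */
    if (wire_len < hdr)
        return -1;
    uint32_t raw = ((uint32_t)pkt[12] << 24) | ((uint32_t)pkt[13] << 16) |
                   ((uint32_t)pkt[14] << 8)  |  (uint32_t)pkt[15];
    if (raw > INT32_MAX || raw > wire_len - hdr)
        return -1;  /* claimed length exceeds what was received */
    return (int32_t)(wire_len - (hdr + raw));
}

int main(void) {
    int32_t len = 16;  /* payload length of the constructed response */
    printf("sizeof(v3_packet)           = %zu\n", sizeof(v3_packet));
    printf("offsetof(v3_packet, buffer) = %zu\n", offsetof(v3_packet, buffer));
    printf("padded size (NRPE 3.2.1)    = %d\n", pkt_size_padded(len));
    printf("exact size (offsetof)       = %d\n", pkt_size_exact(len));
    printf("superfluous trailing bytes  = %d\n", trailing_padding_bytes(len));
    printf("surplus bytes in response   = %d\n",
           surplus_bytes(response, sizeof(response)));
    return 0;
}
```

Run on an x86-64 Linux build, the padded formula gives 35 bytes for the 16-byte payload while the offsetof()-based one gives 32, and the parser reports exactly the three trailing bytes visible in the hexdump. A receiver that validates buffer_length against the bytes actually received, as surplus_bytes() does, also rejects packets whose header claims more payload than was sent rather than reading past the end of the buffer.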

Timeline

Credits

This security vulnerability was discovered by Tobias Neitzel of usd AG.

ABOUT usd SECURITY ADVISORIES

In order to protect businesses against hackers and criminals, we always have to keep our skills and knowledge up to date. Thus, security research is just as important for our work as is building up a security community to promote the exchange of knowledge. After all, more security can only be achieved if many individuals take on the task.

Our CST Academy and our usd HeroLab are essential parts of our security mission. We share the knowledge we gain in our practical work and our research through training courses and publications. In this context, the usd HeroLab publishes a series of papers on new vulnerabilities and current security issues.

Always for the sake of our mission: „more security.“

In accordance with usd AG’s Responsible Disclosure Policy, all vendors have been notified of the existence of these vulnerabilities.

Disclaimer

The information provided in this security advisory is provided „as is“ and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible.