[Nagiosplug-devel] Re: Major Secuirty Hole in Netsaint/Nagios.

Ethan Galstad nagios at nagios.org
Thu Jun 27 22:05:02 CEST 2002

Tyler -

Thanks for the note.  I'm forwarding this to the nagios-devel and 
nagiosplug-devel lists, as I think this should be discussed there 
with others before making changes.

As far as patches are concerned, I won't be able to make any until at 
least next week.  My cable provider just did an "upgrade" which now 
puts me 18 hops away from the DHCP server - this caused the ISC DHCP 
client on my LRP box to croak (TTL is hardcoded to16 in the 
DHCPDISCOVER packet), so I've been fighting with trying to recompile 
a hacked version of the client that will actually run properly on my 
firewall.  To top that off, I just discovered that the power supply 
in my development box died sometime in the past few days and my case 
is a nice toasty 110 degrees....  So I have to wait until it cools 
down before trying to build a new box tomorrow or this weekend.  I 
love the timing of problems... :-)


Anyway, on to the issue at hand.  I had been thinking about stripping 
all single and double quotes out of the plugin output, so this might 
was well be the time to do it all.  This of course will break any 
plugin that returns a hyperlink in the output.

I would like to keep the following characters, available for output, 
as they are more benign without the help of others, especially is 
quoted properly in notification commands, etc:


It was not mentioned, but % is also a potentially nasty character, 
but I still think it should stay (e.g. for packet loss percentages in 
check_ping, check_disk, etc).  It all comes down to a tradeoff 
between security and flexibility.  I believe that the five characters 
I mention should be okay, as long as notification commands, etc. 
contain quotes to prevent the shell from interpreting them.  That's 
more of a user education issue than anything else.  

BTW, although the message only mentioned stripping these chars from 
plugin output (and acknowledgements), I should probably also strip 
these from names of hosts, services, etc.  Anyone see a good reason 
not to strip these characters?

On 27 Jun 2002 at 17:31, Tyler Lund wrote:

> Hello,
> I have found what I think to be a major security flaw in the current
> stable 0.0.7 release of Netsaint. From what I can tell, this flaw
> also exists in the current 1.0 beta 3 release of Nagios. 
> Basically the macro_output string does not get checked for shell
> interpreted characters prior to being executed by popen() in my_sysem().
> This was discovered when attempting to insert an apostrophie character
> into an ack command and noting that the character was interpreted by
> the shell. Further investigation revealed that ANY special shell
> character will be interpreted, including a backtick ` character. This
> will allow anyone acking an alarm to execute arbitrary commands on the
> server as the netsaint user. 
> Extapolating, this macro is also used to store output from service
> checks, including strings passed to it from NRPE and other agents.
> Using this method, an attacker would be able to execute commands on the
> central netsaint server by modifying output from a monitored host. It
> would be pretty trivial to gain access to the central server depending
> on the permissions of the user under which netsaint is running.
> Has this issue been addressd before? I've searched mailing lists and
> Changelogs to no avail. I'm sure this can be implimented
> in a cleaner fashion, but I've patched my 0.0.7 source files
> to sterilize macros for shell execution: 
> char *sanitize_shell_string(char *str)
> /* takes string and escapes all metacharacters.  should be used before
>    including string in system() or similar call. */
> {
>   int i,j = 0;
>   char *new = malloc(sizeof(char) * (strlen(str) * 2 + 1));
>   for (i = 0; i < strlen(str); i++) {
>     switch (str[i]) {
>       case '|': case '&': case ';': case '(': case ')': case '<':
>       case '>': case '\'': case '"': case '*': case '?': case '\\':
>       case '[': case ']': case '$': case '!': case '#': case '`':
>       case '{': case '}':
>         new[j] = '\\';
>         j++;
>         break;
>       default:
>         break;
>     }
>     new[j] = str[i];
>     j++;
>   }
>   new[j] = '\0';
>   return new;
> }
> and in process_macros():
> else if(!strcmp(temp_buffer,"OUTPUT")) {
> 	char *clean = sanitize_shell_string(macro_output);
> 	strncat(output_buffer,(macro_output==NULL)?"":clean,buffer_length-strlen(clean)-1);
> }
> ...repeat for other macros,  etc. 
> If I'm way off on this for Nagios please let me know, but I would suggest
> that for at least Netsaint that a patch release be made for this
> extremely dangerous flaw. 
> Thanks!
> -- 
> Tyler Lund - Sr. Network Engineer, Springboard Hosting
> tlund at springboardhosting.com - www.springboardhosting.com
> ***      Thank you for contacting Springboard Support     ***
> ***   support at springboardhosting.com      919-852-0690    ***

Ethan Galstad,
Nagios Developer
Email: nagios at nagios.org
Website: http://www.nagios.org

More information about the Devel mailing list