nagios niubility 漏洞

  • 时间:
  • 浏览:0

All

< 2.14

Upgrade to NRPE 2.14 or later, available at http://sourceforge.net/projects/nagios/files/nrpe-2.x/

When NRPE is compiled with --enable-command-args (the default for mostLinux distributions), the above code allows the passing of $() to plugins/scripts which, if run under bash, will execute thatshell command under a subprocess and pass the output as a parameter tothe called script. Using this, it is possible to get called scripts,such as check_http, to execute arbitrary commands under the uid thatNRPE/nagios is running as (typically, 'nagios').

nrpe 2.13 has, in src/nrpc.c, line 52:

Nagios

No

Vendor released a patch (See Solution)

Yes

7.5

AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:UC/CDP:N/TD:N/CR:L/IR:L/AR:L

NRPE (Configured with --enable-command-args).

#define NASTY_METACHARS         "|`&><'\"\\[]{};"