NRPE patch for metachars

Jason Martin jhmartin at toger.us
Tue Aug 3 18:13:42 CEST 2004


I was the one who made the complaint; the problem is that
allowing metacharacters leaves one wide open for attack.
Allowing metacharacters without requiring ssl / tcp wrappers
just makes it too easy for someone to misuse NRPE and I'd hate
for NRPE to get on the 'bad' list in the IT Security world.  I
solved it by base64 encoding the regular expression (using a
very simple perl script in the check command definition so the
expression was cleartext in the nagios config) prior to
sending it and modifying the plugin to handle decoding it.

-Jason Martin


On Tue, Aug 03, 2004 at 11:35:05AM -0400, Stephen Carpenter wrote:
> I noticed a bit ago someone else had the same problem I did: trying
> to pass a perl regular expression to a check failed due to a rather
> paranoid restriction in NRPE.
> 
> I submitted a patch to nagios at nagios.org a while ago but heard
> nothing, so I figure maybe sending it to this list will help someone.
> I have added a new config option:
> 
> allow_metachars=1
> 
> This and command line arguments has vastly simplified my life.
> 
> === Allow Metachars Patch ===
> here is the patch:
> RCS file: /usr/local/cvsroot/build/nrpe2/src/src/nrpe.c,v
> retrieving revision 1.1
> retrieving revision 1.2
> diff -u -r1.1 -r1.2
> --- nrpe.c      29 Dec 2003 17:30:05 -0000      1.1
> +++ nrpe.c      24 Jun 2004 15:28:29 -0000      1.2
> @@ -67,6 +67,7 @@
>  char    *nrpe_group=NULL;
>  
>  int     allow_arguments=FALSE;
> +int     allow_metachars=FALSE;
>  
>  int     show_help=FALSE;
>  int     show_license=FALSE;
> @@ -381,6 +382,9 @@
>                 else if(!strcmp(varname,"dont_blame_nrpe"))
>                         allow_arguments=(atoi(varvalue)==1)?TRUE:FALSE;
>  
> +               else if(!strcmp(varname,"allow_metachars"))
> +                       allow_metachars=(atoi(varvalue)==1)?TRUE:FALSE;
> +
>                 else if(!strcmp(varname,"command_timeout")){
>                         command_timeout=atoi(varvalue);
>                         if(command_timeout<1){
> @@ -1295,7 +1299,7 @@
>                 }
>  
>         /* make sure request doesn't contain nasties */
> -       if(contains_nasty_metachars(pkt->buffer)==TRUE){
> +       if(! allow_metachars &&
> contains_nasty_metachars(pkt->buffer)==TRUE){
>                 syslog(LOG_ERR,"Error: Request contained illegal
> metachars!");
>                 return ERROR;
>                 }
> === END ===
> 

-- 
This isn't hell, but I can see it from here.
This message is PGP/MIME signed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 211 bytes
Desc: not available
URL: <https://www.monitoring-lists.org/archive/users/attachments/20040803/8ba695cf/attachment.sig>


More information about the Users mailing list