Adaptive Monitoring: Broken?

Andreas Ericsson ae at op5.se
Thu Apr 9 00:34:21 CEST 2009


Marc Powell wrote:
> On Apr 7, 2009, at 1:26 PM, Patrick Morris wrote:
> 
>> Here are the important stats:
>>
>> Nagios Version: Version 3.1.0
>> Proficiency Level: Pretty damned high
> 
>> While the first command works fine, and sets the service to an OK state,
>> the next two (which I've tried in various combinations) show up in the
>> Nagios logs as having been sent, but do nothing. The check that appears
>> in the config files keeps running instead of my check_ok check.
>>
>> Here's how it shows up in the logs:
>>
>> [1239128528] EXTERNAL COMMAND: CHANGE_SVC_EVENT_HANDLER;dummy-host;DNS;check_ok
>> [1239128528] EXTERNAL COMMAND: CHANGE_SVC_CHECK_COMMAND;dummy-host;DNS;check_ok
>>
>> I've noticed the message is different if I use an invalid command, so
>> I'm relatively sure I'm using the right ones; they just don't do
>> anything.
>>
>> Event handlers are enabled for these services, but even if they weren't
>> the check command should change, right?
>>
>> Am I doing something wrong here, or have I run into a bug?
> 
> I'm not using 3.x yet but just to provide some feedback, what you're
> doing looks reasonable from my reading of the documentation. I do see
> this in 3.1.0's commands.c though --
> 
>          /* SECURITY PATCH - disable these for the time being */
>          switch(cmd){
>          case CMD_CHANGE_GLOBAL_HOST_EVENT_HANDLER:
>          case CMD_CHANGE_GLOBAL_SVC_EVENT_HANDLER:
>          case CMD_CHANGE_HOST_EVENT_HANDLER:
>          case CMD_CHANGE_SVC_EVENT_HANDLER:
>          case CMD_CHANGE_HOST_CHECK_COMMAND:
>          case CMD_CHANGE_SVC_CHECK_COMMAND:
>                  return ERROR;
>                  }
> 
> That's in the right section and my reading of the code is that it does
> exactly that; prevent changing of those values... Maybe it's something
> being worked on in the development branch?
> 

It's not. That snippet comes from Nov 30 2008 as a measure to prevent
CVE-2008-5027 (cmd.cgi authorization bypass vulnerability) and
CVE-2008-5028 (cross-site request forgery) from becoming remote command
execution vulnerabilities.

Ethan added that snippet as an extra security measure. It's been in
Nagios since 3.0.4.

Assuming both the patches I sent are applied, it's safe to remove that
particular snippet and recompile Nagios.


I wrote about the two vulnerabilities here in case anyone needs to
refresh their memory:
http://blogs.op5.org/blog4.php/2008/11/11/nagios-cmd-cgi-authorization-bypass-vuln
http://blogs.op5.org/blog4.php/2008/11/11/cross-site-request-forgery-vulnerability-6

The patches to prevent them are available here:
http://git.op5.org/git/?p=nagios.git;a=shortlog;h=refs/heads/security

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231

Considering the successes of the wars on alcohol, poverty, drugs and
terror, I think we should give some serious thought to declaring war
on peace.
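
Added example, not part of the original message and not Nagios code: the thread reports that commands covered by the quoted guard are logged as sent but have no effect, so this sketch scans log lines for `EXTERNAL COMMAND` entries naming one of those six commands. The function names and the sample lines are constructed for illustration; the log format is assumed from the two lines quoted in the thread.

```c
#include <stdio.h>
#include <string.h>

/* External command names matching the CMD_* cases in the quoted switch. */
static const char *const disabled_cmds[] = {
    "CHANGE_GLOBAL_HOST_EVENT_HANDLER", "CHANGE_GLOBAL_SVC_EVENT_HANDLER",
    "CHANGE_HOST_EVENT_HANDLER",        "CHANGE_SVC_EVENT_HANDLER",
    "CHANGE_HOST_CHECK_COMMAND",        "CHANGE_SVC_CHECK_COMMAND",
};

/* Classify one log line: 1 = external command the guard rejects,
 * 0 = some other external command, -1 = not an EXTERNAL COMMAND entry. */
int is_dropped_command(const char *line)
{
    static const char tag[] = "] EXTERNAL COMMAND: ";
    const char *p;
    size_t len, i;

    /* Expect "[<timestamp>] EXTERNAL COMMAND: NAME;arg;arg..." */
    if (line[0] != '[' || (p = strchr(line, ']')) == NULL ||
        strncmp(p, tag, sizeof(tag) - 1) != 0)
        return -1;
    p += sizeof(tag) - 1;
    len = strcspn(p, ";\r\n");          /* name ends at the first ';' */
    for (i = 0; i < sizeof(disabled_cmds) / sizeof(disabled_cmds[0]); i++)
        if (strlen(disabled_cmds[i]) == len &&
            strncmp(p, disabled_cmds[i], len) == 0)
            return 1;
    return 0;
}

/* Count rejected commands across n log lines. */
int count_dropped(const char *const *lines, size_t n)
{
    int hits = 0;
    size_t i;
    for (i = 0; i < n; i++)
        if (is_dropped_command(lines[i]) == 1)
            hits++;
    return hits;
}

int main(void)
{
    /* Constructed sample; the first two lines use the format quoted above. */
    static const char *const sample[] = {
        "[1239128528] EXTERNAL COMMAND: CHANGE_SVC_EVENT_HANDLER;dummy-host;DNS;check_ok",
        "[1239128528] EXTERNAL COMMAND: CHANGE_SVC_CHECK_COMMAND;dummy-host;DNS;check_ok",
        "[1239128530] EXTERNAL COMMAND: PROCESS_SERVICE_CHECK_RESULT;dummy-host;DNS;0;OK",
        "[1239128531] SERVICE ALERT: dummy-host;DNS;OK;HARD;1;OK",
    };
    printf("%d of 4 lines are commands the guard rejects\n", count_dropped(sample, 4));
    return 0;
}
```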
