cbcvebase.
CVE-2013-1362
published 2013-07-09

CVE-2013-1362: Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell…

PriorityP274high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
65.72%
99.2th percentile
Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via "$()" shell metacharacters, which are processed by bash.

Affected

33 ranges· showing 25
VendorProductVersion rangeFixed in
debiannagios-nrpe< nagios-nrpe 2.13-3 (bookworm)nagios-nrpe 2.13-3 (bookworm)
nagiosremote_plug_in_executor<= 2.13
nagiosremote_plug_in_executor
nagiosremote_plug_in_executor
nagiosremote_plug_in_executor
nagiosremote_plug_in_executor
nagiosremote_plug_in_executor
nagiosremote_plug_in_executor
nagiosremote_plug_in_executor
nagiosremote_plug_in_executor
nagiosremote_plug_in_executor
nagiosremote_plug_in_executor
nagiosremote_plug_in_executor
nagiosremote_plug_in_executor
nagiosremote_plug_in_executor
nagiosremote_plug_in_executor
nagiosremote_plug_in_executor
nagiosremote_plug_in_executor
nagiosremote_plug_in_executor
nagiosremote_plug_in_executor
nagiosremote_plug_in_executor
nagiosremote_plug_in_executor
nagiosremote_plug_in_executor
nagiosremote_plug_in_executor
nagiosremote_plug_in_executor

Detection & IOCsextracted from sources · hover to see the quote

port5666
command$()
commandsetsid nohup $(payload.encoded) &
  • Monitor NRPE traffic on TCP/5666 for arguments containing '$(' and ')' shell metacharacter sequences, which are the exploit payload delivery mechanism.
  • The exploit targets NRPE commands configured to accept arguments (dont_blame_nrpe=1 in nrpe.cfg). Audit nrpe.cfg for this setting as a prerequisite indicator of exploitability.
  • The Metasploit module uses Anonymous-Diffie-Hellman (ADH) SSL cipher to communicate with NRPE. Detect ADH cipher negotiation on TCP/5666 as a strong indicator of exploit activity.
  • The exploit encodes the stage payload in Base64 and uses GNU sed for decoding, then executes via $() substitution. Look for NRPE query packets containing base64-encoded strings passed as command arguments.
  • NRPE query packets have a fixed 1024-byte command buffer. Inspect the packet structure (version=2, type=1) on TCP/5666 for $() metacharacters embedded in the command/argument field.
  • The exploit targets specific NRPE plugin commands: check_procs, check_users, check_load, check_disk. Alert on NRPE queries to these commands containing shell metacharacters.
  • Processes spawned by NRPE with 'setsid nohup' pattern indicate successful exploitation; monitor for child processes of the nagios/nrpe user matching this pattern.
  • ·Exploitation requires the NRPE configuration option 'dont_blame_nrpe' to be enabled (set to 1) in nrpe.cfg, which allows remote command-line arguments. Default installations with this option disabled are not exploitable.
  • ·The vulnerability is only triggered when plugin scripts are executed under bash, as $() is a bash-specific command substitution feature. Scripts run under other shells may not be affected.
  • ·The blacklist in nrpc.c filters characters including |, `, &, >, ), but omits $(), making the blacklist incomplete. The Metasploit module explicitly notes NRPE will reject queries containing those filtered characters.
  • ·Commands exploitable via this vulnerability are limited to those configured in nrpe.cfg to accept arguments. The Metasploit module defaults to check_procs but also supports check_users, check_load, and check_disk.

CVSS provenance

nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
osv7.5HIGH
vendor_debian7.5LOW
vendor_redhat7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.