CVE-2013-1362
published 2013-07-09CVE-2013-1362: Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell…
PriorityP274high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
65.72%
99.2th percentile
Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via "$()" shell metacharacters, which are processed by bash.
Affected
33 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | nagios-nrpe | < nagios-nrpe 2.13-3 (bookworm) | nagios-nrpe 2.13-3 (bookworm) |
| nagios | remote_plug_in_executor | <= 2.13 | — |
| nagios | remote_plug_in_executor | — | — |
| nagios | remote_plug_in_executor | — | — |
| nagios | remote_plug_in_executor | — | — |
| nagios | remote_plug_in_executor | — | — |
| nagios | remote_plug_in_executor | — | — |
| nagios | remote_plug_in_executor | — | — |
| nagios | remote_plug_in_executor | — | — |
| nagios | remote_plug_in_executor | — | — |
| nagios | remote_plug_in_executor | — | — |
| nagios | remote_plug_in_executor | — | — |
| nagios | remote_plug_in_executor | — | — |
| nagios | remote_plug_in_executor | — | — |
| nagios | remote_plug_in_executor | — | — |
| nagios | remote_plug_in_executor | — | — |
| nagios | remote_plug_in_executor | — | — |
| nagios | remote_plug_in_executor | — | — |
| nagios | remote_plug_in_executor | — | — |
| nagios | remote_plug_in_executor | — | — |
| nagios | remote_plug_in_executor | — | — |
| nagios | remote_plug_in_executor | — | — |
| nagios | remote_plug_in_executor | — | — |
| nagios | remote_plug_in_executor | — | — |
| nagios | remote_plug_in_executor | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor NRPE traffic on TCP/5666 for arguments containing '$(' and ')' shell metacharacter sequences, which are the exploit payload delivery mechanism. ↗
- →The exploit targets NRPE commands configured to accept arguments (dont_blame_nrpe=1 in nrpe.cfg). Audit nrpe.cfg for this setting as a prerequisite indicator of exploitability. ↗
- →The Metasploit module uses Anonymous-Diffie-Hellman (ADH) SSL cipher to communicate with NRPE. Detect ADH cipher negotiation on TCP/5666 as a strong indicator of exploit activity. ↗
- →The exploit encodes the stage payload in Base64 and uses GNU sed for decoding, then executes via $() substitution. Look for NRPE query packets containing base64-encoded strings passed as command arguments. ↗
- →NRPE query packets have a fixed 1024-byte command buffer. Inspect the packet structure (version=2, type=1) on TCP/5666 for $() metacharacters embedded in the command/argument field. ↗
- →The exploit targets specific NRPE plugin commands: check_procs, check_users, check_load, check_disk. Alert on NRPE queries to these commands containing shell metacharacters. ↗
- →Processes spawned by NRPE with 'setsid nohup' pattern indicate successful exploitation; monitor for child processes of the nagios/nrpe user matching this pattern. ↗
- ·Exploitation requires the NRPE configuration option 'dont_blame_nrpe' to be enabled (set to 1) in nrpe.cfg, which allows remote command-line arguments. Default installations with this option disabled are not exploitable. ↗
- ·The vulnerability is only triggered when plugin scripts are executed under bash, as $() is a bash-specific command substitution feature. Scripts run under other shells may not be affected. ↗
- ·The blacklist in nrpc.c filters characters including |, `, &, >, ), but omits $(), making the blacklist incomplete. The Metasploit module explicitly notes NRPE will reject queries containing those filtered characters. ↗
- ·Commands exploitable via this vulnerability are limited to those configured in nrpe.cfg to accept arguments. The Metasploit module defaults to check_procs but also supports check_users, check_load, and check_disk. ↗
CVSS provenance
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
osv7.5HIGH
vendor_debian7.5LOW
vendor_redhat7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-cp28-pf73-xw7v: Incomplete blacklist vulnerability in nrpc
ghsa_unreviewed·2022-05-14
CVE-2013-1362 [HIGH] CWE-20 GHSA-cp28-pf73-xw7v: Incomplete blacklist vulnerability in nrpc
Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via "$()" shell metacharacters, which are processed by bash.
OSV
CVE-2013-1362: Incomplete blacklist vulnerability in nrpc
osv·2013-07-09·CVSS 7.5
CVE-2013-1362 [HIGH] CVE-2013-1362: Incomplete blacklist vulnerability in nrpc
Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via "$()" shell metacharacters, which are processed by bash.
Red Hat
NRPE: nagios metacharacter filtering omission
vendor_redhat·2013-02-21·CVSS 7.5
CVE-2013-1362 [HIGH] CWE-78 NRPE: nagios metacharacter filtering omission
NRPE: nagios metacharacter filtering omission
Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via "$()" shell metacharacters, which are processed by bash.
Package: nrpe (Red Hat OpenStack Platform 3) - Affected
Package: nrpe (Red Hat OpenStack Platform 4) - Affected
Debian
CVE-2013-1362: nagios-nrpe - Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (...
vendor_debian·2013·CVSS 7.5
CVE-2013-1362 [HIGH] CVE-2013-1362: nagios-nrpe - Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (...
Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via "$()" shell metacharacters, which are processed by bash.
Scope: local
bookworm: resolved (fixed in 2.13-3)
bullseye: resolved (fixed in 2.13-3)
forky: resolved (fixed in 2.13-3)
sid: resolved (fixed in 2.13-3)
trixie: resolved (fixed in 2.13-3)
No detection rules found.
Exploit-DB
Nagios Remote Plugin Executor - Arbitrary Command Execution (Metasploit)
exploitdb·2013-04-12
CVE-2013-1362 Nagios Remote Plugin Executor - Arbitrary Command Execution (Metasploit)
Nagios Remote Plugin Executor - Arbitrary Command Execution (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
#
require 'msf/core'
require 'zlib'
class Metasploit3 'Nagios Remote Plugin Executor Arbitrary Command Execution',
'Description' => %q{
The Nagios Remote Plugin Executor (NRPE) is installed to allow a central
Nagios server to actively poll information from the hosts it monitors. NRPE
has a configuration option dont_blame_nrpe which enables command-line arguments
to be provided remote plugins. When this option is enabled, even when NRPE makes
an effort to sanitize arguments to pr
Metasploit
Nagios Remote Plugin Executor Arbitrary Command Execution
metasploit
Nagios Remote Plugin Executor Arbitrary Command Execution
Nagios Remote Plugin Executor Arbitrary Command Execution
The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.
Bugzilla
CVE-2013-1362 Nagios NRPE: nagios metacharacter filtering omission [epel-all]
bugzilla·2013-03-01·CVSS 7.5
CVE-2013-1362 [HIGH] CVE-2013-1362 Nagios NRPE: nagios metacharacter filtering omission [epel-all]
CVE-2013-1362 Nagios NRPE: nagios metacharacter filtering omission [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issu
Bugzilla
CVE-2013-1362 Nagios NRPE: nagios metacharacter filtering omission
bugzilla·2013-03-01·CVSS 7.5
CVE-2013-1362 [HIGH] CVE-2013-1362 Nagios NRPE: nagios metacharacter filtering omission
CVE-2013-1362 Nagios NRPE: nagios metacharacter filtering omission
Rudolph Pereira ([email protected]) reports:
Summary:
CVE-ID: CVE-2013-1362
CVSS: Base Score 7.5
CVSS2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:UC/CDP:N/TD:N/CR:L/IR:L/AR:L
Vendor: Nagios
Affected Products: NRPE
Affected Platforms: All
Affected versions: <'\"\\[]{};"
This allows the passing of $() to plugins/scripts which, if run under
bash, will execute that shell command under a subprocess and pass the
output as a parameter to the called script. Using this, it is possible
to get called scripts, such as check_http, to execute arbitrary
commands under the uid that NRPE/nagios is running as (typically,
'nagios').
Solution
Upgrade to NRPE 2.14 or later, available at
http://sourceforge.net/projects/nagios
Bugzilla
CVE-2013-1362 Nagios NRPE: nagios metacharacter filtering omission [fedora-all]
bugzilla·2013-03-01·CVSS 7.5
CVE-2013-1362 [HIGH] CVE-2013-1362 Nagios NRPE: nagios metacharacter filtering omission [fedora-all]
CVE-2013-1362 Nagios NRPE: nagios metacharacter filtering omission [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue a
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00005.htmlhttp://lists.opensuse.org/opensuse-security-announce/2013-04/msg00006.htmlhttp://seclists.org/bugtraq/2013/Feb/119http://www.exploit-db.com/exploits/24955http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerabilityhttps://bugzilla.novell.com/show_bug.cgi?id=807241http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00005.htmlhttp://lists.opensuse.org/opensuse-security-announce/2013-04/msg00006.htmlhttp://seclists.org/bugtraq/2013/Feb/119http://www.exploit-db.com/exploits/24955http://www.occamsec.com/vulnerabilities.html#nagios_metacharacter_vulnerabilityhttps://bugzilla.novell.com/show_bug.cgi?id=807241
2013-07-09
Published