Vigil@nce - Nagios Plugins: information disclosure via check_dhcp
July 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use check_dhcp of Nagios Plugins, to read a file
with INI format, in order to obtain sensitive information.
Impacted products: Nagios Open Source
Severity: 2/4
Creation date: 30/06/2014
DESCRIPTION OF THE VULNERABILITY
The check_dhcp script of Nagios Plugins checks the availability of
DHCP servers. This script is installed suid root:
The "—extra-opts" option is used to read a file in format INI :
[section]
var=val
The check_dhcp reads these files with root privileges. In order to
protect against VIGILANCE-VUL-14761 (https://vigilance.fr/tree/1/14761?w=66901),
the script checks if the user is allowed to read the file.
However, a local attacker can create a symbolic link during the
check, and then point to the file before its opening.
An attacker can therefore use check_dhcp of Nagios Plugins, to
read a file with INI format, in order to obtain sensitive
information.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Nagios-Plugins-information-disclosure-via-check-dhcp-14952