For a while my mom was using Living Cookbook, a .NET-based desktop solution for managing recipes. It’s decent software, fairly stable and feature-filled, but its commercial closed-source nature means locked-in users, and no alternative for when you lose your license as a result of a hardware failure (or human error). So when mom called in a mild panic over losing Grandma’s lasagna recipe, I knew I had to take a gander.
A new post to the Full Disclosure mailing list today detailed a remote code execution vulnerability within all available versions of the Nagios Remote Plugin Executor (NRPE), and provided a PoC that included gaining a reverse shell on the target server. Note that this reported exploit relies on a separate (but similar) vulnerability report in CVE-2013-1362. In today’s post, Dawid Golunski properly identifies a weakness within the NRPE argument sanitization that could allow a client to execute arbitrary commands on the remote host within the context of the NRPE user. At first this seems like a pretty serious vulnerability, but further analysis shows that successful exploitation hinges on a series of bad practices not related to the NRPE code itself.
Are brewing. And not breaking. All good things.
Too lazy to write anything else. You know what to do.