CVE-2013-1362 - log back

CVE-2013-1362 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary command execution
Description
+ Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) might allow remote attackers to execute arbitrary shell commands via "$()" shell metacharacters, which are processed by bash.
References
+ http://seclists.org/bugtraq/2013/Feb/119
+ https://github.com/NagiosEnterprises/nrpe/commit/eaaebb3c2925f9aee74319b61264ee535784b859
Notes
+ This issue can only occur when nrpc is compiled with --enable-command-args and the administrator enables the "dont_blame_nrpe" option in nrpe.conf despite the "HIGH security risk" warning within the comments.
+
+ Test Exploit:
+ # ./check_nrpe -n -H 127.0.0.1 -c check_disk -a "-c $(touch /tmp/VULNERABLE)"