[Cacti <= 0.8.6i] Remote Injection Exploit

Post general support questions here that do not specifically fall into the Linux or Windows categories.

Moderators: Developers, Moderators

User avatar
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA
Contact:

Post by rony »

Jimmy,

Test it then commit to SVN.

I will talk to Ian about releasing a patch.
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
Damon
Posts: 14
Joined: Mon Dec 25, 2006 2:06 am

Post by Damon »

For anyone using apache with mod_rewrite enabled, you could just add the following to an .htaccess file in the Cacti folder:

Code: Select all

RewriteEngine On
RewriteRule ^cmd\.php$ http://www.site.com/cacti/index.php [R]
Should solve the problem, just redirects accesses to cmd.php to the index.php file.
cigamit
Developer
Posts: 3367
Joined: Thu Apr 07, 2005 3:29 pm
Location: B/CS Texas
Contact:

Post by cigamit »

Tested and working perfectly for the last 6 hours on my 2 test boxes and my remote production box. I now can not exploit it using the script provided or any other way I can find.

Committed to SVN.
rgod
Posts: 2
Joined: Thu Dec 28, 2006 4:04 am

Post by rgod »

copy_cacti_user.php is also vulnerable...

http://retrogod.altervista.org/cacti_086i_adm.html

and through script_server.php is possible to start an unlimited number of php processes to a have a D.o.S.
cigamit
Developer
Posts: 3367
Joined: Thu Apr 07, 2005 3:29 pm
Location: B/CS Texas
Contact:

Post by cigamit »

rgod wrote:copy_cacti_user.php is also vulnerable...

http://retrogod.altervista.org/cacti_086i_adm.html
Yep, and a few other files too under certain conditions. I'm working on getting them patched right now.
User avatar
TheWitness
Developer
Posts: 17007
Joined: Tue May 14, 2002 5:08 pm
Location: MI, USA
Contact:

Post by TheWitness »

Jimmy etal,

I have made several modification to SVN last night. I used the script check noted on page one. I had to modify the sanitize function in that it does not return the modified numeric value. Therefore, it will now just die.

cmd.php did not work with the original fix. Of course, if you are running cactid, you would never know that.

The files I modified with the new script check were as follows:

cmd.php
copy_cacti_user.php
poller.php
poller_commands.php
poller_export.php
poller_reindex_hosts.php
rebuild_poller_cache.php
script_server.php

TheWitness
True understanding begins only when we realize how little we truly understand...

Life is an adventure, let yours begin with Cacti!

Author of dozens of Cacti plugins and customization's. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages


For those wondering, I'm still here, but lost in the shadows. Yearning for less bugs. Who want's a Cacti 1.3/2.0? Streams anyone?
User avatar
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA
Contact:

Post by rony »

How does the modified sanitize function affect web interface?
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
User avatar
TheWitness
Developer
Posts: 17007
Joined: Tue May 14, 2002 5:08 pm
Location: MI, USA
Contact:

Post by TheWitness »

I have not modified the sanitize function. However, the script was resetting the argv values to null values due to the fact that it only kills the script execution and does not return anything.

What happened was that because of this, the starting and ending hosts for the cmd.php execution would be set to null causing cmd.php's query to fail.

By simply calling sanitize, setting those values to null no longer takes place.

TheWitness
True understanding begins only when we realize how little we truly understand...

Life is an adventure, let yours begin with Cacti!

Author of dozens of Cacti plugins and customization's. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages


For those wondering, I'm still here, but lost in the shadows. Yearning for less bugs. Who want's a Cacti 1.3/2.0? Streams anyone?
User avatar
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA
Contact:

Post by rony »

Ah... :)
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
neurotox
Cacti User
Posts: 63
Joined: Mon Apr 17, 2006 3:28 pm
Location: Chateauguay, Quebec

Post by neurotox »

In SVN the bug is suppose to be resolve... Any patch is planning soon?
User avatar
TheWitness
Developer
Posts: 17007
Joined: Tue May 14, 2002 5:08 pm
Location: MI, USA
Contact:

Post by TheWitness »

We will have a CC on Monday to discuss.

TheWitness
True understanding begins only when we realize how little we truly understand...

Life is an adventure, let yours begin with Cacti!

Author of dozens of Cacti plugins and customization's. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages


For those wondering, I'm still here, but lost in the shadows. Yearning for less bugs. Who want's a Cacti 1.3/2.0? Streams anyone?
User avatar
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA
Contact:

Post by rony »

Translation...

We are having a conference call concerning this issue on Monday, January 1st 2007.
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
stevewest15
Posts: 9
Joined: Tue Oct 25, 2005 1:09 pm

Post by stevewest15 »

Great work everyone! Can't wait to hear what came out of the conference call...

Keep up the great work...

thx,

SW
keyboardgnome
Posts: 13
Joined: Sat Mar 25, 2006 12:09 am

Post by keyboardgnome »

Status update?
User avatar
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA
Contact:

Post by rony »

Patch will be released this week.
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
Post Reply

Who is online

Users browsing this forum: No registered users and 0 guests