[Cacti <= 0.8.6i] Remote Injection Exploit

Post by **rony** » Thu Dec 28, 2006 4:41 pm

Jimmy,

Test it then commit to SVN.

I will talk to Ian about releasing a patch.

Damon · Post by **Damon** » Thu Dec 28, 2006 10:08 pm

For anyone using apache with mod_rewrite enabled, you could just add the following to an .htaccess file in the Cacti folder:

Code: Select all

RewriteEngine On
RewriteRule ^cmd\.php$ http://www.site.com/cacti/index.php [R]

Should solve the problem, just redirects accesses to cmd.php to the index.php file.

cigamit · Post by **cigamit** » Fri Dec 29, 2006 2:00 am

Tested and working perfectly for the last 6 hours on my 2 test boxes and my remote production box. I now can not exploit it using the script provided or any other way I can find.

Committed to SVN.

rgod · Post by **rgod** » Sat Dec 30, 2006 5:30 pm

copy_cacti_user.php is also vulnerable...

http://retrogod.altervista.org/cacti_086i_adm.html

and through script_server.php is possible to start an unlimited number of php processes to a have a D.o.S.

cigamit · Post by **cigamit** » Sat Dec 30, 2006 5:34 pm

rgod wrote:copy_cacti_user.php is also vulnerable...

http://retrogod.altervista.org/cacti_086i_adm.html

Yep, and a few other files too under certain conditions. I'm working on getting them patched right now.

Post by **TheWitness** » Sun Dec 31, 2006 10:31 am

Jimmy etal,

I have made several modification to SVN last night. I used the script check noted on page one. I had to modify the sanitize function in that it does not return the modified numeric value. Therefore, it will now just die.

cmd.php did not work with the original fix. Of course, if you are running cactid, you would never know that.

The files I modified with the new script check were as follows:

cmd.php
copy_cacti_user.php
poller.php
poller_commands.php
poller_export.php
poller_reindex_hosts.php
rebuild_poller_cache.php
script_server.php

TheWitness

Post by **rony** » Sun Dec 31, 2006 1:34 pm

How does the modified sanitize function affect web interface?

Post by **TheWitness** » Sun Dec 31, 2006 1:37 pm

I have not modified the sanitize function. However, the script was resetting the argv values to null values due to the fact that it only kills the script execution and does not return anything.

What happened was that because of this, the starting and ending hosts for the cmd.php execution would be set to null causing cmd.php's query to fail.

By simply calling sanitize, setting those values to null no longer takes place.

TheWitness

Post by **rony** » Sun Dec 31, 2006 2:33 pm

Ah...

neurotox · Post by **neurotox** » Sun Dec 31, 2006 3:23 pm

In SVN the bug is suppose to be resolve... Any patch is planning soon?

Post by **TheWitness** » Sun Dec 31, 2006 4:56 pm

We will have a CC on Monday to discuss.

TheWitness

Post by **rony** » Mon Jan 01, 2007 12:26 am

Translation...

We are having a conference call concerning this issue on Monday, January 1st 2007.

stevewest15 · Post by **stevewest15** » Tue Jan 02, 2007 11:46 am

Great work everyone! Can't wait to hear what came out of the conference call...

Keep up the great work...

thx,

SW

keyboardgnome · Post by **keyboardgnome** » Wed Jan 03, 2007 4:39 pm

Status update?

Post by **rony** » Wed Jan 03, 2007 4:58 pm

Patch will be released this week.

[Cacti <= 0.8.6i] Remote Injection Exploit

Who is online