[Cacti <= 0.8.6i] Remote Injection Exploit
Cacti <= 0.8.6i cmd.php popen() Remote Injection Exploit
HEADS UP!
See http://www.milw0rm.com/exploits/3029 for the actual exploit...
Or am I stepping out of line here?
This is my sick nature...
- rony
- Developer/Forum Admin
- Posts: 6022
- Joined: Mon Nov 17, 2003 6:35 pm
- Location: Michigan, USA
- Contact:
You only have to worry if you have "register_globals" enabled in php.
If you are worried about this issue, and you should be, if your Cacti installation is exposed to the internet, I would suggest that you limit access to Cacti and make sure that "register_globals" is off.
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
It appears that register_globals is off by default in CactiEZ v1.0 and the beta.
Locking down access to your monitoring servers is good practice as well.
Cacti1 OS: CentOS 5.6 | 300+ devices
Cacti2 OS: CentOS 5.6 | 300+ devices
King of the Elves
Local Anarchists Union #427
"Anarchism is founded on the observation that since few men are wise enough to rule themselves, even fewer are wise enough to rule others." -Edward Abbey
- rony
- Developer/Forum Admin
Issue reported into the bug database.
Link for those who would like to track.
http://bugs.cacti.net/view.php?id=883
Even with register globals off, I seem to be able to exploit it.
I can stop it from proceeding if I change
Code:
/* do NOT run this script through a web browser */
if (!isset($_SERVER["argv"][0])) {
	die("<br><strong>This script is only meant to run at the command line.</strong>");
}
to this
Code:
/* do NOT run this script through a web browser */
if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
	die("<br><strong>This script is only meant to run at the command line.</strong>");
}
This works great on Apache, but I am unsure of how it will work on IIS (I don't have an IIS server to test on).
- rony
- Developer/Forum Admin
You can get past the die, yes, but can you inject the command into the table?
The exploit condition is register_argc_argv = on, not register_globals = on, like you wrote in mantis.
Request method check works fine.
Ah, I see the wrong check in various scripts, so other attacks may be possible; if you have that directive on, grep for that.
This .htaccess line should work temporarily, it worked for me:
php_value register_argc_argv off
Actual description of issue **not exploit code**
Cacti "cmd.php" Command Execution and SQL Injection
Secunia Advisory: SA23528
Release Date: 2006-12-28
Critical: Highly critical
Impact: Security Bypass, Manipulation of data, System access
Where: From remote
Solution Status: Unpatched
Software: Cacti 0.x
Description:
rgod has discovered three vulnerabilities in Cacti, which can be exploited by malicious people to bypass certain security restrictions, manipulate data and compromise vulnerable systems.
1) The cmd.php script does not properly restrict access to command line usage and is installed in a web-accessible location.
Successful exploitation requires that "register_argc_argv" is enabled.
2) Input passed in the URL to cmd.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation requires that "register_argc_argv" is enabled.
3) The results from the SQL queries in 2) in cmd.php are not properly sanitised before being used as shell commands. This can be exploited to inject arbitrary shell commands.
The vulnerabilities are confirmed in version 0.8.6i. Other versions may also be affected.
Solution:
Move the "cmd.php" script to a not web-accessible path, and update other scripts accordingly.
Edit the source code to ensure that input is properly sanitised.
Provided and/or discovered by:
rgod
- rony
- Developer/Forum Admin
Sorry home sick today. Guess I didn't review the exploit that well.
Bug updated.
Well, the effective way to stop the exploit is to properly check the passed arguments before inserting. They should be numbers, so let's just check them and exit if they aren't what we want.
Find this block of code
Code:
}else{
	$print_data_to_stdout = false;
	if ($_SERVER["argc"] == "3") {
		if ($_SERVER["argv"][1] <= $_SERVER["argv"][2]) {
and add this code directly afterwards.
Code:
$_SERVER["argv"][1] = input_validate_input_number($_SERVER["argv"][1]);
$_SERVER["argv"][2] = input_validate_input_number($_SERVER["argv"][2]);
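As an added example (not Cacti's code and not from any poster above), the following combines the two mitigations discussed in this thread: a web-request guard that does not rely on register_argc_argv, and strict numeric validation of the arguments before they reach a query or a shell. The function names, the "host" table and the $pdo connection are assumptions made for illustration.

```php
<?php
// Added example, not Cacti's code: a CLI-only guard plus strict numeric
// argument validation for a script like cmd.php. Function names, the
// "host" table and the $pdo connection are assumptions for illustration.

// True for any web SAPI. Unlike the argv check, this does not depend on
// register_argc_argv: a web request always sets REQUEST_METHOD/REMOTE_ADDR.
function running_from_web_request() {
    return PHP_SAPI !== 'cli'
        || isset($_SERVER['REQUEST_METHOD'])
        || isset($_SERVER['REMOTE_ADDR']);
}

// Accept only an unsigned decimal string (no sign, spaces, quotes or SQL
// fragments) of sane length; return it as int, or null when rejected.
function parse_id_argument($value) {
    if (!is_string($value) || $value === '' || !ctype_digit($value)
        || strlen($value) > 10) {
        return null;
    }
    return (int) $value;
}

if (running_from_web_request()) {
    die("This script is only meant to run at the command line.\n");
}

if ($argc == 3) {
    $first = parse_id_argument($argv[1]);
    $last  = parse_id_argument($argv[2]);
    if ($first === null || $last === null || $first > $last) {
        fwrite(STDERR, "usage: php cmd.php <first_id> <last_id>\n");
        exit(1);
    }
    // Validated or not, bind rather than interpolate into the query
    // ($pdo is an assumed, already-opened PDO connection).
    $stmt = $pdo->prepare(
        'SELECT hostname FROM host WHERE id BETWEEN :first AND :last');
    $stmt->bindValue(':first', $first, PDO::PARAM_INT);
    $stmt->bindValue(':last',  $last,  PDO::PARAM_INT);
    $stmt->execute();
    foreach ($stmt as $row) {
        // A database value is untrusted input to the shell: quote it.
        echo shell_exec('ping -c 1 ' . escapeshellarg($row['hostname']));
    }
}
```

The guard addresses point 1 of the advisory, the numeric parsing point 2, and escapeshellarg() on the query result point 3.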