Cacti: official forums and support
All times are UTC - 5 hours




 Post subject: [Cacti <= 0.8.6i] Remote Injection Exploit
PostPosted: Wed Dec 27, 2006 7:53 pm 

Joined: Thu Feb 24, 2005 4:29 pm
Posts: 40
Location: Groningen, NL
Cacti <= 0.8.6i cmd.php popen() Remote Injection Exploit

HEADS UP!

See http://www.milw0rm.com/exploits/3029 for the actual exploit...
Or am I stepping out of line here?

_________________
This is my sick nature...


PostPosted: Thu Dec 28, 2006 2:03 am

Joined: Thu Dec 28, 2006 2:02 am
Posts: 1
Sorry for the question, but...
Are there any fixes/patches for this "hot" bug?
Or any temporary solution?

Thanks in advance.

~A


PostPosted: Thu Dec 28, 2006 3:57 am

Joined: Fri Mar 05, 2004 8:34 am
Posts: 37
I second this; any quick fixes / patches?


edit:

Quick fix: just make cmd.php unreadable by the user that the webserver runs as (nobody/apache/httpd); just make sure it's readable by the user that the poller runs as.

_________________
Jeroen Wunnink
Easyhosting.nl Sysadmin


PostPosted: Thu Dec 28, 2006 8:08 am
Cacti User

Joined: Mon Nov 04, 2002 9:15 am
Posts: 110
Location: ACEH
Have you tried this exploit? I'm using it on my Cacti 0.8.6h but it won't work, so I'm safe :oops:


PostPosted: Thu Dec 28, 2006 9:39 am
Developer/Forum Admin

Joined: Mon Nov 17, 2003 6:35 pm
Posts: 5904
Location: Michigan, USA
You only have to worry if you have "register_globals" enabled in php.

If you are worried about this issue, and you should be if your Cacti installation is exposed to the internet, I would suggest that you limit access to Cacti and make sure that "register_globals" is off.

_________________
Tony Roman
Experience is what causes a person to make new mistakes instead of old ones.
There are only 3 ways to complete a project: Good, Fast or Cheap; pick two.
With age comes wisdom, what you choose to do with it determines whether or not you are wise.


PostPosted: Thu Dec 28, 2006 9:45 am
Cacti Pro User

Joined: Thu Nov 21, 2002 8:55 am
Posts: 703
Location: Austin, TX
It appears that register_globals is off by default in CactiEZ v1.0 and the beta.

Locking down access to your monitoring servers is good practice as well.

_________________
Cacti1 OS: CentOS 5.6 | 300+ devices
Cacti2 OS: CentOS 5.6 | 300+ devices
King of the Elves
Local Anarchists Union #427
"Anarchism is founded on the observation that since few men are wise enough to rule themselves, even fewer are wise enough to rule others." -Edward Abbey


PostPosted: Thu Dec 28, 2006 10:02 am
Developer/Forum Admin

Joined: Mon Nov 17, 2003 6:35 pm
Posts: 5904
Location: Michigan, USA
Issue reported into the bug database.

Link for those who would like to track.
http://bugs.cacti.net/view.php?id=883

_________________
Tony Roman

PostPosted: Thu Dec 28, 2006 1:20 pm
Developer

Joined: Thu Apr 07, 2005 3:29 pm
Posts: 1681
Location: B/CS Texas
Even with register_globals off, I seem to be able to exploit it.

I can stop it from proceeding if I change
Code:
/* do NOT run this script through a web browser */
if (!isset($_SERVER["argv"][0])) {
   die("<br><strong>This script is only meant to run at the command line.</strong>");
}
to this
Code:
/* do NOT run this script through a web browser */
if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
   die("<br><strong>This script is only meant to run at the command line.</strong>");
}

This works great on Apache, but I am unsure of how it will work on IIS (I don't have an IIS server to test on).

_________________
CactiEZ CD


PostPosted: Thu Dec 28, 2006 1:27 pm
Developer/Forum Admin

Joined: Mon Nov 17, 2003 6:35 pm
Posts: 5904
Location: Michigan, USA
You can get past the die, yes, but can you inject the command into the table?

_________________
Tony Roman

PostPosted: Thu Dec 28, 2006 1:39 pm

Joined: Thu Dec 28, 2006 4:04 am
Posts: 2
The exploit condition is register_argc_argv = on, not register_globals = on, as you wrote in Mantis.
The request method check works fine.

Ah, I see the wrong check in various scripts, so other attacks may be possible; if you have that directive on, grep for that.

This .htaccess line should work temporarily; it worked for me:
Code:
php_value register_argc_argv off


 Post subject: Actual description of issue **not exploit code**
PostPosted: Thu Dec 28, 2006 2:00 pm 

Joined: Wed Mar 15, 2006 8:59 am
Posts: 17
Cacti "cmd.php" Command Execution and SQL Injection

Secunia Advisory: SA23528
Release Date: 2006-12-28

Critical: Highly critical
Impact: Security Bypass, Manipulation of data, System access
Where: From remote
Solution Status: Unpatched
Software: Cacti 0.x

Description:
rgod has discovered three vulnerabilities in Cacti, which can be exploited by malicious people to bypass certain security restrictions, manipulate data and compromise vulnerable systems.

1) The cmd.php script does not properly restrict access to command line usage and is installed in a web-accessible location.

Successful exploitation requires that "register_argc_argv" is enabled.

2) Input passed in the URL to cmd.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires that "register_argc_argv" is enabled.

3) The results from the SQL queries in 2) in cmd.php are not properly sanitised before being used as shell commands. This can be exploited to inject arbitrary shell commands.

The vulnerabilities are confirmed in version 0.8.6i. Other versions may also be affected.

Solution:
Move the "cmd.php" script to a not web-accessible path, and update other scripts accordingly.

Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
rgod


PostPosted: Thu Dec 28, 2006 2:47 pm
Developer/Forum Admin

Joined: Mon Nov 17, 2003 6:35 pm
Posts: 5904
Location: Michigan, USA
Sorry home sick today. Guess I didn't review the exploit that well.

Bug updated.

_________________
Tony Roman

PostPosted: Thu Dec 28, 2006 3:09 pm
Developer

Joined: Thu Apr 07, 2005 3:29 pm
Posts: 1681
Location: B/CS Texas
Just to note, on both my testing systems and my remote production box, disabling register_argc_argv causes Cacti to stop polling.

_________________
CactiEZ CD


PostPosted: Thu Dec 28, 2006 3:44 pm
Developer

Joined: Thu Apr 07, 2005 3:29 pm
Posts: 1681
Location: B/CS Texas
Well, the effective way to stop the exploit is to properly check the passed arguments before inserting. They should be numbers, so let's just check them and exit if they aren't what we want.

Find this block of code
Code:
}else{
   $print_data_to_stdout = false;
   if ($_SERVER["argc"] == "3") {
      if ($_SERVER["argv"][1] <= $_SERVER["argv"][2]) {

and add this code directly afterwards.
Code:
         $_SERVER["argv"][1] = input_validate_input_number($_SERVER["argv"][1]);
         $_SERVER["argv"][2] = input_validate_input_number($_SERVER["argv"][2]);

_________________
CactiEZ CD
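As an added illustration (not Cacti's own code and not anything posted in this thread), the following PHP combines the two fixes discussed above, the CLI-only guard from the 1:20 pm post and the numeric validation of `argv` from this one, with the two later steps the Secunia advisory points at: keeping the bounds out of the SQL text and quoting anything that reaches `popen()`. `PHP_SAPI`, `ctype_digit()` and `escapeshellarg()` are standard PHP; the function names, the `poller_item` table and its columns are assumptions made for the example, and it assumes the poller invokes the command-line `php` binary (under `php-cgi`, `PHP_SAPI` would not be `cli`).

```php
<?php
/* Added example of a hardened prologue for a CLI-only poller script.
 * Not Cacti's code; table/column names and function names are hypothetical. */

/* 1. CLI guard. With register_argc_argv on, a web request populates
 *    $_SERVER['argv'] from the query string, so isset($_SERVER['argv'][0])
 *    alone proves nothing. PHP_SAPI is 'cli' only for command-line runs, and
 *    REQUEST_METHOD / REMOTE_ADDR are only ever set by a web server. */
function running_from_cli(array $server, string $sapi = PHP_SAPI): bool
{
    return $sapi === 'cli'
        && !isset($server['REQUEST_METHOD'])
        && !isset($server['REMOTE_ADDR']);
}

/* 2. Argument validation. Both poller bounds must be plain non-negative
 *    integers; anything else (including SQL syntax) is rejected before it can
 *    reach a query. Returns [first, last] or null. */
function validate_range(array $argv): ?array
{
    if (count($argv) !== 3) {
        return null;
    }
    foreach ([1, 2] as $i) {
        if (!is_string($argv[$i]) || !ctype_digit($argv[$i])) {
            return null;
        }
    }
    $first = (int) $argv[1];
    $last  = (int) $argv[2];
    return $first <= $last ? [$first, $last] : null;
}

/* 3. Parameterised SQL. The bounds are bound values, never concatenated into
 *    the statement text. Returned as sql + params so the example runs without
 *    a database; with PDO: $pdo->prepare($q['sql'])->execute($q['params']). */
function poller_query(int $first, int $last): array
{
    return [
        'sql'    => 'SELECT id, command, arg FROM poller_item WHERE id BETWEEN ? AND ?',
        'params' => [$first, $last],
    ];
}

/* 4. Shell quoting. A row read back from the database is still untrusted
 *    input for popen(): quote the program and every argument separately. */
function build_shell_command(string $program, array $args): string
{
    return implode(' ', array_map('escapeshellarg', array_merge([$program], $args)));
}

if (!running_from_cli($_SERVER)) {
    fwrite(STDERR, "This script is only meant to run at the command line.\n");
    exit(1);
}
$range = validate_range($_SERVER['argv']);
if ($range === null) {
    fwrite(STDERR, "usage: php cmd.php <first_id> <last_id>  (integers, first <= last)\n");
    exit(1);
}
[$first, $last] = $range;
$q = poller_query($first, $last);
echo $q['sql'], "  -- params: ", implode(', ', $q['params']), "\n";

/* Constructed sample row standing in for a poller_item result whose argument
 * carries shell metacharacters; escapeshellarg() renders them inert. */
$row = ['command' => '/usr/bin/snmpget', 'arg' => "public'; id"];
echo build_shell_command($row['command'], [$row['arg']]), "\n";
```

Run as `php cmd.php 1 10`; a bound such as `1'` or `10 OR 1=1` is refused at step 2 before any SQL is built, and a request arriving through the web SAPI stops at step 1 regardless of `register_argc_argv`. Validating the arguments in the script, rather than turning the ini directive off, also avoids the side effect noted earlier in the thread, where disabling `register_argc_argv` stopped the poller from running at all.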


PostPosted: Thu Dec 28, 2006 3:57 pm

Joined: Wed Mar 15, 2006 8:59 am
Posts: 17
^ I've added your code into cmd.php on my box... I haven't tried the exploit against it but watching to make sure all is well w/ the server for now ;)

