hbokh
Joined: 24 Feb 2005 Posts: 37 Location: Groningen, NL
Posted: Wed Dec 27, 2006 7:53 pm Post subject: [Cacti <= 0.8.6i] Remote Injection Exploit
Cacti <= 0.8.6i cmd.php popen() Remote Injection Exploit
HEADS UP!
See http://www.milw0rm.com/exploits/3029 for the actual exploit...
Or am I stepping out of line here?

amaret0
Joined: 28 Dec 2006 Posts: 1
Posted: Thu Dec 28, 2006 2:03 am
Sorry for the question, but...
Are there any fixes/patches for this "hot" bug?
Or any temporary solution?
Thanks in advance.
~A

Wunk
Joined: 05 Mar 2004 Posts: 35
Posted: Thu Dec 28, 2006 3:57 am
I second this, any quick fixes/patch?
edit:
Quick fix: just make cmd.php unreadable by the user that the webserver runs as (nobody/apache/httpd), just make sure it's readable by the user that the poller runs as.

 |
sizulku Cacti User
Joined: 04 Nov 2002 Posts: 102 Location: ACEH
Posted: Thu Dec 28, 2006 8:08 am
Have you tried this exploit? I'm using it on my Cacti 0.8.6h but it won't work, so I'm safe.

rony Developer/Forum Admin
Joined: 17 Nov 2003 Posts: 5453 Location: Wisconsin, USA
Posted: Thu Dec 28, 2006 9:39 am
You only have to worry if you have "register_globals" enabled in php.
If you are worried about this issue, and you should be if your Cacti installation is exposed to the internet, I would suggest that you limit access to Cacti and make sure that "register_globals" is off.

egarnel Cacti Pro User
Joined: 21 Nov 2002 Posts: 630 Location: Austin, TX
Posted: Thu Dec 28, 2006 9:45 am
It appears that register_globals is off by default in CactiEZ v1.0 and the beta.
Locking down access to your monitoring servers is good practice as well.

cigamit Developer
Joined: 07 Apr 2005 Posts: 946 Location: B/CS Texas
Posted: Thu Dec 28, 2006 1:20 pm
Even with register globals off, I seem to be able to exploit it.
I can stop it from proceeding if I change
Code:
/* do NOT run this script through a web browser */
if (!isset($_SERVER["argv"][0])) {
	die("<br><strong>This script is only meant to run at the command line.</strong>");
}

to this

Code:
/* do NOT run this script through a web browser */
if (!isset($_SERVER["argv"][0]) || isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['REMOTE_ADDR'])) {
	die("<br><strong>This script is only meant to run at the command line.</strong>");
}

This works great on Apache, but I am unsure of how it will work on IIS (I don't have an IIS server to test on).

rony Developer/Forum Admin
Joined: 17 Nov 2003 Posts: 5453 Location: Wisconsin, USA
Posted: Thu Dec 28, 2006 1:27 pm
You can get past the die, yes, but can you inject the command into the table?

rgod
Joined: 28 Dec 2006 Posts: 2
Posted: Thu Dec 28, 2006 1:39 pm
The exploit condition is register_argc_argv = on, not register_globals = on, as you wrote in Mantis.
The request method check works fine.
Ah, I see the wrong check in various scripts, so... other attacks may be possible; if you have that directive on, grep for that.
This .htaccess line should work temporarily, it worked for me:
php_value register_argc_argv off

tsnww
Joined: 15 Mar 2006 Posts: 17
Posted: Thu Dec 28, 2006 2:00 pm Post subject: Actual description of issue **not exploit code**
Cacti "cmd.php" Command Execution and SQL Injection
Secunia Advisory: SA23528
Release Date: 2006-12-28
Critical: Highly critical
Impact: Security Bypass, Manipulation of data, System access
Where: From remote
Solution Status: Unpatched
Software: Cacti 0.x

Description:
rgod has discovered three vulnerabilities in Cacti, which can be exploited by malicious people to bypass certain security restrictions, manipulate data and compromise vulnerable systems.

1) The cmd.php script does not properly restrict access to command line usage and is installed in a web-accessible location.
Successful exploitation requires that "register_argc_argv" is enabled.

2) Input passed in the URL to cmd.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation requires that "register_argc_argv" is enabled.

3) The results from the SQL queries in 2) in cmd.php are not properly sanitised before being used as shell commands. This can be exploited to inject arbitrary shell commands.

The vulnerabilities are confirmed in version 0.8.6i. Other versions may also be affected.

Solution:
Move the "cmd.php" script to a not web-accessible path, and update other scripts accordingly.
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
rgod

rony Developer/Forum Admin
Joined: 17 Nov 2003 Posts: 5453 Location: Wisconsin, USA
Posted: Thu Dec 28, 2006 2:47 pm
Sorry, home sick today. Guess I didn't review the exploit that well.
Bug updated.

cigamit Developer
Joined: 07 Apr 2005 Posts: 946 Location: B/CS Texas
Posted: Thu Dec 28, 2006 3:09 pm
Just to note, on both my testing systems and my remote production box, disabling register_argc_argv causes Cacti to stop polling.

cigamit Developer
Joined: 07 Apr 2005 Posts: 946 Location: B/CS Texas
Posted: Thu Dec 28, 2006 3:44 pm
Well, the effective way to stop the exploit is to properly check the passed arguments before inserting. They should be numbers, so let's just check them and exit if they aren't what we want.
Find this block of code

Code:
}else{
	$print_data_to_stdout = false;
	if ($_SERVER["argc"] == "3") {
		if ($_SERVER["argv"][1] <= $_SERVER["argv"][2]) {

and add this code directly afterwards.

Code:
$_SERVER["argv"][1] = input_validate_input_number($_SERVER["argv"][1]);
$_SERVER["argv"][2] = input_validate_input_number($_SERVER["argv"][2]);

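The two fixes cigamit describes in this thread (a guard that refuses web invocation, and integer validation of the two argv values before they reach SQL or popen()) combined into one hardened preamble, as an added example that is not Cacti's own code. It assumes cmd.php takes a first and last host id and a `host` table with `id`, `hostname` and `disabled` columns; the function names are hypothetical.

```php
<?php
// Added example, not Cacti's code. Hypothetical helpers for a poller script
// such as cmd.php that takes two integer arguments (assumed: first/last host id).

function is_cli_invocation(): bool
{
    // Only the CLI SAPI should run the poller. Web SAPIs also expose
    // REQUEST_METHOD and REMOTE_ADDR, so checking those too keeps the guard
    // independent of register_argc_argv (which the CLI SAPI forces on anyway).
    if (PHP_SAPI !== 'cli') {
        return false;
    }
    return !isset($_SERVER['REQUEST_METHOD']) && !isset($_SERVER['REMOTE_ADDR']);
}

function validate_id_range(array $argv): ?array
{
    // Exactly two arguments, each digits only, so neither SQL fragments nor
    // shell metacharacters can ever reach the query or the popen() command.
    if (count($argv) !== 3) {
        return null;
    }
    foreach ([1, 2] as $i) {
        if (!preg_match('/^[0-9]{1,9}$/', $argv[$i])) {
            return null;
        }
    }
    $first = (int) $argv[1];
    $last  = (int) $argv[2];
    return ($first <= $last) ? [$first, $last] : null;
}

if (!is_cli_invocation()) {
    die("This script is only meant to run at the command line.");
}

$range = validate_id_range($_SERVER['argv']);
if ($range === null) {
    fwrite(STDERR, "usage: cmd.php <first_host_id> <last_host_id>\n");
    exit(1);
}
[$first_id, $last_id] = $range;

// Only integers get here; still interpolate with %d (or a prepared statement)
// and escapeshellarg() anything later handed to popen(). Schema names assumed.
$sql = sprintf('SELECT id, hostname FROM host WHERE id BETWEEN %d AND %d AND disabled = ""',
    $first_id, $last_id);
```

Unlike the .htaccess workaround discussed above, this keeps register_argc_argv untouched, so CLI polling keeps working while a web request is refused before any argument is used.
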
tsnww
Joined: 15 Mar 2006 Posts: 17
Posted: Thu Dec 28, 2006 3:57 pm
^ I've added your code into cmd.php on my box... I haven't tried the exploit against it, but I'm watching to make sure all is well with the server for now.