Cacti: official forums and support
Post subject: Cryptocurrency Miner Spread via PHP Weathermap Vulnerability
PostPosted: Mon Apr 23, 2018 11:56 am
Cacti User
Joined: Fri Feb 10, 2017 2:45 pm
Posts: 263
Location: Long Island, New York, USA
Read the below: www.securitynewspaper.com/2018/03/23/cr ... x-servers/

_________________
See the Cacti 1.x templates I use at: http://www.camerabob.com/cacti

Live: Cacti 1.2.3 @ CentOS 7-6.1810.2.el7 & PHP 5.4.16-46.el7
Maint @ 1.2
Monitor @ 2.3.6
Thold @ 1.2.4

Test: Cacti 1.2.4 @ CentOS 7-6.1810.2.el7 & PHP 5.4.16-46.el7
Maint @ 1.2
Monitor @ 2.3.6
Thold @ 1.2.4


Post subject: Re: Cryptocurrency Miner Spread via PHP Weathermap Vulnerability
PostPosted: Mon Apr 23, 2018 12:27 pm
Cacti Guru User
Joined: Thu Sep 16, 2004 5:53 am
Posts: 5323
Location: United Kingdom
"an outdated Network Weathermap (0.97a and prior)"

0.97b came out in April 2013 (CVE announced in March 2013).

As I understand what happens, you also need to have allowed untrusted third-parties to access the editor, having ignored the warnings in the manual about httpd access, and enabled the editor (ignoring a web-browser-based warning about access control too).

Editor was disabled by default from 0.97a (Jan 2010) onwards. Specific issues from CVEs (unvalidated paths and XSS) addressed in 0.97b (April 2013).

At the time of the CVE announcement, up until 0.98 came out (about 3 years), there was a sticky note on this forum also. Since 0.98 (May 2016), the editor uses Cacti's own permissions, unless you specifically bypass that by editing the editor.php file.

So yes, please update (or check for updates) more than once every 5 years...

_________________
Weathermap 0.98 is out! & QuickTree 1.0. Superlinks is over there now (and built-in to Cacti 1.x).
Some Other Cacti tweaks, including strip-graphs, icons and snmp/netflow stuff.
(Let me know if you have UK DevOps or Network Ops opportunities, too!)


Post subject: Re: Cryptocurrency Miner Spread via PHP Weathermap Vulnerability
PostPosted: Thu Apr 26, 2018 7:10 am
Cacti User
Joined: Fri Feb 10, 2017 2:45 pm
Posts: 263
Location: Long Island, New York, USA
LOL! I wasn't aware that these dates in this 'recent' article were so old. Still good to know for those folks out there that 'set it and forget it'. Good old Ronco-matic.

Post subject: Re: Cryptocurrency Miner Spread via PHP Weathermap Vulnerability
PostPosted: Thu Apr 26, 2018 7:14 am
Cacti Guru User
Joined: Thu Sep 16, 2004 5:53 am
Posts: 5323
Location: United Kingdom
It's really the triple threat of "set it, forget it, and allow everyone in the world to access it".

If weathermap checked for new versions, do you think people would mind?

Post subject: Re: Cryptocurrency Miner Spread via PHP Weathermap Vulnerability
PostPosted: Thu Apr 26, 2018 7:15 am
Cacti User
Joined: Fri Feb 10, 2017 2:45 pm
Posts: 263
Location: Long Island, New York, USA
Howie wrote:
It's really the triple threat of "set it, forget it, and allow everyone in the world to access it".

If weathermap checked for new versions, do you think people would mind?

Only if it broke something during the updates...

Post subject: Re: Cryptocurrency Miner Spread via PHP Weathermap Vulnerability
PostPosted: Thu Apr 26, 2018 7:54 am
Cacti Guru User
Joined: Thu Sep 16, 2004 5:53 am
Posts: 5323
Location: United Kingdom
Oh, not automatically updating, just checking the current version every now and then, and adding a notice on the map management page. "You are running 0.97a. The current version is 0.98a. There are 4 years of updates available. These updates include security updates [if they do]"

Once upon a time, it was a feature of Cacti (well, the Update plugin anyway), but it never made it into the modern plugin architecture.

Post subject: Re: Cryptocurrency Miner Spread via PHP Weathermap Vulnerability
PostPosted: Thu Apr 26, 2018 2:07 pm
Cacti Guru User
Joined: Sun Aug 27, 2017 12:05 am
Posts: 2592
Hmm, I like that idea. Can you open it as an issue on the github website? I recently added the "requires = <plugin> <plugin_version>" to help where one plugin needs another of a specific version (minimum). A version update URL in the INFO file (which points at an INFO file) would be a good way to go. Thus it can compare the two and on the plugin page give a warning. We might have to make it configurable on the reporting interval of plugin updates, for example, once a week check and notify. Maybe even send an email if configured?

_________________
Official Cacti Developer

Cacti Resources:
Cacti Website (including releases)
Cacti Issues
Cacti Development Releases
Cacti Development Documentation

My resources:
How to submit Pull Requests
Development Wiki and How To's
Updated NetSNMP Memory template for Cacti 1.x
Cisco SFP template for Cacti 0.8.8


Post subject: Re: Cryptocurrency Miner Spread via PHP Weathermap Vulnerability
PostPosted: Thu Apr 26, 2018 2:17 pm
Cacti Guru User
Joined: Thu Sep 16, 2004 5:53 am
Posts: 5323
Location: United Kingdom
https://forums.cacti.net/viewtopic.php?f=19&t=15176

There used to be a 'version_url' field in the version info (old version of the INFO file).

You send it your version, and it returns a current version and also a message (so the server-side can be a simple two-line php script, or something that's a bit cleverer and presents the right parts of a changelog).

Because the update part was a plugin itself (on top of what at the time was an optional plugin architecture), it didn't get much use, but it was really easy to add support. I had it in all of the small plugins I made then.

Post subject: Re: Cryptocurrency Miner Spread via PHP Weathermap Vulnerability
PostPosted: Fri Apr 27, 2018 4:28 am
Cacti Guru User
Joined: Sun Aug 27, 2017 12:05 am
Posts: 2592
The links on that page just go back to a blog but as it was cigamit posting, he may still have the sources. Either that or I just implement my own way of doing it.

Post subject: Re: Cryptocurrency Miner Spread via PHP Weathermap Vulnerability
PostPosted: Fri Apr 27, 2018 5:07 am
Cacti Guru User
Joined: Thu Sep 16, 2004 5:53 am
Posts: 5323
Location: United Kingdom
His http client was pretty sketchy to be honest (didn't follow redirects, didn't do ssl, didn't understand proxies). Something that uses the php curl functions would be a lot more reliable.

The basic idea though was:

Fetch from $version_url . "?fetch=version&plugin=$plugin_name" to get the current version number (only)

Fetch from $version_url . "?fetch=changes&plugin=$plugin_name" to get the changelog

I think it might be better to do this instead, to allow people to use different versioning schemes:

Fetch from $version_url . "?action=check&plugin=$plugin_name&my_version=0.97" returns true or false

Fetch from $version_url . "?action=changes&plugin=$plugin_name&my_version=0.97" returns relevant changes and potentially more information

Now Cacti doesn't have to understand the versioning scheme, and the changelog can be optimised for the changes between version A and B, rather than all-time. Weathermap's all-time changelog is enormous, for example.

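The check protocol Howie sketches in the post above, together with the INFO-file version URL TheWitness proposes a few posts earlier, as an added client example (editor-supplied code, not Cacti's, Weathermap's or the old Update plugin's). It assumes a `$version_url` taken from the plugin's INFO file, the `action=check` / `action=changes` query parameters and a literal `true`/`false` answer from the server, and adds the redirect, TLS and proxy handling the post says the old client lacked.

```php
<?php
// Added example, not Cacti or Weathermap code: a client for the check scheme Howie
// describes, on the php curl functions he recommends. Assumed from the thread:
// GET $version_url?action=check&plugin=..&my_version=.. answers "true"/"false",
// action=changes answers with changelog text. Needs PHP 7.1+ and ext-curl.
function plugin_version_query(string $version_url, string $action, string $plugin,
                              string $my_version, string $proxy = ''): ?string {
    $url = $version_url . '?' . http_build_query(   // proper URL-encoding of parameters
        ['action' => $action, 'plugin' => $plugin, 'my_version' => $my_version]);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FOLLOWLOCATION  => true,            // the old client did not follow redirects
        CURLOPT_MAXREDIRS       => 3,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS, // https only, before and after redirects
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_SSL_VERIFYPEER  => true,            // the old client did not do ssl at all
        CURLOPT_SSL_VERIFYHOST  => 2,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 10,              // a slow update server must not stall the UI
    ]);
    if ($proxy !== '') {
        curl_setopt($ch, CURLOPT_PROXY, $proxy);    // the old client ignored proxies
    }
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    // Anything but a small 200 response is "unknown", never "update available".
    return ($body === false || $code !== 200 || strlen($body) > 65536) ? null : $body;
}

// true = newer version exists, false = current, null = could not tell.
// Compared as strings on purpose: in PHP the string "false" is truthy.
function plugin_update_available(string $version_url, string $plugin,
                                 string $my_version, string $proxy = ''): ?bool {
    $body = plugin_version_query($version_url, 'check', $plugin, $my_version, $proxy);
    if ($body === null) return null;
    $answer = strtolower(trim($body));
    return $answer === 'true' ? true : ($answer === 'false' ? false : null);
}

// Changelog for the plugin management page. The text comes from a remote
// server, so it is escaped before it is rendered in Cacti's UI.
function plugin_changes_html(string $version_url, string $plugin,
                             string $my_version, string $proxy = ''): string {
    $body = plugin_version_query($version_url, 'changes', $plugin, $my_version, $proxy);
    return $body === null ? ''
        : nl2br(htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}
```

Because the server owns the comparison, the client never parses version strings, which is the point of the `my_version` variant: a plugin may use any versioning scheme and the changelog can cover only the versions between the installed one and the current one.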


 
Post subject: Re: Cryptocurrency Miner Spread via PHP Weathermap Vulnerability
PostPosted: Fri Apr 27, 2018 5:51 am
Cacti Guru User
Joined: Sun Aug 27, 2017 12:05 am
Posts: 2592
I think we've kind of derailed this topic, so rather than continue to discuss this here, let's get an issue opened to track it properly, and then we can see which milestone to put this in. I think it's a good idea.

Post subject: Re: Cryptocurrency Miner Spread via PHP Weathermap Vulnerability
PostPosted: Fri Apr 27, 2018 7:15 am
Cacti User
Joined: Fri Feb 10, 2017 2:45 pm
Posts: 263
Location: Long Island, New York, USA
This topic was kind of dead and stinking already. Glad to see something very positive did come out of it though.
