Remote Code Execution due to input validation failure in Performance Boost Debug Log (CVE-2020-7237)

[0xfatty]

Describe the bug
An input validation error found in Boost Debug Log field leads to Remote Code Execution.

To Reproduce
Steps to reproduce the behavior:

1. Navigate to Console -> Configuration -> Settings -> Performance
2. In Boost Debug Log field, type in the payload:
   --verbose; cat /etc/passwd > rce.txt
3. Save. Even the $input_whitelisting in config.php is ON, it would still accept this payload.
4. Wait a little bit until new polling cycle gets fetched. Navigate to http://cacti/rce.txt to see /etc/passwd content.

Screenshots

• Payload
  

• Successfully saved the payload
  

• /etc/passwd content
  

Root cause

• Not like other fields in Configuration tab, Boost Debug Log would still be saved even if the input contains special characters.
• Tracing back to server log, I observed that this is being handled by poller_automation.php where it gets fetched by the poller process.
• Taking a look at the poller_automation.php, I observed that there are 5 different arguments that can be used to passed into its command. Hence, we can use either --debug, --force, --verbose, --version, or --help to pass into Boost Debug Log field.
• After crafting a payload, the script will look like:
  /bin/php <path>/poller_automation.php --verbose; cat /etc/passswd > rce.txt where it gets fetched by the new poller process and create rce.txt in webroot.

Remediation

• Apply a check on this field (i.e: input length, input characters)
• If this field is supposed to take these mentioned arguments, create a drop-down menu instead of string field if possible.

Please let me know if you need any further information.

Chi Tran

[cigamit]

Should be all set now.

[0xfatty]

A CVE has been assigned for this issue.

CVE-2020-7237.

I have also committed to CHANGELOG.