You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Describe the bug
An input validation error found in Boost Debug Log field leads to Remote Code Execution.
To Reproduce
Steps to reproduce the behavior:
Navigate to Console -> Configuration -> Settings -> Performance
In Boost Debug Log field, type in the payload: --verbose; cat /etc/passwd > rce.txt
Save. Even the $input_whitelisting in config.php is ON, it would still accept this payload.
Wait a little bit until new polling cycle gets fetched. Navigate to http://cacti/rce.txt to see /etc/passwd content.
Screenshots
Payload
Successfully saved the payload
/etc/passwd content
Root cause
Not like other fields in Configuration tab, Boost Debug Log would still be saved even if the input contains special characters.
Tracing back to server log, I observed that this is being handled by poller_automation.php where it gets fetched by the poller process.
Taking a look at the poller_automation.php, I observed that there are 5 different arguments that can be used to passed into its command. Hence, we can use either --debug, --force, --verbose, --version, or --help to pass into Boost Debug Log field.
After crafting a payload, the script will look like: /bin/php <path>/poller_automation.php --verbose; cat /etc/passswd > rce.txt where it gets fetched by the new poller process and create rce.txt in webroot.
Remediation
Apply a check on this field (i.e: input length, input characters)
If this field is supposed to take these mentioned arguments, create a drop-down menu instead of string field if possible.
Please let me know if you need any further information.
Chi Tran
The text was updated successfully, but these errors were encountered:
netniV
changed the title
Vulnerability Report: Remote Code Execution due to input validation in Performance Boost Debug Log
Remote Code Execution due to input validation failure in Performance Boost Debug Log (CVE-2020-7237)
Feb 10, 2020
Describe the bug
An input validation error found in Boost Debug Log field leads to Remote Code Execution.
To Reproduce
Steps to reproduce the behavior:
--verbose; cat /etc/passwd > rce.txt
http://cacti/rce.txt
to see /etc/passwd content.Screenshots
Payload
Successfully saved the payload
/etc/passwd content
Root cause
/bin/php <path>/poller_automation.php --verbose; cat /etc/passswd > rce.txt
where it gets fetched by the new poller process and create rce.txt in webroot.Remediation
Please let me know if you need any further information.
Chi Tran
The text was updated successfully, but these errors were encountered: