Remote Code Execution due to input validation failure in Performance Boost Debug Log (CVE-2020-7237) #3201
Description
Describe the bug
An input validation error found in Boost Debug Log field leads to Remote Code Execution.
To Reproduce
Steps to reproduce the behavior:
- Navigate to Console -> Configuration -> Settings -> Performance
- In Boost Debug Log field, type in the payload:
--verbose; cat /etc/passwd > rce.txt - Save. Even the $input_whitelisting in config.php is ON, it would still accept this payload.
- Wait a little bit until new polling cycle gets fetched. Navigate to
http://cacti/rce.txtto see /etc/passwd content.
Screenshots
-
Payload
-
Successfully saved the payload
-
/etc/passwd content
Root cause
- Not like other fields in Configuration tab, Boost Debug Log would still be saved even if the input contains special characters.
- Tracing back to server log, I observed that this is being handled by poller_automation.php where it gets fetched by the poller process.
- Taking a look at the poller_automation.php, I observed that there are 5 different arguments that can be used to passed into its command. Hence, we can use either --debug, --force, --verbose, --version, or --help to pass into Boost Debug Log field.
- After crafting a payload, the script will look like:
/bin/php <path>/poller_automation.php --verbose; cat /etc/passswd > rce.txtwhere it gets fetched by the new poller process and create rce.txt in webroot.
Remediation
- Apply a check on this field (i.e: input length, input characters)
- If this field is supposed to take these mentioned arguments, create a drop-down menu instead of string field if possible.
Please let me know if you need any further information.
Chi Tran