
When guest users have access to realtime graphs, remote code could be executed (CVE-2020-8813) #3285

Closed
netniV opened this issue Feb 23, 2020 · 3 comments
Labels: bug (Undesired behaviour), resolved (A fixed issue), SECURITY (A security issue reported through CVE)
Milestone: 1.2.10

Comments


netniV commented Feb 23, 2020

Describe the bug
Mohammad Askar of iSecurity has reported that graph_realtime.php prior to 1.2.10 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie if a guest user has the graph real-time privilege.

To Reproduce
Steps to reproduce the behavior:

  1. Enable the guest account
  2. Ensure the guest account has full access to realtime graphs
  3. Change the 'Cacti' cookie to have malformed characters which could run a script.

Expected behavior
The raw output of the cookie should be treated as insecure and as such, a validated version of the value utilised.

Additional context
This was reported as CVE-2020-8813

@netniV netniV added the bug (Undesired behaviour), resolved (A fixed issue) and SECURITY (A security issue reported through CVE) labels Feb 23, 2020
@netniV netniV added this to the 1.2.10 milestone Feb 23, 2020
@netniV netniV self-assigned this Feb 23, 2020

netniV commented Feb 23, 2020

This is a low risk exploit as the default Cacti configuration is set such that the Guest account is disabled, the Guest account has no access to realtime graphs under permissions and the guest template user is not set.

It should also be noted that this issue only seems to affect PHP versions before 7.2, and as such that again mitigates the likelihood of this being exploited.

However, should someone running PHP 7.1 or earlier enable access to realtime graphs for guest users (which is against the recommendations of the group), it would be possible to craft a malicious packet that could be executed unwittingly.

The main reason for this is a lack of escaping around the session_id() when assigned to the poller id whilst building the command to run poller_realtime.php. The simple fix was to hash the value so that it generated a reasonably unique poller id that couldn't execute code.

This fix has already been verified by @mhasker before posting his findings.
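An added example, not Cacti's own code, of the hardening the comment above describes: the raw session id is hashed before it becomes the poller id, and the result is checked against the shape the hash guarantees before any command line is assembled. The function names, the command shape and the paths are assumptions.

```php
<?php
// Added example (not Cacti's own code): derive a poller id for the realtime
// poller from the PHP session id without letting the raw cookie value reach
// the shell. Mirrors the fix described in the issue: hash the session id.

declare(strict_types=1);

// Only ever hand a hex digest to the command line. Assumed function name.
function realtimePollerId(string $sessionId): string
{
    // md5 output is always 32 lowercase hex chars, so no shell metacharacter
    // carried in the cookie can survive into the argument.
    return md5($sessionId);
}

// Defensive check before building the command: the id must be exactly the
// shape realtimePollerId() produces. Assumed helper.
function isSafePollerId(string $pollerId): bool
{
    return preg_match('/^[0-9a-f]{32}$/', $pollerId) === 1;
}

// Assemble the command as the realtime page might (assumed shape), with the
// argument additionally wrapped by escapeshellarg() as belt and braces.
function buildRealtimeCommand(string $phpBinary, string $pollerScript, string $sessionId): string
{
    $pollerId = realtimePollerId($sessionId);
    if (!isSafePollerId($pollerId)) {
        throw new RuntimeException('refusing to run poller with unexpected poller id');
    }
    return escapeshellcmd($phpBinary) . ' ' . escapeshellarg($pollerScript)
        . ' --poller-id=' . escapeshellarg($pollerId);
}

// Constructed sample values: a normal-looking session id and one carrying
// characters that, per the issue, a PHP before 7.2 would still have accepted
// from the cookie. Both yield a hex-only poller id on the command line.
$samples = ['a1b2c3d4e5f6', 'guest value with spaces & punctuation'];
foreach ($samples as $sid) {
    $cmd = buildRealtimeCommand('/usr/bin/php', '/var/www/cacti/poller_realtime.php', $sid);
    printf("%s\n", $cmd);
}
```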

netniV added a commit that referenced this issue Feb 23, 2020
… executed (CVE-2020-8813)

This is a low risk exploit as the default Cacti configuration is set such that the Guest account is disabled, the Guest account has no access to realtime graphs under permissions and the guest template user is not set.

It should also be noted that this issue only seems to affect PHP versions before 7.2, and as such that again mitigates the likelihood of this being exploited.

However, should someone running PHP 7.1 or earlier enable access to realtime graphs for guest users (which is against the recommendations of the group), it would be possible to craft a malicious packet that could be executed unwittingly.

The main reason for this is a lack of escaping around the session_id() when assigned to the poller id whilst building the command to run poller_realtime.php. The simple fix was to hash the value so that it generated a reasonably unique poller id that couldn't execute code.

This fix has already been verified by @mhasker before posting his findings.

Closes #3285
@netniV netniV closed this as completed Feb 23, 2020
@atluxity

Exploit for this vulnerability is now public.


netniV commented Feb 23, 2020

Yes, it is. I was hoping they were going to create the issue, but as they hadn't and the exploit is out there, I thought it best to do so myself. The fortunate thing is most people would never have real-time access enabled for guests, nor the guest account active. Failing that, you'd have to be a malicious admin to make use of the exploit, as you need to be able to adjust the realm permissions for the guest user.

@github-actions github-actions bot locked and limited conversation to collaborators Jun 30, 2020