Cacti / cacti

Cacti ™

Home Page:http://www.cacti.net


When guest users have access to realtime graphs, remote code could be executed (CVE-2020-8813)

netniV opened this issue · comments

Describe the bug
Mohammad Askar of iSecurity has reported that graph_realtime.php prior to 1.2.10 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie if a guest user has the graph real-time privilege.

To Reproduce
Steps to reproduce the behavior:

  1. Enable the guest account
  2. Ensure the guest account has full access to realtime graphs
  3. Change the 'Cacti' cookie to have malformed characters which could run a script.

Expected behavior
The raw output of the cookie should be treated as insecure and as such, a validated version of the value utilised.

Additional context
This was reported as CVE-2020-8813.

This is a low risk exploit as the default Cacti configuration is set such that the Guest account is disabled, the Guest account has no access to realtime graphs under permissions and the guest template user is not set.

It should also be noted that this issue only seems to affect PHP versions before 7.2, and as such that again mitigates the likelihood of this being exploited.

However, should someone running PHP 7.1 or before enable access to realtime graphs for guest users (which is against the recommendations of the group), it would be possible to craft a malicious packet that could be executed unwittingly.

The main reason for this is a lack of escaping around the session_id() when it is assigned to the poller id whilst building the command to run poller_realtime.php. The simple fix was to hash the value so that it generated a reasonably unique poller id that couldn't execute code.

This fix has already been verified by @mhasker before posting his findings.
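The following PHP snippet is an added illustration of the root cause and the fix described in this issue; it is not Cacti's own code, and the function names (`build_realtime_command_unsafe`, `safe_poller_id`, `build_realtime_command`, `is_shell_safe_token`) and the `--poller=` argument are assumptions made for the example. It contrasts the pattern the issue describes (the raw session id pasted into a command string) with the hardened form, where the poller id is derived by hashing and the argument is still quoted as defence in depth.

```php
<?php
// Added example, not Cacti's code. Shows why an unhashed, unescaped session id
// in a command line is dangerous and how hashing the value removes the risk.
declare(strict_types=1);

// The pattern the issue describes: the session id goes straight into the
// command. The session id comes from the 'Cacti' cookie, so an attacker can
// choose its characters; anything the shell interprets is a problem.
// Kept here only as the "before" picture; do not use it.
function build_realtime_command_unsafe(string $phpBinary, string $script, string $sessionId): string
{
    return $phpBinary . ' ' . $script . ' --poller=' . $sessionId;
}

// Fix in the spirit of the issue: hash the session id so the poller id is a
// fixed-alphabet hex string. It stays unique per session but can no longer
// carry shell metacharacters.
function safe_poller_id(string $sessionId): string
{
    return hash('sha256', $sessionId);
}

// A cheap check a reviewer can apply to any token that will touch a shell:
// only letters, digits, dot, underscore and dash are allowed.
function is_shell_safe_token(string $token): bool
{
    return preg_match('/^[A-Za-z0-9._-]+$/', $token) === 1;
}

function build_realtime_command(string $phpBinary, string $script, string $sessionId): string
{
    $pollerId = safe_poller_id($sessionId);
    // Belt and braces: the hash is hex already, but assert it before use so
    // a future change to safe_poller_id() cannot silently weaken this path.
    if (!is_shell_safe_token($pollerId)) {
        throw new RuntimeException('poller id contains unexpected characters');
    }
    return escapeshellcmd($phpBinary) . ' '
        . escapeshellarg($script) . ' --poller=' . escapeshellarg($pollerId);
}

// Constructed session id containing a shell metacharacter (a semicolon),
// only to show that the raw value fails the check and the hashed value passes.
$untrusted = 'session;value';

var_dump(is_shell_safe_token($untrusted));                 // bool(false)
var_dump(is_shell_safe_token(safe_poller_id($untrusted))); // bool(true)
echo build_realtime_command('php', 'poller_realtime.php', $untrusted), PHP_EOL;
```

The hashed form is what the issue describes as the fix; the `is_shell_safe_token()` check and `escapeshellarg()` quoting are additional layers that cost nothing and make the intent explicit to the next reader of the code.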

Exploit for this vulnerability is now public.

Yes, it is. I was hoping they were going to create the issue but as they hadn't and the exploit is out there I thought it best to do so myself. The fortunate thing is most people would never have real time access enabled for guests, nor the guest account active. Failing that, you'd have to be a malicious admin to make use of the exploit as you need to be able to adjust the realm permissions for the guest user.