cactiSQL086e-bypass.txt
Posted Jul 7, 2005
Authored by Stefan Esser

Cacti versions 0.8.6e and below suffer from a bypass vulnerability.

tags | advisory, bypass
SHA-256 | 37222644fbba63cb60c1d66e20630458bb9114e3b3461b0895e9c3de90a9d540

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hardened - PHP Project
www.hardened-php.net

-= Security Advisory =-



Advisory: Cacti Authentication/Addslashes Bypass Vulnerability
Release Date: 2005/07/01
Last Modified: 2005/07/01
Author: Stefan Esser [sesser@hardened-php.net]

Application: Cacti <= 0.8.6e
Severity: An HTTP headers bypass switch can also be used
to completely bypass Cacti's authentication system.
As admin it is possible to execute shell commands
with the permissions of the webserver.
Risk: Critical
Vendor Status: Vendor has released an updated version
References: http://www.hardened-php.net/advisory-052005.php


Overview:

Quote from http://www.cacti.net
"Cacti is a complete network graphing solution designed to harness
the power of RRDTool's data storage and graphing functionality.
Cacti provides a fast poller, advanced graph templating, multiple
data acquisition methods, and user management features out of the
box. All of this is wrapped in an intuitive, easy to use interface
that makes sense for LAN-sized installations up to complex
networks with hundreds of devices."

While reviewing the Cacti source, an HTTP headers bypass switch
was discovered that also switches off the call to session_start()
and the manual application of addslashes() that Cacti performs
when magic_quotes_gpc=Off.

When register_globals is turned on* an attacker can use this
switch to disable Cacti's use of PHP's session support and
therefore supply the session variables himself, e.g. through
the URL. Additionally, using the switch renders several SQL
statements vulnerable to SQL injection attacks when
magic_quotes_gpc is turned off, which is the recommended setting.

Logged in as an admin it is possible to issue shell commands.

(*) register_globals is turned off by default since PHP 4.2 but
is activated on most servers because of older scripts requiring it.


Details:

Within "config.php" there is code to suppress the output of
several HTTP headers that are normally sent for caching purposes.
This is controlled by the 'no_http_headers' switch. When
register_globals is on, a potential attacker can set this switch,
e.g. through one of the URL variables.

if ((isset($no_http_headers) ? $no_http_headers : false) != true) {
    /* we don't want these pages cached */
    header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
    ...
    header("Pragma: no-cache");

    /* initialize php session */
    session_start();

    /* detect and handle get_magic_quotes */
    if (!get_magic_quotes_gpc()) {
        function addslashes_deep($value) {
            $value = is_array($value) ? array_map('addslashes_deep',
                $value) : addslashes($value);
            return $value;
        }

        $_POST = array_map('addslashes_deep', $_POST);
        $_GET = array_map('addslashes_deep', $_GET);
        $_COOKIE = array_map('addslashes_deep', $_COOKIE);
    }
    ...
}

The problem is that not calling session_start() also means
the _SESSION superglobal is never created, so with
register_globals it becomes possible to overwrite
_SESSION["sess_user_id"] or other session variables from the request.

This means that any request that comes with, e.g., a

Cookie: _SESSION[sess_user_id]=1;no_http_headers=1;

will automatically be logged in as user 1 (which is usually the
admin).

On the other hand it is quite obvious that the no_http_headers
switch disables the automatic addslashes() on _GET, _POST
and _COOKIE, which can lead e.g. to SQL injection in the login
form when magic_quotes_gpc is turned off, which is the
recommended setting.
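The following is an added example for this advisory, not Cacti's own code, showing how the quoted config.php prologue can be restructured so that a header-suppression switch can no longer disable session initialisation or input escaping. It assumes a hypothetical constant CACTI_NO_HTTP_HEADERS that an including script defines when it legitimately needs no cache headers, PHP >= 5.4 for session_status(), and that the login code stores sess_user_id as an integer; get_magic_quotes_gpc() only exists up to PHP 7.4 and is guarded accordingly.

```php
<?php
/* Hardened replacement for the config.php prologue quoted above.
 * Added example, not Cacti's code. See the lead-in for the assumptions. */

/* 1. The switch is a constant, never a variable. A constant can only be set
 *    by code, so register_globals=On can no longer turn a request parameter
 *    such as ?no_http_headers=1 into a control flag. */
$suppress_headers = defined('CACTI_NO_HTTP_HEADERS') && CACTI_NO_HTTP_HEADERS === true;

if (!$suppress_headers) {
    /* we don't want these pages cached */
    header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
    header("Cache-Control: no-store, no-cache, must-revalidate");
    header("Pragma: no-cache");
}

/* 2. Session initialisation is unconditional and happens before any input is
 *    consulted, so $_SESSION is always the server-side session array and can
 *    never be pre-filled from a cookie or URL parameter. */
session_start();

/* 3. Input escaping no longer shares an if-block with the header switch.
 *    addslashes() is the advisory-era mitigation; prepared statements are the
 *    real fix and make this block unnecessary. */
if (function_exists('get_magic_quotes_gpc') && !get_magic_quotes_gpc()) {
    function addslashes_deep($value) {
        return is_array($value) ? array_map('addslashes_deep', $value)
                                : addslashes($value);
    }
    $_POST   = array_map('addslashes_deep', $_POST);
    $_GET    = array_map('addslashes_deep', $_GET);
    $_COOKIE = array_map('addslashes_deep', $_COOKIE);
}

/* 4. Every authentication check goes through one function that refuses to
 *    trust $_SESSION unless a session is really active and the user id has
 *    the type the login code writes (integer, assumed here). A request-
 *    injected $_SESSION array fails both tests. */
function current_user_id() {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        return null;   /* no real session: nobody is logged in */
    }
    if (!isset($_SESSION['sess_user_id']) || !is_int($_SESSION['sess_user_id'])) {
        return null;   /* missing or tampered value */
    }
    return $_SESSION['sess_user_id'];
}

function require_login() {
    if (current_user_id() === null) {
        header('Location: index.php');   /* assumed login page path */
        exit;
    }
}
```

The design point is separation of concerns: header output, session start and input handling are three independent decisions, and only the first one is allowed to be switched off at all. Because the switch is a constant, nothing that arrives in $_GET, $_POST or $_COOKIE can reach it regardless of the register_globals setting.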

Logged in as an admin the attacker can execute arbitrary
shell commands, e.g. by changing the path to rrdtool in the
configuration to commands of his choice and then triggering it
by viewing a graph.

Because of this register_globals=On problem we recommended that
the Cacti developers add a register_globals deregistration layer
to Cacti. This is usually a recommendation from us to everyone
writing PHP applications, because programmers that use the _GET,
_POST and _COOKIE superglobals are often under the wrong assumption
that their code will only run on servers with register_globals
turned off, and still do not initialise their variables properly.
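As an added example of the deregistration layer recommended above (not Cacti's code and not the Hardened-PHP Project's), the function below removes every global variable that register_globals created from the request. It assumes it is included as the very first statement of each entry script, before session_start() and before any script variable is read; on PHP >= 5.4, where register_globals no longer exists, ini_get() makes it a no-op.

```php
<?php
/* register_globals deregistration layer. Added example, not Cacti's code.
 * Must run before session_start() and before any other code touches a
 * variable; see the lead-in for the assumptions. */
function unregister_request_globals()
{
    /* Server already behaves as recommended: nothing was injected. */
    if (!ini_get('register_globals')) {
        return 0;
    }

    /* A request carrying a GLOBALS parameter could replace the array this
     * loop relies on; refuse it outright instead of trying to clean up. */
    if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])) {
        header('HTTP/1.0 400 Bad Request');
        exit('GLOBALS overwrite attempt detected');
    }

    /* Superglobals that must survive; everything else register_globals
     * created from the request is removed. $_SESSION is deliberately not
     * protected: this runs before session_start(), so at this point a
     * $_SESSION array can only have come from the request (the
     * Cookie: _SESSION[sess_user_id]=1 case in this advisory). */
    $protected = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                       '_SERVER', '_ENV', '_FILES');

    $removed = 0;
    foreach (array($_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES) as $source) {
        foreach (array_keys($source) as $name) {
            if (in_array($name, $protected, true)) {
                continue;
            }
            if (array_key_exists($name, $GLOBALS)) {
                unset($GLOBALS[$name]);   /* e.g. $no_http_headers, $_SESSION */
                $removed++;
            }
        }
    }
    return $removed;
}

unregister_request_globals();
```

Ordering is the whole point: if this ran after session_start() it would wipe the legitimate session array, and if it ran after any script variable had been initialised from an injected value the damage would already be done. The return value (number of variables removed) is useful for logging, since a non-zero count on a production host is itself a signal that the server still has register_globals enabled.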


Proof of Concept:

The Hardened-PHP Project is not going to release exploits
for these vulnerabilities to the public.


Disclosure Timeline:

25. June 2005 - Contacted Cacti developers via email
29. June 2005 - Review of patch from our side
1. July 2005 - Release of updated Cacti and Public Disclosure


Recommendation:

We strongly recommend upgrading to Cacti 0.8.6f which you can get at

http://www.cacti.net/download_cacti.php


GPG-Key:

http://www.hardened-php.net/hardened-php-signature-key.asc

pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1


Copyright 2005 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFCxBccRDkUzAqGSqERAppnAJ9xNIh1kY7wAtKu/LysBiMHwlpJFgCg6FtK
wb123sPmzM3MRmGtc0PDb/w=
=Wk7r
-----END PGP SIGNATURE-----
