lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 6 May 2010 23:18:06 +0200
From: Alberto Trivero <a.trivero@...discover.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Bonsai Information Security - OS Command
	Injection in Cacti <= 0.8.7e

Misunderstanding clarified: two different vulns. ;)

Alberto Trivero


Il giorno 22/apr/10, alle ore 22:25, Alberto Trivero ha scritto:

> In what should differ the vulnerability you discovered from the one  
> I've published nearly FIVE years ago?
>
> http://osvdb.org/show/osvdb/17539
>
> It would be nice if you share some more details.
> As is, it sounds like a copy to me.
>
> Greetings.
>
> Alberto Trivero
>
>
>
> Il giorno 22/apr/10, alle ore 04:45, Bonsai Information Security  
> Advisories ha scritto:
>
>> OS Command Injection in Cacti
>> =============================
>> http://www.bonsai-sec.com/en/research/vulnerability.php
>> =============================
>>
>>
>> 1. Advisory Information
>>
>> Advisory ID: BONSAI-2010-0105
>> Date published: 2010-04-21
>> Vendors contacted: Cacti
>> Release mode: Coordinated release
>>
>>
>> 2. Vulnerability Information
>>
>> Class: Injection
>> Remotely Exploitable: Yes
>> Locally Exploitable: Yes
>> CVE Name: To be Defined
>>
>>
>> 3. Software Description
>>
>> Cacti is a complete network graphing solution designed to harness the
>> power of RRDTool's data storage and graphing functionality. Cacti
>> provides a fast poller, advanced graph templating, multiple data
>> acquisition methods, and user management features out of the box.  
>> All of
>> this is wrapped in an intuitive, easy to use interface that makes  
>> sense
>> for LAN-sized installations up to complex networks with hundreds of
>> devices [0]
>>
>>
>> 4. Vulnerability Description
>>
>> Injection flaws, such as SQL, OS, and LDAP injection, occur when
>> untrusted data is sent to an interpreter as part of a command or  
>> query.
>> The attacker’s hostile data can trick the interpreter into executing
>> unintended commands or accessing unauthorized data.
>>
>> For additional information please read [1] (A1 - Injection)
>>
>>
>> 5. Vulnerable packages
>>
>> Version <= 0.8.7e
>>
>>
>> 6. Non-vulnerable packages
>>
>> New version is not available. In order to mitigate the OS Command
>> Injection, the administrators of Cacti should trust the user who  
>> has the
>> privileges to access to the vulnerable parts of the application. New
>> point release of Cacti would resolve this specific issue.
>>
>>
>> 7. Credits
>>
>> This vulnerability was discovered by Nahuel Grisolia ( nahuel -at-
>> bonsai-sec.com ).
>>
>>
>> 8. Technical Description
>>
>> 8.1 OS Command Injection
>>
>> CVSSv2 Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
>>
>> Cacti is prone to a remote command execution vulnerability because  
>> the
>> software fails to adequately sanitize user-suplied input. Successful
>> attacks can compromise the affected software and possibly the  
>> operating
>> system running Cacti.
>>
>> The vulnerability can be triggered by any user doing:
>>
>> 1) Edit or Create a Device with FQDN  
>> ‘NotARealIPAddress;CMD;’ (without
>> single quotes) and Save it. Edit the Device again and reload any data
>> query already created. CMD will be executed with Web Server rights.
>>
>> 2) Edit or Create a Graph Template and use as Vertical Label
>> ‘BonsaiSecLabel";CMD; "’ (without single quotes) and Save it. Go to
>> Graph Management section and Select it. CMD will be executed with Web
>> Server rights. Note that other properties of a Graph Template might  
>> also
>> be affected.
>>
>>
>> 9. Report Timeline
>>
>> 2010-04-03:
>> Vulnerabilities were identified.
>> 2010-04-06:
>> Vendor Contacted
>> 2010-04-17:
>> Vendor released a mitigation plan
>> 2010-04-21:
>> The advisory BONSAI-2010-0105 is published.
>>
>>
>> 10. References
>>
>> [0] http://www.cacti.net/
>>
>> [1] http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
>>
>>
>> 11. About Bonsai
>>
>> Bonsai is a company involved in providing professional computer
>> information security services. Currently a sound growth company,  
>> since
>> its foundation in early 2009 in Buenos Aires, Argentina, we are fully
>> committed to quality service, and focused on our customers real  
>> needs.
>>
>>
>> 12. Disclaimer
>>
>> The contents of this advisory are copyright (c) 2010 Bonsai  
>> Information
>> Security, and may be distributed freely provided that no fee is  
>> charged
>> for this distribution and proper credit is given.
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists