----- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hardened - PHP Project www.hardened-php.net -= Security Advisory =- Advisory: Cacti Multiple SQL Injection Vulnerabilities Release Date: 2005/07/01 Last Modified: 2005/07/01 Author: Stefan Esser [sesser@hardened-php.net] Application: Cacti <= 0.8.6e Severity: Wrongly implemented user input filters lead to multiple SQL Injection vulnerabilities which can lead f.e. to disclosure of the admin password hash Risk: Critical Vendor Status: Vendor has released an updated version References: http://www.hardened-php.net/advisory-032005.php Overview: Quote from http://www.cacti.net "Cacti is a complete network graphing solution designed to harness the power of RRDTool's data storage and graphing functionality. Cacti provides a fast poller, advanced graph templating, multiple data acquisition methods, and user management features out of the box. All of this is wrapped in an intuitive, easy to use interface that makes sense for LAN-sized installations up to complex networks with hundreds of devices." Because it is usually fun to audit software which was previously audited by experts from iDEFENSE I scanned through their reported vulnerabilities and found that most are not properly fixed. Details: With the recent release of iDEFENSE's Cacti advisories version 0.8.6e of Cacti was released which according to iDEFENSE fixes all reported flaws. But this is not true. However the user input filters that were added to the Cacti codebase to address the possible SQL Injections are wrongly implemented and therefore can be tricked to let attackers through. To demonstrate the problem here a snipset of "graph.php" /* ================= input validation ================= */ input_validate_input_regex(get_request_var("rra_id"), "^([0-9]+|all)$"); input_validate_input_number(get_request_var("local_graph_id")); /* ==================================================== */ if ($_GET["rra_id"] == "all") { $sql_where = " where id is not null"; }else{ $sql_where = " where id=" . $_GET["rra_id"]; } On the first look this code looks safe, because it checks that the 'rra_id' request parameter is either a number or the string "all" before inserting it into a part of the SQL Query. To realize that this check is however worth nothing one has to dig deeper and look into the implementation of get_request_var() function get_request_var($name, $default = "") { if (isset($_REQUEST[$name])) { return $_REQUEST[$name]; } else { return $default; } } This actually means that the filter in this example is applied to the content of $_REQUEST["rra_id"] and not to $_GET["rra_id"]. The problem with this is, that $_REQUEST is a merged version of the $_GET, $_POST and $_COOKIE arrays and therefore array keys of the same name will overwrite each other in $_REQUEST. In the default configuration of PHP which is usually not changed by anyone the merge order is GPC. This means when the request contains both $_GET["rra_id"] and $_POST["rra_id"], only the posted value will end up in the $_REQUEST array. This however means, that nearly all of the implemented filters can be bypassed by supplying the attack string through the URL and supplying a good string through POST or through the COOKIE. Proof of Concept: The Hardened-PHP Project is not going to release exploits for this vulnerabilities to the public. Disclosure Timeline: 25. June 2005 - Contacted Cacti developers via email 29. June 2005 - Review of patch from our side 1. July 2005 - Release of updated Cacti and Public Disclosure Recommendation: We strongly recommend upgrading to Cacti 0.8.6f which you can get at http://www.cacti.net/download_cacti.php GPG-Key: http://www.hardened-php.net/hardened-php-signature-key.asc pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1 Copyright 2005 Stefan Esser. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQFCw7lBRDkUzAqGSqERAiBrAJ0T3FlbaBFsZ2qP8ksVNchBhW6KcgCgjVfg oeCyHNmE0aB6tHUE1QeL7As= =IswA -----END PGP SIGNATURE----- ----- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hardened - PHP Project www.hardened-php.net -= Security Advisory =- Advisory: Cacti Remote Command Execution Vulnerability Release Date: 2005/07/01 Last Modified: 2005/07/01 Author: Stefan Esser [sesser@hardened-php.net] Application: Cacti <= 0.8.6e Severity: Wrongly implemented user input filters allows injection of user input into executed commandline Risk: Critical Vendor Status: Vendor has released an updated version References: http://www.hardened-php.net/advisory-042005.php Overview: Quote from http://www.cacti.net "Cacti is a complete network graphing solution designed to harness the power of RRDTool's data storage and graphing functionality. Cacti provides a fast poller, advanced graph templating, multiple data acquisition methods, and user management features out of the box. All of this is wrapped in an intuitive, easy to use interface that makes sense for LAN-sized installations up to complex networks with hundreds of devices." Alberto Trivero posted his Remote Command Execution Exploit for Cacti <= 0.8.6d to Bugtraq on the 22th June. Having analysed his bug I come to the conclusion, that the malfunctioning input filters, which were already mentioned in the previous advisory are also responsible for this bug still being exploitable. Details: With the recent release of Cacti 0.8.6e a number of user input filters were added to the codebase to prevent a number of SQL Injection problems. However these user input filters that made Alberto Trivero believe, that his remote command execution vulnerability was also fixed, are wrongly implemented and therefore can be bypassed to execute arbitrary commands on the webserver. To demonstrate the problem here a snipset of "graph_image.php" /* ================= input validation ================= */ input_validate_input_number(get_request_var("graph_start")); input_validate_input_number(get_request_var("graph_end")); input_validate_input_number(get_request_var("graph_height")); input_validate_input_number(get_request_var("graph_width")); input_validate_input_number(get_request_var("local_graph_id")); input_validate_input_number(get_request_var("rra_id")); /* ==================================================== */ ... /* override: graph start time (unix time) */ if (!empty($_GET["graph_start"])) { $graph_data_array["graph_start"] = $_GET["graph_start"]; } ... print rrdtool_function_graph($_GET["local_graph_id"], $_GET["rra_id"], $graph_data_array); On the first look this code looks like it has fixed the remote command execution vulnerability through the 'graph_*' request parameters, because it requires them to be a number before passing them to the rrdtool. To realize that this check is however worth nothing one has to dig deeper and look into the implementation of get_request_var() function get_request_var($name, $default = "") { if (isset($_REQUEST[$name])) { return $_REQUEST[$name]; } else { return $default; } } This actually means that the filter in this example is applied to the content of $_REQUEST["graph_start"] instead of $_GET["graph_start"]. The problem with this is, that $_REQUEST is a merged version of the $_GET, $_POST and $_COOKIE arrays and therefore array keys of the same name will overwrite each other in $_REQUEST. In the default configuration of PHP which is usually not changed by anyone the merge order is GPC. This means when the request contains both $_GET["graph_start"] and $_POST["graph_start"], only the posted value will end up in the $_REQUEST array. This however means, that an attacker can still inject shell commands by supplying the injection string through the URL and supplying a good string through POST or through the COOKIE. Proof of Concept: The Hardened-PHP Project is not going to release exploits for this vulnerabilities to the public. Disclosure Timeline: 25. June 2005 - Contacted Cacti developers via email 29. June 2005 - Review of patch from our side 1. July 2005 - Release of updated Cacti and Public Disclosure Recommendation: We strongly recommend upgrading to Cacti 0.8.6f which you can get at http://www.cacti.net/download_cacti.php GPG-Key: http://www.hardened-php.net/hardened-php-signature-key.asc pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1 Copyright 2005 Stefan Esser. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQFCw7lVRDkUzAqGSqERAuagAJwMHrKrvuTx34+lTHZGAXTDceY7kQCgloNj RXrQPznBmKak9WIoRgABdu0= =4/fa -----END PGP SIGNATURE----- ----- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hardened - PHP Project www.hardened-php.net -= Security Advisory =- Advisory: Cacti Authentification/Addslashes Bypass Vulnerability Release Date: 2005/07/01 Last Modified: 2005/07/01 Author: Stefan Esser [sesser@hardened-php.net] Application: Cacti <= 0.8.6e Severity: A HTTP headers bypass switch can also be used to completely bypass the authentification system of Cacti. As admin it is possible to execute shell commands with the permission of the webserver. Risk: Critical Vendor Status: Vendor has released an updated version References: http://www.hardened-php.net/advisory-052005.php Overview: Quote from http://www.cacti.net "Cacti is a complete network graphing solution designed to harness the power of RRDTool's data storage and graphing functionality. Cacti provides a fast poller, advanced graph templating, multiple data acquisition methods, and user management features out of the box. All of this is wrapped in an intuitive, easy to use interface that makes sense for LAN-sized installations up to complex networks with hundreds of devices." While looking at the source of Cacti a HTTP headers bypass switch was discovered, that also switches off a call to session_start() and the manual application of addslashes() in case of magic_quotes_gpc=Off. When register_globals is turned on* an attacker can use this switch to disables Cacti's use of PHP's session support and therefore supply the session variables on his own through f.e. the URL. Additionally using the switch renders several SQL statements vulnerable to SQL Injections attacks, when magic_quotes_gpc is turned off, which is the recommended setting. Logged in as an admin it is possible to issue shell commands. (*) register_globals is turned off by default since PHP 4.2 but is activated on most servers because of older scripts requiring it. Details: Within "config.php" there is code to bypass the output of several HTTP headers for caching purposes. This is controlled by the 'no_http_headers' switch. When register_globals is on a potential attacker can control this f.e. through one of the URL variables. if ((isset($no_http_headers) ? $no_http_headers : false) != true) { /* we don't want these pages cached */ header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); ... header("Pragma: no-cache"); /* initilize php session */ session_start(); /* detect and handle get_magic_quotes */ if (!get_magic_quotes_gpc()) { function addslashes_deep($value) { $value = is_array($value) ? array_map('addslashes_deep', $value) : addslashes($value); return $value; } $_POST = array_map('addslashes_deep', $_POST); $_GET = array_map('addslashes_deep', $_GET); $_COOKIE = array_map('addslashes_deep', $_COOKIE); } ... } The problem with this is, that not calling session_start() also means, that the _SESSION superglobal is never created and therefore it is possible to overwrite _SESSION["sess_user_id"] or other session variables because of register_globals. This means that any request, that comes f.e. with a Cookie: _SESSION[sess_user_id]=1;no_http_headers=1; will be automaticly logged in as user 1 (which is usually the admin). On the other hand it is quite obvious that the no_http_headers switch will disable the automatic addslashes() on _GET, _POST and _COOKIE which can lead f.e. to SQL Injections on the login formular when magic_quotes_gpc is turned off, which is the recommended setting. Logged in as an admin the attacker can execute arbitrary shell commands by f.e. changing the path to rrdtool in the configuration into commands of his choice and then triggering it by viewing a graph. Because of this register_globals=On problem we recommendend that the Cacti developers add a register_globals deregistration layer to Cacti. This is usually a recommendation from us to everyone writing PHP applications, because programmers that use the _GET, _POST and _COOKIE superglobals are often under the wrong assumption, that their code will only run on servers with register_globals turned off and still do not initialise their variables properly. Proof of Concept: The Hardened-PHP Project is not going to release exploits for this vulnerabilities to the public. Disclosure Timeline: 25. June 2005 - Contacted Cacti developers via email 29. June 2005 - Review of patch from our side 1. July 2005 - Release of updated Cacti and Public Disclosure Recommendation: We strongly recommend upgrading to Cacti 0.8.6f which you can get at http://www.cacti.net/download_cacti.php GPG-Key: http://www.hardened-php.net/hardened-php-signature-key.asc pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1 Copyright 2005 Stefan Esser. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQFCw7lvRDkUzAqGSqERAsxNAJ0byMtFg7JQlQNseTvGJ8ZwgHchJwCfYE8p NqBbNNb6NX2rQakPT/V/Ej0= =R8VT -----END PGP SIGNATURE-----
Lance please be ready to bump.
Will do, author already prepped me for another update in an email.
The author released the new version. I'm in the process of testing the new version and marking it unstable for all the archs. I think we're ready to open this to the public and add the archs here in a bit.
btw, I committed the new version as ~arch.
*** Bug 97683 has been marked as a duplicate of this bug. ***
Stable on SPARC.
Ready to release, as a GLSA update
Security please review GLSA updates ASAP.
GLSA 200506-20 update sent