Full Disclosure mailing list archives
Re: Bonsai Information Security - OS Command Injection in Cacti <= 0.8.7e
From: Alberto Trivero <a.trivero () secdiscover com>
Date: Thu, 6 May 2010 23:18:06 +0200
Misunderstanding clarified: two different vulns. ;)

Alberto Trivero

On 22 Apr 2010, at 22:25, Alberto Trivero wrote:

How should the vulnerability you discovered differ from the one I published nearly FIVE years ago?

http://osvdb.org/show/osvdb/17539

It would be nice if you share some more details. As is, it sounds like a copy to me.

Greetings.

Alberto Trivero

On 22 Apr 2010, at 04:45, Bonsai Information Security Advisories wrote:

OS Command Injection in Cacti
=============================
http://www.bonsai-sec.com/en/research/vulnerability.php
=============================

1. Advisory Information

Advisory ID: BONSAI-2010-0105
Date published: 2010-04-21
Vendors contacted: Cacti
Release mode: Coordinated release

2. Vulnerability Information

Class: Injection
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: To be Defined

3. Software Description

Cacti is a complete network graphing solution designed to harness the power of RRDTool's data storage and graphing functionality. Cacti provides a fast poller, advanced graph templating, multiple data acquisition methods, and user management features out of the box. All of this is wrapped in an intuitive, easy to use interface that makes sense for LAN-sized installations up to complex networks with hundreds of devices [0].

4. Vulnerability Description

Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data. For additional information please read [1] (A1 - Injection).

5. Vulnerable packages

Version <= 0.8.7e

6. Non-vulnerable packages

New version is not available. In order to mitigate the OS Command Injection, the administrators of Cacti should trust the user who has the privileges to access the vulnerable parts of the application. A new point release of Cacti would resolve this specific issue.

7. Credits

This vulnerability was discovered by Nahuel Grisolia ( nahuel -at- bonsai-sec.com ).

8. Technical Description

8.1 OS Command Injection

CVSSv2 Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)

Cacti is prone to a remote command execution vulnerability because the software fails to adequately sanitize user-supplied input. Successful attacks can compromise the affected software and possibly the operating system running Cacti.

The vulnerability can be triggered by any user doing:

1) Edit or Create a Device with FQDN 'NotARealIPAddress;CMD;' (without single quotes) and Save it. Edit the Device again and reload any data query already created. CMD will be executed with Web Server rights.

2) Edit or Create a Graph Template and use as Vertical Label 'BonsaiSecLabel";CMD; "' (without single quotes) and Save it. Go to Graph Management section and Select it. CMD will be executed with Web Server rights.

Note that other properties of a Graph Template might also be affected.

9. Report Timeline

2010-04-03: Vulnerabilities were identified.
2010-04-06: Vendor Contacted
2010-04-17: Vendor released a mitigation plan
2010-04-21: The advisory BONSAI-2010-0105 is published.

10. References

[0] http://www.cacti.net/
[1] http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

11. About Bonsai

Bonsai is a company involved in providing professional computer information security services. Currently a sound growth company, since its foundation in early 2009 in Buenos Aires, Argentina, we are fully committed to quality service, and focused on our customers' real needs.

12. Disclaimer

The contents of this advisory are copyright (c) 2010 Bonsai Information Security, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
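The two trigger paths in section 8.1 both come down to a stored field (the Device FQDN and the Graph Template vertical label) being interpolated into a command line. The following is an added illustration, not code from Cacti or from the advisory, of the defensive side: an allow-list check for the hostname field, an audit pass over stored values, and building the rrdtool invocation as an argv list so the label is never re-parsed by a shell. The field names and sample rows are constructed for the example.

```python
import re

# Strict RFC 1123 hostname (labels of letters, digits, hyphens) or dotted-quad IPv4.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)
_IPV4_RE = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"
)

# Characters that change meaning once a value is pasted into a shell command string.
_SHELL_META = set(";|&$`\"'<>()\n\r\\")


def is_valid_device_hostname(value: str) -> bool:
    """Allow-list check for the Device FQDN field: a hostname or IPv4 address only."""
    return bool(_HOSTNAME_RE.match(value) or _IPV4_RE.match(value))


def contains_shell_metachars(value: str) -> bool:
    """Deny-list check, useful when auditing values that are already stored."""
    return any(ch in _SHELL_META for ch in value)


def rrdtool_graph_argv(out_png: str, vertical_label: str) -> list:
    """Build the rrdtool command as an argv list (to be run without a shell).
    The label travels as one literal argument, so quotes or ';' inside it
    cannot terminate the argument and start a second command."""
    return ["rrdtool", "graph", out_png, "--vertical-label", vertical_label]


def audit_stored_values(rows):
    """Flag stored (field, value) pairs that would be unsafe to interpolate
    into a shell string: bad hostnames, or labels carrying shell metacharacters."""
    findings = []
    for field, value in rows:
        if field == "hostname" and not is_valid_device_hostname(value):
            findings.append((field, value))
        elif field == "vertical_label" and contains_shell_metachars(value):
            findings.append((field, value))
    return findings


if __name__ == "__main__":
    # Constructed sample rows, modelled on the two payload shapes described above.
    sample = [
        ("hostname", "router1.example.net"),
        ("hostname", "NotARealIPAddress;CMD;"),
        ("vertical_label", "bits per second"),
        ("vertical_label", 'BonsaiSecLabel";CMD; "'),
    ]
    for field, value in audit_stored_values(sample):
        print(f"suspicious {field}: {value!r}")
```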