SA23528: cacti: "cmd.php" Command Execution and SQL Injection

Debian Bug report logs - #404818
SA23528: cacti: "cmd.php" Command Execution and SQL Injection

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Alex de Oliveira Silva <enerv@host.sk>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: SA23528: cacti: "cmd.php" Command Execution and SQL Injection

Date: Thu, 28 Dec 2006 09:27:17 -0300

Package: cacti
Version: 0.8.6i-2
Severity: important
Tags: security

rgod has discovered three vulnerabilities in Cacti, which can be exploited by malicious people to bypass certain security restrictions, manipulate data and 
compromise vulnerable systems.

1) The cmd.php script does not properly restrict access to command line usage and is installed in a web-accessible location.

Successful exploitation requires that "register_argc_argv" is enabled.

2) Input passed in the URL to cmd.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting 
arbitrary SQL code.

Successful exploitation requires that "register_argc_argv" is enabled.

3) The results from the SQL queries in 2) in cmd.php are not properly sanitised before being used as shell commands. This can be exploited to inject arbitrary 
shell commands.

The vulnerabilities are confirmed in version 0.8.6i. Other versions may also be affected.

Solution:
Move the "cmd.php" script to a not web-accessible path, and update other scripts accordingly.

Edit the source code to ensure that input is properly sanitised.

http://secunia.com/advisories/23528/


Regards,
--
   .''`.  
  : :' :    Alex de Oliveira Silva | enerv
  `. `'     www.enerv.net
    `- 

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-486
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)

Message #10 received at 404818@bugs.debian.org (full text, mbox, reply):

From: sean finney <seanius@debian.org>

To: Alex de Oliveira Silva <enerv@host.sk>, 404818@bugs.debian.org

Cc: control <control@bugs.debian.org>

Subject: Re: Bug#404818: SA23528: cacti: "cmd.php" Command Execution and SQL Injection

Date: Thu, 28 Dec 2006 14:38:38 -0800

[Message part 1 (text/plain, inline)]

tags 404818 help
thanks

hi,

these are probably all relevant to the cacti in etch/sid, and probably
sarge too.  it's been too far down on my priority queue to talk to
upstream about this but i've suspected such problems for a while,
because the design is one of those "everything in the web dir" which has
exactly these kinds of problems with it.

anyway, i could use some help preparing an update for this, i almost
certainly won't have time between now and new years, more likely until
some time in the middle of january.


	sean

[signature.asc (application/pgp-signature, inline)]

Message #17 received at 404818@bugs.debian.org (full text, mbox, reply):

From: Edward Shornock <debbugs@crazeecanuck.homelinux.net>

To: Debian Bug Tracking System <404818@bugs.debian.org>

Subject: cacti: serious bug

Date: Mon, 8 Jan 2007 04:34:08 -0500

[Message part 1 (text/plain, inline)]

Package: cacti
Followup-For: Bug #404818
severity 404818 critical
tags 404818 + security sarge etch sid 

An associate of mine was bit by this problem and his box was rooted.
According to the secunia site (http://secunia.com/advisories/23528),
this problem has been fixed in SVN rev#3828, but cmd.php and copy_cacti_user.php
still exist in the same locations as before. I wonder why those two
files aren't moved out of the web-accessible directory upstream.






-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (600, 'testing'), (50, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.19-beyond2-p4
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

[signature.asc (application/pgp-signature, inline)]

Message #22 received at 404818@bugs.debian.org (full text, mbox, reply):

From: Edward Shornock <debbugs@crazeecanuck.homelinux.net>

To: Debian Bug Tracking System <404818@bugs.debian.org>

Subject: Re: Bug#404818: SA23528: cacti: "cmd.php" Command Execution and

Date: Mon, 8 Jan 2007 04:38:55 -0500

[Message part 1 (text/plain, inline)]

SQL Injection
Reply-To: 
X-Reportbug-Version: 3.31
X-Operating-System: Linux darkside 2.6.19-beyond2-p4 

Package: cacti
Followup-For: Bug #404818

I'm not a DD, but I'll try to find some to devote some time to working
on this.


-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (600, 'testing'), (50, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.19-beyond2-p4
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

[signature.asc (application/pgp-signature, inline)]

Message #27 received at 404818@bugs.debian.org (full text, mbox, reply):

From: sean finney <seanius@debian.org>

To: CAHEN Fabrice <cahen@lancry.net>

Cc: 404818@bugs.debian.org, team <team@security.debian.org>

Subject: Re: OpenPKG-SA-2007.001

Date: Mon, 08 Jan 2007 14:31:31 -0800

[Message part 1 (text/plain, inline)]

hi fabrice,

On Mon, 2007-01-08 at 22:06 +0100, CAHEN Fabrice wrote:
> Happy new year, and happy new bugs :(

yeah, really...

> See http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.001.html
> for more, but there is a *_serious_* vulnerability in all versions of
> Cacti (cmd.php).
> Is there a fix coming ? or should i find a temporaty solution (eg:
> restrict remote access to cmd.php, and remount the /tmp with the noexec
> option ?)

there's an open bug about this in the debian bts (i'm cc'ing it now). 

my answer is that i'm currently on vacation and don't foresee having the
time to look into this issue for another week or so:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=404818

i think for an immediate fix, you should throw together an apache
configuration that restricts remote access to the files in question.  we
have a volunteer in the BR that has stated he'll take a look at digging
up a fix, though i'll prompt some of the debian-security folks to see if
anyone else has enough free time to address this more fully too.

as i stated in the BR, the real fix would be to not have this stuff
web-accessible at all...


	sean

[signature.asc (application/pgp-signature, inline)]

Message #34 received at 404818@bugs.debian.org (full text, mbox, reply):

From: Neil McGovern <neilm@debian.org>

To: 404818@bugs.debian.org, control@bugs.debian.org

Subject: Patch + CVE id

Date: Tue, 9 Jan 2007 00:13:57 +0000

[Message part 1 (text/plain, inline)]

tags 404818 + patch
thanks

This has been assigned CVE id CVE-2006-6799, please mention this in the
changelog.

The attached pacth *should* fix the issue. I don't think it contains
regressions, but I haven't had time to test it.

When uploading, please do so with high urgency.

Many thanks,
Neil
-- 
* Tolimar votes for debconf7 to be somewhere where he speaks the
	language.
<Tolimar> That would a veto for switzerland ;)
<Ganneff> Tolimar: that also vetos germany

[cmd.php.patch (text/x-diff, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #41 received at 404818@bugs.debian.org (full text, mbox, reply):

From: Will Roberts <wpr2@cornell.edu>

To: 404818@bugs.debian.org

Subject: It's not sufficient to patch cmd.php

Date: Tue, 09 Jan 2007 01:03:39 -0500

There are other files that can be exploited under certain conditions. 
This post in the cacti forum has a list of the affected files:
http://forums.cacti.net/post-87558.html#87558

They have also released patches for this, so is there any reason not to 
just use the upstream patches that fix all the vulnerabilities that they 
found?

http://cacti.net/download_patches.php

I apologize if this is out of line, but I too got bitten by this.

--Will

Message #46 received at 404818@bugs.debian.org (full text, mbox, reply):

From: sean finney <seanius@seanius.net>

To: Will Roberts <wpr2@cornell.edu>, 404818@bugs.debian.org

Subject: Re: Bug#404818: It's not sufficient to patch cmd.php

Date: Mon, 08 Jan 2007 23:08:03 -0800

[Message part 1 (text/plain, inline)]

hey will,

thanks for the additional info.

On Tue, 2007-01-09 at 01:03 -0500, Will Roberts wrote:
> There are other files that can be exploited under certain conditions. 
> This post in the cacti forum has a list of the affected files:
> http://forums.cacti.net/post-87558.html#87558
> 
> They have also released patches for this, so is there any reason not to 
> just use the upstream patches that fix all the vulnerabilities that they 
> found?
> 
> http://cacti.net/download_patches.php
> 
> I apologize if this is out of line, but I too got bitten by this.

i've also seen a report in the cacti upstream BTS that the patches in
question break certain functionality.  could you try applying the
patches and figuring out if there's an obvious fix for it?  the upstream
bug report (about the regression) is:

http://bugs.cacti.net/view.php?id=890

i'll be on vacation for another week or so, so if someone hasn't taken
charge of this by the middle of next week i should be able to get a fix
out.


	sean

[signature.asc (application/pgp-signature, inline)]

Message #51 received at 404818@bugs.debian.org (full text, mbox, reply):

From: sean finney <seanius@debian.org>

To: 404818@bugs.debian.org

Cc: team <team@security.debian.org>, control <control@bugs.debian.org>, Alex de Oliveira Silva <enerv@host.sk>, Edward Shornock <debbugs@crazeecanuck.homelinux.net>, CAHEN Fabrice <cahen@lancry.net>, Will Roberts <wpr2@cornell.edu>

Subject: tentative fix pending for CVE-2006-6799

Date: Mon, 15 Jan 2007 15:53:36 +0100

[Message part 1 (text/plain, inline)]

tags 404818 pending
thanks

hi,

finally back from VAC, and i took some time to sit down with the issue
today.  i haven't had the chance to verify that it works, but i have a
tentative fix at:

	http://people.debian.org/~seanius/cacti/sid

which includes the upstream "official" patches, as well as something
pulled out of svn to resolve a regression in said patches.  i'd
appreciate feedback from anyone being affected by this (i.e. anyone).

i won't have the time to test this myself for another 48 hours or so,
but in the meantime i'll be seeing how difficult it is to backport the
relevant patches to the version of cacti in sarge...


	sean

[signature.asc (application/pgp-signature, inline)]

Message #58 received at 404818@bugs.debian.org (full text, mbox, reply):

From: sean finney <seanius@debian.org>

To: 404818@bugs.debian.org

Cc: team <team@security.debian.org>

Subject: CVE-2006-6799 (cacti) fix on its way to unstable, sarge fix available, etc

Date: Wed, 17 Jan 2007 07:53:10 +0100

[Message part 1 (text/plain, inline)]

another update:

i've tested the patch provided by upstream, and after grabbing an
additional patch from svn to fix a regression in this patch, things seem
to be good so i've uploaded it to unstable.  thus a fix should be in
cacti version 0.8.6i-3.

as for stable, i've backported the patch and done some testing and i
believe everything should be good in version 0.8.6c-7sarge4, available
at:

http://people.debian.org/~seanius/cacti/sarge/cacti_0.8.6c-7sarge4_all.deb
http://people.debian.org/~seanius/cacti/sarge/cacti_0.8.6c-7sarge4.diff.gz
http://people.debian.org/~seanius/cacti/sarge/cacti_0.8.6c-7sarge4.dsc
http://people.debian.org/~seanius/cacti/sarge/cacti_0.8.6c-7sarge4_i386.changes

and for some text in the DSA, here's the text from mitre.org (with a
slight grammatical fix from yours truly):

---
A SQL injection vulnerability in Cacti 0.8.6i and earlier, when
register_argc_argv is enabled, allows remote attackers to execute
arbitrary SQL commands via the (1) second or (2) third arguments to
cmd.php. NOTE: this issue can be leveraged to execute arbitrary commands
since the SQL query results are later used in the polling_items array
and popen function.
---

security peeps: let me know if you need anything else from me.


	sean

[signature.asc (application/pgp-signature, inline)]

Message #63 received at 404818-close@bugs.debian.org (full text, mbox, reply):

From: sean finney <seanius@debian.org>

To: 404818-close@bugs.debian.org

Subject: Bug#404818: fixed in cacti 0.8.6i-3

Date: Wed, 17 Jan 2007 06:47:02 +0000

Source: cacti
Source-Version: 0.8.6i-3

We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive:

cacti_0.8.6i-3.diff.gz
  to pool/main/c/cacti/cacti_0.8.6i-3.diff.gz
cacti_0.8.6i-3.dsc
  to pool/main/c/cacti/cacti_0.8.6i-3.dsc
cacti_0.8.6i-3_all.deb
  to pool/main/c/cacti/cacti_0.8.6i-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 404818@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
sean finney <seanius@debian.org> (supplier of updated cacti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 15 Jan 2007 15:36:25 +0100
Source: cacti
Binary: cacti
Architecture: source all
Version: 0.8.6i-3
Distribution: unstable
Urgency: high
Maintainer: sean finney <seanius@debian.org>
Changed-By: sean finney <seanius@debian.org>
Description: 
 cacti      - Frontend to rrdtool for monitoring systems and services
Closes: 404818
Changes: 
 cacti (0.8.6i-3) unstable; urgency=high
 .
   * include the list of official patches from upstream which (among other
     things) resolves multiple vulnerabilities in the poller and default
     scripts (Closes: 404818).  thanks to Alex de Oliveira Silva for reporting
     this, and Neil McGovern for a bit of consultation.
   * security references:
     - SA23528, CVE-2006-6799
   * also include one extra changeset from svn which fixes a regression
     introduced in the security patch.
   * new patches:
     - 07_official_dec06-vulnerability-scripts-0.8.6i.dpatch
     - 07_official_dec06-vulnerability-poller-0.8.6i.dpatch
     - 07_official_poller_output_remainder.dpatch
     - 07_official_import_template_argument_space_removal.dpatch
     - 08_svn_timespan_breakage_fix.dpatch
Files: 
 efcbbb60277d99797ab2beb5853c7dc8 579 web extra cacti_0.8.6i-3.dsc
 abfedc1ef4ef2ad479793a8a5dd6dcc9 33946 web extra cacti_0.8.6i-3.diff.gz
 46548b2cc9db6396ebe98cdca8146343 959172 web extra cacti_0.8.6i-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFFrcPcynjLPm522B0RAncbAJ9c5OHyZ52L3SKmieujmAIfAmwV7wCfRFp0
/5OMsRNDol4oTUNUUDYXCD0=
=Eibf
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.