Full Disclosure mailing list archives

Re: Bonsai Information Security - OS Command Injection in Cacti <= 0.8.7e
From: Alberto Trivero <a.trivero () secdiscover com>
Date: Thu, 6 May 2010 23:18:06 +0200

Misunderstanding clarified: two different vulns. ;)

Alberto Trivero


On 22 Apr 2010, at 22:25, Alberto Trivero wrote:

In what way should the vulnerability you discovered differ from the one
I published nearly FIVE years ago?

http://osvdb.org/show/osvdb/17539

It would be nice if you share some more details.
As is, it sounds like a copy to me.

Greetings.

Alberto Trivero



On 22 Apr 2010, at 04:45, Bonsai Information Security Advisories wrote:

OS Command Injection in Cacti
=============================
http://www.bonsai-sec.com/en/research/vulnerability.php
=============================


1. Advisory Information

Advisory ID: BONSAI-2010-0105
Date published: 2010-04-21
Vendors contacted: Cacti
Release mode: Coordinated release


2. Vulnerability Information

Class: Injection
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: To be Defined


3. Software Description

Cacti is a complete network graphing solution designed to harness the
power of RRDTool's data storage and graphing functionality. Cacti
provides a fast poller, advanced graph templating, multiple data
acquisition methods, and user management features out of the box. All of
this is wrapped in an intuitive, easy to use interface that makes sense
for LAN-sized installations up to complex networks with hundreds of
devices [0]


4. Vulnerability Description

Injection flaws, such as SQL, OS, and LDAP injection, occur when
untrusted data is sent to an interpreter as part of a command or query.
The attacker's hostile data can trick the interpreter into executing
unintended commands or accessing unauthorized data.

For additional information please read [1] (A1 - Injection)


5. Vulnerable packages

Version <= 0.8.7e


6. Non-vulnerable packages

New version is not available. In order to mitigate the OS Command
Injection, the administrators of Cacti should trust the user who has the
privileges to access the vulnerable parts of the application. A new
point release of Cacti would resolve this specific issue.


7. Credits

This vulnerability was discovered by Nahuel Grisolia ( nahuel -at-
bonsai-sec.com ).


8. Technical Description

8.1 OS Command Injection

CVSSv2 Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)

Cacti is prone to a remote command execution vulnerability because the
software fails to adequately sanitize user-supplied input. Successful
attacks can compromise the affected software and possibly the operating
system running Cacti.

The vulnerability can be triggered by any user doing:

1) Edit or Create a Device with FQDN 'NotARealIPAddress;CMD;' (without
single quotes) and Save it. Edit the Device again and reload any data
query already created. CMD will be executed with Web Server rights.

2) Edit or Create a Graph Template and use as Vertical Label
'BonsaiSecLabel";CMD; "' (without single quotes) and Save it. Go to
Graph Management section and Select it. CMD will be executed with Web
Server rights. Note that other properties of a Graph Template might also
be affected.


9. Report Timeline

2010-04-03:
Vulnerabilities were identified.
2010-04-06:
Vendor Contacted
2010-04-17:
Vendor released a mitigation plan
2010-04-21:
The advisory BONSAI-2010-0105 is published.


10. References

[0] http://www.cacti.net/

[1] http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project


11. About Bonsai

Bonsai is a company involved in providing professional computer
information security services. Currently a sound growth company, since
its foundation in early 2009 in Buenos Aires, Argentina, we are fully
committed to quality service, and focused on our customers' real needs.


12. Disclaimer

The contents of this advisory are copyright (c) 2010 Bonsai Information
Security, and may be distributed freely provided that no fee is charged
for this distribution and proper credit is given.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
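The defect class the quoted advisory describes is untrusted text (a device's FQDN field, a graph template's vertical label) being concatenated into a shell command line. The following Python is an added example, not part of this thread and not Cacti's own PHP code, showing the vulnerable concatenation pattern beside two hardened forms: an allow-list validator for host fields (RFC 1123 hostname or IP literal) that hands the value to the program as an argv element with no shell involved, and shell quoting for free-text fields such as labels where allow-listing is not possible. The function names, the `ping -c 1` command and the sample host values are constructed for the example; the `NotARealIPAddress;CMD;` string is the placeholder from the advisory.

```python
import ipaddress
import re
import shlex

# RFC 1123 label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Characters a POSIX shell interprets. None is legal in a hostname or IP
# literal, so their presence in a stored "host" field is itself a finding.
SHELL_METACHARS = frozenset(";|&$`<>()\"'\\\n*?[]{}~!#")


def is_valid_hostname(host: str) -> bool:
    """Allow-list check: every dot-separated label must match RFC 1123."""
    if not host or len(host) > 253:
        return False
    labels = host.rstrip(".").split(".")
    return all(_LABEL_RE.match(label) for label in labels)


def is_valid_ip(host: str) -> bool:
    """Accept IPv4/IPv6 literals via the standard library parser."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_valid_poll_target(host: str) -> bool:
    """A device 'FQDN' field must be either an IP literal or a hostname."""
    return is_valid_ip(host) or is_valid_hostname(host)


def has_shell_metachars(value: str) -> bool:
    """Deny-list signal for audits and detection; not a substitute for validation."""
    return any(ch in SHELL_METACHARS for ch in value)


def build_ping_command_unsafe(host: str) -> str:
    """The vulnerable pattern: untrusted text concatenated into a shell line.
    Passing this string to a shell lets ';' terminate the intended command."""
    return "ping -c 1 " + host


def build_ping_command_safe(host: str) -> list:
    """Hardened form: validate against the allow-list, then build an argv list
    (e.g. for subprocess.run(argv)) so no shell ever parses the value."""
    if not is_valid_poll_target(host):
        raise ValueError(f"rejected host field: {host!r}")
    return ["ping", "-c", "1", host]


def quote_for_shell(label: str) -> str:
    """For free-text fields (such as a graph's vertical label) where a shell
    string is unavoidable, quote each argument so '\"' and ';' stay literal."""
    return "rrdtool-like-command --vertical-label " + shlex.quote(label)


def audit_host_fields(hosts):
    """Return stored host fields that fail validation, for a one-off sweep of
    device records on an installation that cannot yet be upgraded."""
    return [h for h in hosts if not is_valid_poll_target(h)]


if __name__ == "__main__":
    # Constructed sample of device host fields, including the advisory's placeholder.
    sample = ["router1.example.net", "192.0.2.10", "NotARealIPAddress;CMD;"]
    for h in sample:
        print(h, "->", "ok" if is_valid_poll_target(h) else "REJECTED")
    print("suspicious:", audit_host_fields(sample))
```

`audit_host_fields` is the check an administrator following the advisory's interim advice (restrict who may edit devices and templates) can run over existing records, since a field that already fails the allow-list is worth investigating regardless of who has edit rights today. The allow-list is the control; `has_shell_metachars` only exists to make the failing records easy to explain in a report.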

