I. OVERVIEW
Discoverer: Chi Tran
Vendor & Product: Cacti | Network Monitoring Tool
Version: 1.2.8 and prior
CVE Reference: CVE-2020-7237
II. ABOUT CACTI
- Cacti is a complete front-end to RRDTool; it stores all of the information needed to create graphs and populate them with data in a MySQL database. The front-end is completely PHP driven. Along with maintaining Graphs, Data Sources, and Round Robin Archives in a database, Cacti handles the data gathering. There is also SNMP support for those used to creating traffic graphs with MRTG.
III. VULNERABILITY DETAILS
- Cacti allows authenticated users to set up On-demand RRD Update Settings and uses the Boost Debug Log setting as the path for poller process output.
- My approach was to supply a dummy string containing all types of characters (upper/lower case letters, numbers, special characters). Watching the Cacti log after saving the path, I observed that the dummy string went through every time a new poller process began.
- i.e. Boost Debug Log = "abc /etc/passwd":
- a blank file named "abc" was created;
- another file named "/etc/passwd" was created, with a notification that "/etc/passwd" was not a valid argument.
- The poller_automation.php file was handling this dummy string.
- My thoughts at this point were around two things:
- poller_automation.php contains something that I could use to bypass the argument requirements;
- a specially crafted payload.
- Tracing the poller process workflow, I observed that every time a new poller process begins, it calls several PHP scripts:
- From the log, I could confirm that these PHP scripts are invoked as:
- <path_PHP> <automation scripts> [-arguments]
- Digging into poller_automation.php, a code block specifies the valid arguments that must be passed to the script when it is run.
- Hence, if one of these arguments followed by OS commands is entered into the field, Remote Code Execution is gained.
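The flaw described above and its fix, as an added PHP illustration that is not Cacti's own code: the function names, the "--log=" option and the sample inputs are assumptions (the writeup's own dummy string is reused as one input).

```php
<?php
// Added illustration, not Cacti's own code: a user-supplied log path that is
// spliced into a poller command line, beside a hardened version. The function
// names and the "--log=" option are hypothetical.

// Vulnerable pattern: the raw setting is concatenated into the command string,
// so whitespace splits it into extra arguments and shell metacharacters are
// interpreted by the shell (the behaviour the writeup observed in the log).
function build_poller_cmd_unsafe(string $php, string $script, string $logPath): string
{
    return "$php $script --log=$logPath";
}

// Hardened: allow only an absolute path made of safe characters, resolve the
// directory and require it to sit under an allowed base, and return null for
// anything else so the setting is rejected before it reaches the poller.
function validate_log_path(string $logPath, string $allowedBase): ?string
{
    if (!preg_match('#^/[A-Za-z0-9_./-]+$#', $logPath) || strpos($logPath, '..') !== false) {
        return null;
    }
    $dir  = realpath(dirname($logPath));
    $base = realpath($allowedBase);
    if ($dir === false || $base === false || strpos($dir . '/', $base . '/') !== 0) {
        return null;
    }
    return $dir . '/' . basename($logPath);
}

// Quote every argument with escapeshellarg() so each one reaches the script as a
// single argv entry; better still, pass an argv array to proc_open() (PHP >= 7.4)
// and never involve a shell at all.
function build_poller_cmd_safe(string $php, string $script, string $logPath, string $allowedBase): ?string
{
    $clean = validate_log_path($logPath, $allowedBase);
    if ($clean === null) {
        return null;
    }
    return escapeshellarg($php) . ' ' . escapeshellarg($script) . ' --log=' . escapeshellarg($clean);
}

// Constructed inputs: a legitimate path under the temp dir, the writeup's dummy
// string, and a path containing a space.
$base = sys_get_temp_dir();
foreach ([$base . '/boost.log', 'abc /etc/passwd', $base . '/boost log.txt'] as $input) {
    printf("%-32s unsafe: %s\n", $input, build_poller_cmd_unsafe('php', 'poller_automation.php', $input));
    printf("%-32s safe:   %s\n", '', build_poller_cmd_safe('php', 'poller_automation.php', $input, $base) ?? 'REJECTED');
}
```

Only the first input produces a safe command line; the other two are rejected at validation, which is the check the Boost Debug Log setting needs before its value is ever handed to a poller process.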
IV. IMPACT
- Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.
V. REMEDIATION
VI. REPORT TIMELINE
- 01/17/2020: Discovered the vulnerability
- 01/18/2020: Vendor confirmed and released a fix
- 01/19/2020: CVE ID assigned (CVE-2020-7237)