Bug 542985 - (CVE-2009-4112) CVE-2009-4112 Cacti: Privilege escalation under certain conditions
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
URL: http://archives.neohapsis.com/archive...
Whiteboard: impact=low,source=osssecurity,reporte...
Keywords: Security
Reported: 2009-12-01 06:54 EST by Jan Lieskovsky
Modified: 2010-06-29 05:08 EDT
Doc Type: Bug Fix
Last Closed: 2010-06-29 04:11:41 EDT
Attachments: None
Description Jan Lieskovsky 2009-12-01 06:54:09 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4112
to the following vulnerability:

Cacti 0.8.7e and earlier allows remote authenticated administrators to
gain privileges by modifying the "Data Input Method" for the "Linux -
Get Memory Usage" setting to contain arbitrary commands.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4112
http://archives.neohapsis.com/archives/fulldisclosure/2009-11/0292.html
http://www.securityfocus.com/bid/37137

More issue details from the full-disclosure post by Moritz Naumann:
-------------------------------------------------------------------

5. Privilege escalation

Finally, due to the permissive way the web interface allows
Cacti to be configured, a cacti administrator is also able
to execute arbitrary commands on the system as the user the
Cacti polling mechanism runs as (usually a non-privileged user).

For example, it is possible to successfully spawn (and connect to)
a backdoor/remote shell on the Cacti system by changing the "Data
Input Method" for "Linux - Get Memory Usage". Setting "Input String"
to 
  nohup nc -l -p 6666 -n -e /bin/sh &

would spawn a remotely accessible shell whenever this handler was
called (every couple of minutes by default on my Debian test system).

Cacti developers say:
> There is no effective way to fix the data input method without
> breaking Cacti. It will be reviewed for the release of 0.8.8.

Upstream patch:
---------------
No upstream patch yet.
Comment 1 Mike McGrath 2009-12-02 13:20:28 EST
what version of nc has a valid -e?
Comment 2 Tomas Hoger 2010-06-29 04:11:41 EDT
(In reply to comment #1)
> what version of nc has a valid -e?    

Some Debian version, or nmap's netcat implementation - ncat.

However, I'm closing this bug.  It is expected that a cacti administrator is able to define new Data Input Methods, which can be either an SNMP query or a command that is run with the privileges of the cacti user.  So this "flaw" does not bypass any intended restriction.  It seems upstream has no intention to add additional restrictions on Data Input Methods commands in the maintenance releases for the current cacti version.
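
Since Comment 2 makes clear that reviewing command-type Data Input Methods is the operator's job rather than something Cacti restricts, the following script audits them for anything beyond a plain call to a script under Cacti's own scripts directory. It is an added example, not part of this bug report or of Cacti's code; it assumes rows shaped like Cacti's `data_input` table (name, input_string, type_id) with type_id 1 meaning "Script/Command", and the sample rows are constructed.

```python
import re

SCRIPT_COMMAND = 1                       # assumption: data_input.type_id for "Script/Command"
SCRIPT_DIR = "<path_cacti>/scripts/"     # Cacti's path token for its shipped poller scripts
PLACEHOLDER = re.compile(r"<[A-Za-z0-9_]+>")   # Cacti field tokens, e.g. <path_cacti>, <grepstr>
SHELL_CONTROL = re.compile(r"[;&|`<>]|\$\(")   # operators that chain, background or redirect commands

def audit_input_methods(rows):
    """Return (name, reason) for every Script/Command input method whose
    command string chains or redirects, escapes the scripts directory, or
    does not invoke a script under SCRIPT_DIR at all. SNMP methods are skipped."""
    findings = []
    for name, input_string, type_id in rows:
        if type_id != SCRIPT_COMMAND:
            continue                                  # SNMP-based methods run no command
        stripped = PLACEHOLDER.sub("X", input_string)  # tokens use <>, so neutralise them first
        if SHELL_CONTROL.search(stripped):
            findings.append((name, "shell control operator in command"))
        elif ".." in stripped:
            findings.append((name, "path traversal in command"))
        elif SCRIPT_DIR not in input_string:
            findings.append((name, "command is not a script under " + SCRIPT_DIR))
    return findings

# Constructed sample rows mimicking data_input; the fourth reuses the string
# from the full-disclosure post quoted above so the audit can be seen catching it.
SAMPLE_ROWS = [
    ("Linux - Get Memory Usage", "perl <path_cacti>/scripts/linux_memory.pl <grepstr>", 1),
    ("Unix - Get Load Average", "perl <path_cacti>/scripts/loadavg_multi.pl", 1),
    ("SNMP - Generic OID Template", "", 2),
    ("Linux - Get Memory Usage (modified)", "nohup nc -l -p 6666 -n -e /bin/sh &", 1),
    ("Local - Custom Check", "/usr/local/bin/custom_check.sh <hostname>", 1),
    ("Disk - Free Space (redirected)", "perl <path_cacti>/scripts/diskfree.pl <partition> > /tmp/out", 1),
]

if __name__ == "__main__":
    for name, reason in audit_input_methods(SAMPLE_ROWS):
        print(f"REVIEW: {name!r}: {reason}")
```

Rows the audit reports are not necessarily malicious (a local script outside the scripts directory may be legitimate); they are the ones an administrator must account for, since each runs as the poller user.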
