Bug 542985 (CVE-2009-4112) - CVE-2009-4112 Cacti: Privilege escalation under certain conditions
Summary: CVE-2009-4112 Cacti: Privilege escalation under certain conditions
Status: CLOSED NOTABUG
Alias: CVE-2009-4112
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://archives.neohapsis.com/archive...
Whiteboard: impact=low,source=osssecurity,reporte...
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-12-01 11:54 UTC by Jan Lieskovsky
Modified: 2019-06-08 12:52 UTC (History)
1 user (show)

(edit)
Clone Of:
(edit)
Last Closed: 2010-06-29 08:11:41 UTC


Attachments (Terms of Use)

Description Jan Lieskovsky 2009-12-01 11:54:09 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4112
to the following vulnerability:

Cacti 0.8.7e and earlier allows remote authenticated administrators to
gain privileges by modifying the "Data Input Method" for the "Linux -
Get Memory Usage" setting to contain arbitrary commands.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4112
http://archives.neohapsis.com/archives/fulldisclosure/2009-11/0292.html
http://www.securityfocus.com/bid/37137

More issue details from the full-disclosure post by Moritz Naumann:
-------------------------------------------------------------------

5. Priviledge escalation

Finally, due to the permissive way the web interface allows
Cacti to be configured, a cacti administrator is also able
to execute arbitrary commands on the system as the user the
Cacti polling mechanism runs as (usually a non-priviledged user).

For example, it is possible to successfully spawn (and connect to)
a backdoor/remote shell on the Cacti system by changing the "Data
Input Method" for "Linux - Get Memory Usage". Setting "Input String"
to 
  nohup nc -l -p 6666 -n -e /bin/sh &

would spawn a remotely accessible shell whenever this handler was
called (every couple of minutes by default on my Debian test system).

Cacti developers say:
> There is no effective way to fix the data input method without
> breaking Cacti. It will be reviewed for the release of 0.8.8.

Upstream patch:
---------------
No upstream patch yet.

Comment 1 Mike McGrath 2009-12-02 18:20:28 UTC
what version of nc has a valid -e?

Comment 2 Tomas Hoger 2010-06-29 08:11:41 UTC
(In reply to comment #1)
> what version of nc has a valid -e?    

Some Debian version, or nmap's netcat implementation - ncat.

However, I'm closing this bug.  It is expected that cacti administrator is able to define new Data Input Methods that can be either SNMP query or command that is run with privileges of cacti user.  So this "flaw" does not bypass any intended restriction.  It seems upstream has no intention to add additional restrictions on Data Input Methods commands in the maintenance releases for current cacti version.


Note You need to log in before you can comment on or make changes to this bug.