Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device. The vulnerability resides in the remote_agent.php
file. This file can be accessed without authentication. This function retrieves the IP address of the client via get_client_addr
and resolves this IP address to the corresponding hostname via gethostbyaddr
. After this, it is verified that an entry within the poller
table exists, where the hostname corresponds to the resolved hostname. If such an entry was found, the function returns true
and the client is authorized. This authorization can be bypassed due to the implementation of the get_client_addr
function. The function is defined in the file lib/functions.php
and checks serval $_SERVER
variables to determine the IP address of the client. The variables beginning with HTTP_
can be arbitrarily set by an attacker. Since there is a default entry in the poller
table with the hostname of the server running Cacti, an attacker can bypass the authentication e.g. by providing the header Forwarded-For: <TARGETIP>
. This way the function get_client_addr
returns the IP address of the server running Cacti. The following call to gethostbyaddr
will resolve this IP address to the hostname of the server, which will pass the poller
hostname check because of the default entry. After the authorization of the remote_agent.php
file is bypassed, an attacker can trigger different actions. One of these actions is called polldata
. The called function poll_for_data
retrieves a few request parameters and loads the corresponding poller_item
entries from the database. If the action
of a poller_item
equals POLLER_ACTION_SCRIPT_PHP
, the function proc_open
is used to execute a PHP script. The attacker-controlled parameter $poller_id
is retrieved via the function get_nfilter_request_var
, which allows arbitrary strings. This variable is later inserted into the string passed to proc_open
, which leads to a command injection vulnerability. By e.g. providing the poller_id=;id
the id
command is executed. In order to reach the vulnerable call, the attacker must provide a host_id
and local_data_id
, where the action
of the corresponding poller_item
is set to POLLER_ACTION_SCRIPT_PHP
. Both of these ids (host_id
and local_data_id
) can easily be bruteforced. The only requirement is that a poller_item
with an POLLER_ACTION_SCRIPT_PHP
action exists. This is very likely on a productive instance because this action is added by some predefined templates like Device - Uptime
or Device - Polling Time
.
This command injection vulnerability allows an unauthenticated user to execute arbitrary commands if a poller_item
with the action
type POLLER_ACTION_SCRIPT_PHP
(2
) is configured. The authorization bypass should be prevented by not allowing an attacker to make get_client_addr
(file lib/functions.php
) return an arbitrary IP address. This could be done by not honoring the HTTP_...
$_SERVER
variables. If these should be kept for compatibility reasons it should at least be prevented to fake the IP address of the server running Cacti. This vulnerability has been addressed in both the 1.2.x and 1.3.x release branches with 1.2.23
being the first release containing the patch.
Weakness
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Affected Software
Name |
Vendor |
Start Version |
End Version |
Cacti |
Cacti |
* |
1.2.23 (excluding) |
Cacti |
Ubuntu |
bionic |
* |
Cacti |
Ubuntu |
kinetic |
* |
Cacti |
Ubuntu |
lunar |
* |
Cacti |
Ubuntu |
mantic |
* |
Cacti |
Ubuntu |
trusty |
* |
Cacti |
Ubuntu |
xenial |
* |
Extended Description
This could allow attackers to execute unexpected, dangerous commands directly on the operating system. This weakness can lead to a vulnerability in environments in which the attacker does not have direct access to the operating system, such as in web applications. Alternately, if the weakness occurs in a privileged program, it could allow the attacker to specify commands that normally would not be accessible, or to call alternate commands with privileges that the attacker does not have. The problem is exacerbated if the compromised process does not follow the principle of least privilege, because the attacker-controlled commands may run with special system privileges that increases the amount of damage.
There are at least two subtypes of OS command injection:
From a weakness standpoint, these variants represent distinct programmer errors. In the first variant, the programmer clearly intends that input from untrusted parties will be part of the arguments in the command to be executed. In the second variant, the programmer does not intend for the command to be accessible to any untrusted party, but the programmer probably has not accounted for alternate ways in which malicious attackers can provide input.
Potential Mitigations
- Run the code in a “jail” or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.
- OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.
- This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.
- Be careful to avoid CWE-243 and other weaknesses related to jails.
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error.
- If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.
- Some languages offer multiple functions that can be used to invoke commands. Where possible, identify any function that invokes a command shell using a single string, and replace it with a function that requires individual arguments. These functions typically perform appropriate quoting and filtering of arguments. For example, in C, the system() function accepts a string that contains the entire command to be executed, whereas execl(), execve(), and others require an array of strings, one for each argument. In Windows, CreateProcess() only accepts one command at a time. In Perl, if system() is provided with an array of arguments, then it will quote each of the arguments.
- Assume all input is malicious. Use an “accept known good” input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, “boat” may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as “red” or “blue.”
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code’s environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When constructing OS command strings, use stringent allowlists that limit the character set based on the expected value of the parameter in the request. This will indirectly limit the scope of an attack, but this technique is less important than proper output encoding and escaping.
- Note that proper output encoding, escaping, and quoting is the most effective solution for preventing OS command injection, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent OS command injection, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, when invoking a mail program, you might need to allow the subject field to contain otherwise-dangerous inputs like “;” and “>” characters, which would need to be escaped or otherwise handled. In this case, stripping the character might reduce the risk of OS command injection, but it would produce incorrect behavior because the subject field would not be recorded as the user intended. This might seem to be a minor inconvenience, but it could be more important when the program relies on well-structured subject lines in order to pass messages to other components.
- Even if you make a mistake in your validation (such as forgetting one out of 100 input fields), appropriate encoding is still likely to protect you from injection-based attacks. As long as it is not done in isolation, input validation is still a useful technique, since it may significantly reduce your attack surface, allow you to detect some attacks, and provide other security benefits that proper encoding does not address.
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
- In the context of OS Command Injection, error information passed back to the user might reveal whether an OS command is being executed and possibly which command is being used.
References