Summary
Due to a flaw in the multi-line SNMP result parser, authenticated users can inject malformed OIDs into the response. When the response is processed by ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), a part of each OID is used as a key in an array that is later embedded in a system command, resulting in a command execution vulnerability.
Details
In cacti_snmp_walk(), Cacti uses exec_into_array() to execute commands and read multi-line results as an array. After that, the following code is used to parse those lines: it checks for an equal sign and assigns the left side as the OID and the right side as its value. These parsed OIDs are added to the final result. In the process the values are filtered, but the OIDs are not.

If the line being parsed does not contain an OID (checked by the regex), the line is appended, without filtering, to the value of the previous OID.
ss_net_snmp_disk_io() requests three OIDs using snmpwalk, then stores the results in two variables, $names and $iops. The last part of each OID from $names is added to an array named $indexes.
cacti/scripts/ss_net_snmp_disk_io.php, lines 125 to 126 in 9c34682:

```php
$parts = explode('.', $measure['oid']);
$indexes[$parts[cacti_sizeof($parts)-1]] = $parts[cacti_sizeof($parts)-1];
```
Another snmpwalk request is then made, and Cacti checks whether the last part of each OID from this request is in $indexes; if it is, the value of this OID is added to an array named $current.
cacti/scripts/ss_net_snmp_disk_io.php, line 175 in 9c34682:

```php
$current["dr$index"] = $measure['value'];
```
$current is then JSON encoded and added to a shell command. Before passing the JSON string to the shell, Cacti wraps the data in single quotes, but this quoting can easily be broken.
cacti/scripts/ss_net_snmp_disk_io.php, lines 225 to 226 in 9c34682:

```php
$data = "'" . json_encode($current) . "'";
shell_exec("echo $data > $tmpdir/$tmpfile");
```
PoC
- Start an snmp agent to send the payload.
- Change 'Local Linux Machine' device port to your agent port.
- Add "Net-SNMP - Combined SCSI Disk I/O" to the device graph templates, if it's not already there.
- Go to graph tree and select Local Linux Machine.
- Click "view in realtime" in 'Combine SCSI disk I/O' graph.


Impact
This vulnerability allows authenticated users with device management permissions to execute code on the server, and to steal, edit, or delete sensitive data.