Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Cacti: Unauthenticated Remote Code Execution- 1049

Stefan Schiller - Sonar Source. Posted 3 years ago.
  • Cacti is an open source monitoring solution used by many different companies. The Sonar team found this initially by scanning the code base for bugs with their tool.
  • The application is written in PHP. At the very beginning of the app, an authorization check is performed: if the request's IP address corresponds to a hostname in a database table, the request is allowed; otherwise, it is denied.
  • When working out that IP address, the application consults many user-controlled headers. A plethora of headers like HTTP_X_FORWARDED can be used to control the IP. Since the IP is used for authentication purposes, this is a complete authentication bypass.
  • Their tool also flagged a command injection vulnerability: the user-provided poller_id parameter is passed into a proc_open call without sanitization. This creates a fairly trivial command injection that can be used to get code execution.
  • The first mitigation was to make the accepted headers configurable, but off by default. This is helpful for situations where Cacti sits behind a reverse proxy. For the command injection, cacti_escapeshellarg was applied to the variable in two separate places to prevent a regression from occurring.
  • Overall, their tool seems impressive! They keep reporting high impact issues like this one. Beyond that, trusting user-controlled headers for sensitive operations is a common problem. Good find!
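The two bug classes from the post, as an added PHP example that is my own model and not Cacti's or Sonar's code: a client-IP resolver that trusts proxy headers beside one that only honours them when explicitly enabled for a trusted proxy, and a shell command built from poller_id with and without quoting. The header names, the `$trusted_proxies` list, the command line and the request array are constructed for the example.

```php
<?php
// Added example, not Cacti's code: a minimal model of the two bugs in the post.

// Weak: the client IP is whatever proxy header the client chooses to send,
// so any caller can claim to be an allowed poller host.
function client_ip_weak(array $server): string {
    foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_CLIENT_IP'] as $h) {
        if (!empty($server[$h])) {
            return trim(explode(',', $server[$h])[0]);
        }
    }
    return $server['REMOTE_ADDR'];
}

// Hardened: forwarded headers are ignored unless the deployment opts in AND the
// TCP peer is a known reverse proxy (mirrors the "configurable, off by default" fix).
// Each proxy appends the address it saw, so the last entry is the one our proxy wrote.
function client_ip_hardened(array $server, bool $trust_headers = false, array $trusted_proxies = []): string {
    $remote = $server['REMOTE_ADDR'];
    if ($trust_headers && in_array($remote, $trusted_proxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        return end($hops);
    }
    return $remote;
}

// Weak: the parameter is interpolated straight into the command string.
function build_cmd_weak(string $poller_id): string {
    return '/usr/bin/php poller.php --poller=' . $poller_id;
}

// Hardened: shell-quote the argument (the post's fix); the numeric check is an
// extra layer, since a poller id is never anything but an integer.
function build_cmd_hardened(string $poller_id): string {
    if (!ctype_digit($poller_id)) {
        throw new InvalidArgumentException('poller_id must be a non-negative integer');
    }
    return '/usr/bin/php poller.php --poller=' . escapeshellarg($poller_id);
}

// Constructed request: an outside peer that asserts an allowed address via a header.
$request = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
$allowed = ['127.0.0.1'];
printf("weak resolver:     %s\n", in_array(client_ip_weak($request), $allowed, true) ? 'allowed' : 'denied');
printf("hardened resolver: %s\n", in_array(client_ip_hardened($request), $allowed, true) ? 'allowed' : 'denied');
printf("quoted command:    %s\n", build_cmd_hardened('1'));
```

With `$trust_headers` left false the hardened resolver reports the real peer address and the request is denied, while the weak one is talked into the allow-list by a single header.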