Headline
Cacti 1.2.26 Remote Code Execution
Cacti versions 1.2.26 and below suffer from a remote code execution vulnerability in import.php.
----------------------------------------------------------------
Cacti <= 1.2.26 (import.php) Remote Code Execution Vulnerability
----------------------------------------------------------------

[-] Software Link:

https://cacti.net

[-] Affected Versions:

Version 1.2.26 and prior versions.

[-] Vulnerability Description:

The vulnerability is located within the "import_package()" function
defined in the /lib/import.php script. This function blindly trusts
the filename and file content provided within the uploaded XML data,
and writes such files into the Cacti base path (or even outside, since
Path Traversal sequences are not filtered). This can be exploited to
write or overwrite arbitrary files on the web server, leading to
execution of arbitrary PHP code or other security impacts.

Successful exploitation of this vulnerability requires a user account
having the "Import Templates" permission.

[-] Solution:

Upgrade to version 1.2.27 or later.

[-] Disclosure Timeline:

[17/01/2024] - Vendor notified through GitHub
[12/05/2024] - Version 1.2.27 released
[13/05/2024] - Publication of this advisory

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2024-25641 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Other References:

https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88

[-] Original Advisory:

https://karmainsecurity.com/KIS-2024-04
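The advisory's root cause is that a file name taken from uploaded XML is joined to the base path without any containment check. The following is an added example of such a check, not code from Cacti or from the advisory; the function name `resolve_package_path()`, the base path and the sample names are hypothetical.

```php
<?php
// Added example: not Cacti's code; resolve_package_path() and the sample names are hypothetical.

// Map a file name read from untrusted package XML onto $base.
// Returns the absolute target path, or null if it would land outside $base.
function resolve_package_path(string $base, string $name): ?string
{
    // Empty names and NUL bytes are never valid.
    if ($name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    // Treat backslashes as separators, then refuse absolute and drive-letter paths.
    $name = str_replace('\\', '/', $name);
    if ($name[0] === '/' || preg_match('/^[A-Za-z]:/', $name)) {
        return null;
    }
    // Collapse "." and ".." lexically: the target usually does not exist yet,
    // so realpath() cannot be used on it.
    $parts = [];
    foreach (explode('/', $name) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            if (!$parts) {
                return null; // would climb above the base path
            }
            array_pop($parts);
            continue;
        }
        $parts[] = $seg;
    }
    if (!$parts) {
        return null; // name resolves to the base directory itself
    }
    return rtrim($base, '/') . '/' . implode('/', $parts);
}

// Constructed sample names, standing in for a package's file list.
$base = '/var/www/html/cacti';
$names = [
    'resource/example/ok.xml',    // stays inside the base path
    'a/./b/../c.txt',             // collapses to a/c.txt, still inside
    '../../outside/file.txt',     // rejected: leading traversal
    'scripts/../../outside.txt',  // rejected: traversal after a valid segment
    '/tmp/absolute.txt',          // rejected: absolute path
];
foreach ($names as $n) {
    printf("%-28s => %s\n", $n, resolve_package_path($base, $n) ?? 'REJECTED');
}
```

Containment only addresses the path traversal half of the issue: as the advisory notes, files written inside the Cacti base path can themselves lead to PHP execution, so the package content still has to come from a trusted source or the write destinations have to be restricted. The check is also purely lexical and does not account for symbolic links that already exist under the base path.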
Related news
Ubuntu Security Notice 6969-1 - It was discovered that Cacti did not properly apply checks to the "Package Import" feature. An attacker could possibly use this issue to perform arbitrary code execution. This issue only affected Ubuntu 24.04 LTS, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS and Ubuntu 18.04 LTS. It was discovered that Cacti did not properly sanitize values when using the JavaScript-based API. A remote attacker could possibly use this issue to inject arbitrary JavaScript code, resulting in a cross-site scripting vulnerability. This issue only affected Ubuntu 24.04 LTS.
This exploit module leverages an arbitrary file write vulnerability in Cacti versions prior to 1.2.27 to achieve remote code execution. It abuses the Import Packages feature to upload a specially crafted package that embeds a PHP file. Cacti will extract this file to an accessible location. The module finally triggers the payload to execute arbitrary PHP code in the context of the user running the web server. Authentication is needed and the account must have access to the Import Packages feature. This is granted by setting the Import Templates permission in the Template Editor section.