CVE-2022-46169

Cacti Command Injection Vulnerability

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

Act

*SSVC

Descriptions

Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device. The vulnerability resides in the `remote_agent.php` file. This file can be accessed without authentication. This function retrieves the IP address of the client via `get_client_addr` and resolves this IP address to the corresponding hostname via `gethostbyaddr`. After this, it is verified that an entry within the `poller` table exists, where the hostname corresponds to the resolved hostname. If such an entry was found, the function returns `true` and the client is authorized. This authorization can be bypassed due to the implementation of the `get_client_addr` function. The function is defined in the file `lib/functions.php` and checks serval `$_SERVER` variables to determine the IP address of the client. The variables beginning with `HTTP_` can be arbitrarily set by an attacker. Since there is a default entry in the `poller` table with the hostname of the server running Cacti, an attacker can bypass the authentication e.g. by providing the header `Forwarded-For: <TARGETIP>`. This way the function `get_client_addr` returns the IP address of the server running Cacti. The following call to `gethostbyaddr` will resolve this IP address to the hostname of the server, which will pass the `poller` hostname check because of the default entry. After the authorization of the `remote_agent.php` file is bypassed, an attacker can trigger different actions. One of these actions is called `polldata`. The called function `poll_for_data` retrieves a few request parameters and loads the corresponding `poller_item` entries from the database. If the `action` of a `poller_item` equals `POLLER_ACTION_SCRIPT_PHP`, the function `proc_open` is used to execute a PHP script. The attacker-controlled parameter `$poller_id` is retrieved via the function `get_nfilter_request_var`, which allows arbitrary strings. This variable is later inserted into the string passed to `proc_open`, which leads to a command injection vulnerability. By e.g. providing the `poller_id=;id` the `id` command is executed. In order to reach the vulnerable call, the attacker must provide a `host_id` and `local_data_id`, where the `action` of the corresponding `poller_item` is set to `POLLER_ACTION_SCRIPT_PHP`. Both of these ids (`host_id` and `local_data_id`) can easily be bruteforced. The only requirement is that a `poller_item` with an `POLLER_ACTION_SCRIPT_PHP` action exists. This is very likely on a productive instance because this action is added by some predefined templates like `Device - Uptime` or `Device - Polling Time`.

This command injection vulnerability allows an unauthenticated user to execute arbitrary commands if a `poller_item` with the `action` type `POLLER_ACTION_SCRIPT_PHP` (`2`) is configured. The authorization bypass should be prevented by not allowing an attacker to make `get_client_addr` (file `lib/functions.php`) return an arbitrary IP address. This could be done by not honoring the `HTTP_...` `$_SERVER` variables. If these should be kept for compatibility reasons it should at least be prevented to fake the IP address of the server running Cacti. This vulnerability has been addressed in both the 1.2.x and 1.3.x release branches with `1.2.23` being the first release containing the patch.

Cacti es una plataforma de código abierto que proporciona un framework de gestión de fallos y supervisión operativa robusta y extensible para los usuarios. En las versiones afectadas, una vulnerabilidad de inyección de comandos permite a un usuario no autenticado ejecutar código arbitrario en un servidor que ejecuta Cacti, si se seleccionó una fuente de datos específica para cualquier dispositivo monitoreado. La vulnerabilidad reside en el archivo `remote_agent.php`. Se puede acceder a este archivo sin autenticación. Esta función recupera la dirección IP del cliente a través de `get_client_addr` y resuelve esta dirección IP en el nombre de host correspondiente a través de `gethostbyaddr`. Después de esto, se verifica que existe una entrada dentro de la tabla `poller`, donde el nombre de host corresponde al nombre de host resuelto. Si se encuentra dicha entrada, la función devuelve "verdadero" y el cliente está autorizado. Esta autorización se puede omitir debido a la implementación de la función `get_client_addr`. La función se define en el archivo `lib/functions.php` y verifica las variables serval `$_SERVER` para determinar la dirección IP del cliente. Un atacante puede establecer arbitrariamente las variables que comienzan con `HTTP_`. Dado que hay una entrada predeterminada en la tabla `poller` con el nombre de host del servidor que ejecuta Cacti, un atacante puede omitir la autenticación, por ejemplo, proporcionando el encabezado `Forwarded-For: `. De esta forma, la función `get_client_addr` devuelve la dirección IP del servidor que ejecuta Cacti. La siguiente llamada a `gethostbyaddr` resolverá esta dirección IP en el nombre de host del servidor, que pasará la verificación del nombre de host `poller` debido a la entrada predeterminada. Después de omitir la autorización del archivo `remote_agent.php`, un atacante puede desencadenar diferentes acciones. Una de estas acciones se llama "polldata". La función llamada `poll_for_data` recupera algunos parámetros de solicitud y carga las entradas correspondientes de `poller_item` de la base de datos. Si la `acción` de un `poller_item` es igual a `POLLER_ACTION_SCRIPT_PHP`, la función `proc_open` se usa para ejecutar un script PHP. El parámetro controlado por el atacante `$poller_id` se recupera mediante la función `get_nfilter_request_var`, que permite cadenas arbitrarias. Esta variable luego se inserta en la cadena pasada a `proc_open`, lo que genera una vulnerabilidad de inyección de comando. Por ejemplo, al proporcionar `poller_id=;id`, se ejecuta el comando `id`. Para llegar a la llamada vulnerable, el atacante debe proporcionar un `host_id` y un `local_data_id`, donde la `acción` del `poller_item` correspondiente está configurada en `POLLER_ACTION_SCRIPT_PHP`. Ambos identificadores (`host_id` y `local_data_id`) pueden ser fácilmente forzados por fuerza bruta. El único requisito es que exista un `poller_item` con una acción `POLLER_ACTION_SCRIPT_PHP`. Es muy probable que esto ocurra en una instancia productiva porque esta acción se agrega mediante algunas plantillas predefinidas como "Device - Uptime` o "Dispositivo - Polling Time". Esta vulnerabilidad de inyección de comandos permite a un usuario no autenticado ejecutar comandos arbitrarios si se configura un `poller_item` con el tipo `action` `POLLER_ACTION_SCRIPT_PHP` (`2`). La omisión de autorización debe evitarse al no permitir que un atacante haga que `get_client_addr` (archivo `lib/functions.php`) devuelva una dirección IP arbitraria. Esto podría hacerse al no respetar las variables `HTTP_...` `$_SERVER`. Si se deben conservar por razones de compatibilidad, al menos se debe evitar falsificar la dirección IP del servidor que ejecuta Cacti. Esta vulnerabilidad se ha solucionado en las versiones 1.2.x y 1.3.x, siendo `1.2.23` la primera versión que contiene el parche.

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cacti. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the poll_for_data function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account.

Cacti version 1.2.22 suffers from a remote command execution vulnerability.

Cacti contains a command injection vulnerability that allows an unauthenticated user to execute code.

*Credits: Steven Seeley (mr_me) of Source Incite

CVSS Scores

NISTv3.1 9.8

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Act

Exploitation

Active

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2022-11-28 CVE Reserved
2022-12-05 CVE Published
2022-12-05 First Exploit
2023-02-16 Exploited in Wild
2023-03-09 KEV Due Date
2024-08-03 CVE Updated
2024-09-08 EPSS Updated

CWE

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-863: Incorrect Authorization

CAPEC

References (32)

URL	Tag	Source
https://github.com/vulhub/vulhub/tree/master/cacti/CVE-2022-46169
https://www.sonarsource.com/blog/cacti-unauthenticated-remote-code-execution

URL	Date	SRC
https://www.exploit-db.com/exploits/51166	2023-03-31
https://github.com/0xf4n9x/CVE-2022-46169	2022-12-08
https://github.com/sAsPeCt488/CVE-2022-46169	2023-05-03
https://github.com/FredBrave/CVE-2022-46169-CACTI-1.2.22	2023-09-11
https://github.com/c3rrberu5/CVE-2022-46169	2023-01-16
https://github.com/Inplex-sys/CVE-2022-46169	2023-01-02
https://github.com/taythebot/CVE-2022-46169	2022-12-16
https://github.com/Habib0x0/CVE-2022-46169	2023-01-20
https://github.com/ruycr4ft/CVE-2022-46169	2023-10-11
https://github.com/a1665454764/CVE-2022-46169	2023-08-30
https://github.com/yassinebk/CVE-2022-46169	2023-04-30
https://github.com/imjdl/CVE-2022-46169	2022-12-07
https://github.com/doosec101/CVE-2022-46169	2023-03-21
https://github.com/dawnl3ss/CVE-2022-46169	2023-08-01
https://github.com/BKreisel/CVE-2022-46169	2023-05-04
https://github.com/HPT-Intern-Task-Submission/CVE-2022-46169	2024-06-14
https://github.com/miko550/CVE-2022-46169	2023-02-02
https://github.com/MarkStrendin/CVE-2022-46169	2023-05-03
https://github.com/mind2hex/CVE-2022-46169	2024-03-28
https://github.com/icebreack/CVE-2022-46169	2023-04-13
https://github.com/0xN7y/CVE-2022-46169	2023-12-07
https://github.com/devilgothies/CVE-2022-46169	2023-04-29
https://github.com/antisecc/CVE-2022-46169	2023-05-21
https://github.com/Safarchand/CVE-2022-46169	2023-05-02
https://github.com/0xZon/CVE-2022-46169-Exploit	2023-09-10
https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf	2024-08-03
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/cacti_unauthenticated_cmd_injection.rb	2022-12-05

URL	Date	SRC
https://github.com/Cacti/cacti/commit/7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216	2024-06-28
https://github.com/Cacti/cacti/commit/a8d59e8fa5f0054aa9c6981b1cbe30ef0e2a0ec9	2024-06-28
https://github.com/Cacti/cacti/commit/b43f13ae7f1e6bfe4e8e56a80a7cd867cf2db52b	2024-06-28

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cacti Search vendor "Cacti"		Cacti Search vendor "Cacti" for product "Cacti"				< 1.2.23 Search vendor "Cacti" for product "Cacti" and version " < 1.2.23"		-		Affected