module
Cacti 1.2.22 unauthenticated command injection
Disclosed | Created |
---|---|
12/05/2022 | 01/24/2023 |
Description
This module exploits an unauthenticated command injection
vulnerability in Cacti through 1.2.22 (CVE-2022-46169) in
order to achieve unauthenticated remote code execution as the
www-data user.
The module first attempts to obtain the Cacti version to see
if the target is affected. If LOCAL_DATA_ID and/or HOST_ID
are not set, the module will try to bruteforce the missing
value(s). If a valid combination is found, the module will
use these to attempt exploitation. If both LOCAL_DATA_ID and
HOST_ID are set, the module will immediately attempt
exploitation.
During exploitation, the module sends a GET request to
/remote_agent.php with the action parameter set to polldata
and the X-Forwarded-For header set to the provided value for
X_FORWARDED_FOR_IP (by default 127.0.0.1). In addition, the
poller_id parameter is set to the payload and the host_id
and local_data_id parameters are set to the bruteforced or
provided values. If X_FORWARDED_FOR_IP is set to an address
that is resolvable to a hostname in the poller table, and the
local_data_id and host_id values are vulnerable, the payload
set for poller_id will be executed by the target.
This module has been successfully tested against Cacti
version 1.2.22 running on Ubuntu 21.10 (vulhub docker image).
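For defenders, the request shape described above can be hunted for in web server access logs. The following is an added example, not part of the module or of Cacti: it flags polldata requests to remote_agent.php whose poller_id is not a plain integer. It assumes combined log format and that legitimate poller_id values are numeric; the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not from a real system).
SAMPLE_LOG = """\
192.0.2.10 - - [05/Dec/2022:10:00:01 +0000] "GET /remote_agent.php?action=polldata&local_data_id=6&host_id=1&poller_id=1 HTTP/1.1" 200 54 "-" "-"
198.51.100.7 - - [05/Dec/2022:10:00:05 +0000] "GET /remote_agent.php?action=polldata&local_data_id=6&host_id=1&poller_id=PLACEHOLDER%20NON%20NUMERIC HTTP/1.1" 200 54 "-" "-"
198.51.100.7 - - [05/Dec/2022:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "-"
198.51.100.7 - - [05/Dec/2022:10:00:07 +0000] "GET /cacti/remote_agent.php?host_id=2&action=polldata&local_data_id=3 HTTP/1.1" 200 54 "-" "-"
"""

# client IP, method and request target from a combined-format line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')


def suspicious_polldata(line):
    """Return (client_ip, decoded_poller_id) when the line is a polldata
    request whose poller_id is not a plain integer, otherwise None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, _method, target = m.groups()
    url = urlsplit(target)
    # Cacti may be served from a sub-path, so match on the script name.
    if not url.path.endswith("/remote_agent.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # URL-decodes values
    if "polldata" not in params.get("action", []):
        return None
    for value in params.get("poller_id", []):
        # Assumption: a legitimate poller_id is a decimal integer.
        if not re.fullmatch(r"[0-9]+", value):
            return client, value
    return None


def scan(log_text):
    """Collect every suspicious polldata request found in the log text."""
    hits = []
    for line in log_text.splitlines():
        hit = suspicious_polldata(line)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"{client} sent non-numeric poller_id: {value!r}")
```

The X-Forwarded-For header is not recorded by the combined log format, so this check keys on poller_id alone; logging that header for remote_agent.php requests gives a second signal.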
Authors
Stefan Schiller, Steven Seeley, Owen Gong, Erik Wynter
Platform
Linux, Unix
Architectures
cmd, x86, x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
```
msf > use exploit/linux/http/cacti_unauthenticated_cmd_injection
msf /(n) > show actions
...actions...
msf /(n) > set ACTION < action-name >
msf /(n) > show options
...show and set options...
msf /(n) > run
```
