RCE vulnerability can be executed via Log Poisoning

High
netniV published GHSA-gxq4-mv8h-6qj4 Oct 7, 2024

Package

No package listed

Affected versions

1.2.27

Patched versions

1.2.28

Description

Summary

An admin user can create a device whose hostname contains PHP code, then re-run step 5 of the installer (only step 5 is needed; the steps before and after it can be skipped) to point the Cacti log path at a PHP file that the web server serves. Once the malicious hostname has been written to that file (log poisoning), requesting the file's URL makes PHP execute the embedded code, giving remote code execution as the web server user.

Details

The admin user first creates a device whose hostname is the PHP payload.

The log level can be any of DEVEL, DEBUG, HIGH, MEDIUM or LOW, and the log destination must include the log file (either "Logfile only" or "Logfile and Syslog/Eventlog"); otherwise the hostname is never written to the file being poisoned.

The admin can then re-run step 5 of the installer directly by requesting the URL below. In step 5, the Cacti Log Path field accepts the PHP file below as the new log file.

URL: http://cacti_ip/cacti/install/install.php?data={"Step":"5","Eula":true}

File: /var/www/html/cacti/scripts/ss_host_cpu.php

NOTE: The application's settings page also lets admin users change the Cacti Log Path, but it rejects files with a .php extension. The installer's field performs no such check, and that inconsistency is what this chain relies on.

Warning: Do not forget to back up the PHP file, as it will be overwritten.
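
The settings page rejects a .php extension while the installer accepts anything, so the fix is one validation shared by every code path that can set the log path. The following is an added example, not Cacti's own code and not taken from the advisory, of what that validation should do: confine the log file to a log directory (assumed here to be /var/www/html/cacti/log; the real installation directory may differ), normalize `..` components before checking so the confinement cannot be escaped, refuse dotfiles such as .htaccess, and reject any dotted segment of the file name that a typical Apache/PHP handler configuration would execute, which also catches names like poison.php.log. The function and constant names are the example's own.

```python
import posixpath

# Extensions an Apache/PHP deployment typically hands to the PHP engine
# (assumed defaults; extend to match the server's handler configuration).
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "php8",
                         "phtml", "phar", "phps"}

# Directory log files are confined to. Assumed for this example; the real
# Cacti installation directory may differ.
DEFAULT_LOG_DIR = "/var/www/html/cacti/log"


def validate_log_path(candidate, log_dir=DEFAULT_LOG_DIR):
    """Return the normalized path if `candidate` may be used as the log file,
    otherwise raise ValueError with the reason. Normalizes before checking so
    "log/../scripts/x.php" cannot escape the confinement by way of '..'."""
    if not isinstance(candidate, str) or not candidate:
        raise ValueError("log path is empty")
    if "\x00" in candidate:
        raise ValueError("log path contains a NUL byte")
    if not posixpath.isabs(candidate):
        raise ValueError("log path must be absolute")

    normalized = posixpath.normpath(candidate)
    base = posixpath.normpath(log_dir)

    # Confinement: the normalized path must lie strictly inside log_dir.
    # commonpath() compares path components, so "/cacti/log2" is not treated
    # as being inside "/cacti/log" the way a string-prefix test would.
    if normalized == base or posixpath.commonpath([base, normalized]) != base:
        raise ValueError(f"log path must be inside {base}")

    filename = posixpath.basename(normalized)
    if filename.startswith("."):
        # A dotfile such as .htaccess would let the attacker change how the
        # directory is served instead of merely appending log text to it.
        raise ValueError("log file name must not start with a dot")

    # Check every dotted segment, not just the last one: with AddHandler-style
    # rules "poison.php.log" is still executed as PHP.
    segments = filename.lower().split(".")[1:]
    if any(segment in EXECUTABLE_EXTENSIONS for segment in segments):
        raise ValueError("log path must not use a server-executable extension")

    return normalized


def check_candidates(candidates, log_dir=DEFAULT_LOG_DIR):
    """Map each candidate path to (accepted, reason) so the outcome of the
    check can be reported or asserted on."""
    results = {}
    for candidate in candidates:
        try:
            results[candidate] = (True, validate_log_path(candidate, log_dir))
        except ValueError as err:
            results[candidate] = (False, str(err))
    return results


if __name__ == "__main__":
    # The advisory's target file, the default log, and a few bypass attempts.
    for path, (accepted, reason) in check_candidates([
        "/var/www/html/cacti/log/cacti.log",
        "/var/www/html/cacti/scripts/ss_host_cpu.php",
        "/var/www/html/cacti/log/../scripts/ss_cpoller.php",
        "/var/www/html/cacti/log/poison.PHP",
        "/var/www/html/cacti/log/poison.php.log",
        "/var/www/html/cacti/log/.htaccess",
        "log/cacti.log",
    ]).items():
        print(("ACCEPT " if accepted else "REJECT ") + path + ": " + reason)
```

Confinement to the log directory is the check that matters most here: the advisory's target files all have a .php extension, but any writable file the web server will interpret is equally usable, so an extension denylist on its own only narrows the attack surface.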

The www-data OS user that runs the web application has read/write/execute permissions on the file above and on the files listed below; any of them can serve as the log file to be poisoned.

/var/www/html/cacti/scripts/ss_webseer.php
/var/www/html/cacti/scripts/ss_host_cpu.php
/var/www/html/cacti/scripts/ss_gexport.php
/var/www/html/cacti/scripts/ss_hstats.php
/var/www/html/cacti/scripts/ss_host_disk.php
/var/www/html/cacti/scripts/ss_cpoller.php

Note that a new file name can also be entered as the Cacti Log Path; the application creates the file.

After step 5 of the installer completes (again, the other steps are not required), the Logs tab in the web UI shows the new file as the log file path.

Moreover, the logs must be purged to remove the installation-related entries, which otherwise break the RCE step for a reason the advisory does not identify.

After purging the logs, the admin user opens the Devices page (under Management) and clicks the malicious device's description, which writes the device's hostname, and with it the PHP payload, to the log file.

Finally, requesting the following URL executes the id command (or any other command passed in cmd2):

URL: http://cacti_ip/cacti/scripts/ss_host_cpu.php?cmd2=id

PoC

Warning: Do not forget to back up the PHP file, as it will be overwritten.

  • Create a device with a malicious hostname as described in the Details section.
  • Change the log destination and log level if needed as described in the Details section.
  • Re-run the installer to set the PHP file path as the Cacti log path as described in the Details section.
  • Purge the logs as described in the Details section.
  • Poison the logs by visiting the malicious device's details as described in the Details section.
  • Finally, visit the log file URL with cmd2= in the query string as described in the Details section.
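
The PoC above is a manual procedure; what a defender wants after reading it is a way to tell whether an instance has already been used this way. The following is an added example (not Cacti's own code and not from the advisory) of two checks in Python: scanning the configured log file for PHP opening tags, and screening device hostnames (for example, exported from Cacti's host table; the table and column names are an assumption) against a conservative allowlist of hostname characters. The log lines and payload hostnames are constructed for the example and only approximate Cacti's log layout; cmd2 mirrors the parameter used in the PoC.

```python
import re

# PHP opening tags: "<?php", the short echo tag "<?=", in any case. A bare
# "<?" followed by whitespace is only live when short_open_tag is enabled,
# but it is flagged too because it has no business in a log line either way.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=|\s)", re.IGNORECASE)

# Conservative allowlist for a device hostname field: DNS names, IPv4 and
# IPv6 literals, optional brackets. Assumed for this example; widen it if a
# deployment legitimately uses other characters in hostnames.
HOSTNAME_OK = re.compile(r"[A-Za-z0-9._:\[\]-]{1,253}")

# Constructed sample approximating Cacti's "<date> - <source> <message>" log
# layout; these lines are not copied from a real instance. Line 3 carries the
# kind of hostname the advisory describes, line 4 a short-echo variant.
SAMPLE_LOG = """\
2024/10/07 10:00:01 - POLLER: Poller[1] NOTE: Poller Int: 300, Time: 0.1234
2024/10/07 10:00:02 - WEBUI NOTE: Device[3] Hostname[router-1.example.net] viewed
2024/10/07 10:00:03 - WEBUI NOTE: Device[7] Hostname[<?php system($_GET['cmd2']); ?>] viewed
2024/10/07 10:00:04 - WEBUI NOTE: Device[8] Hostname[<?= shell_exec($_GET['cmd2']) ?>] viewed
"""


def scan_log_for_php(lines):
    """Return (line_number, matched_tag, line) for each line containing a PHP
    opening tag. Line numbers are 1-based so they can be quoted directly."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = PHP_OPEN_TAG.search(line)
        if match:
            hits.append((number, match.group(0), line.rstrip("\n")))
    return hits


def suspicious_hostnames(hostnames):
    """Return the entries that cannot be a hostname or IP literal at all
    (anything with spaces, quotes, '<', '$', '(' and the like)."""
    return [h for h in hostnames if not HOSTNAME_OK.fullmatch(h)]


def scan_file_for_php(path):
    """Scan a file on disk, e.g. the configured log path or one of the
    scripts/ss_*.php files listed above. Read as latin-1 so arbitrary bytes
    in a log cannot abort the scan with a decode error."""
    with open(path, encoding="latin-1") as handle:
        return scan_log_for_php(handle)


if __name__ == "__main__":
    for number, tag, line in scan_log_for_php(SAMPLE_LOG.splitlines()):
        print(f"line {number}: PHP tag {tag!r}: {line}")
    # Constructed hostnames standing in for an export of the host table.
    for host in suspicious_hostnames(["router-1.example.net", "192.0.2.10",
                                      "[2001:db8::1]",
                                      "<?php system($_GET['cmd2']); ?>"]):
        print(f"suspicious hostname: {host!r}")
```

Run the file scan over the scripts/ss_*.php files listed in the Details section as well as the current log path: a poisoned file keeps executing its payload after the log path is changed back, and comparing those files against the shipped release files will show any appended log text.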

Impact

Remote code execution on the Cacti host as the web server user (www-data in the reporter's setup), available to any authenticated admin user.

Severity

High

CVSS overall score

7.2 / 10 (CVSS 3.1 base score computed from the vector below)

CVSS v3 base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE ID

CVE-2024-43363

Weaknesses

No CWEs

Credits