Rapid7 Vulnerability & Exploit Database

Cacti 1.2.22 unauthenticated command injection

Disclosed: 12/05/2022
Created: 01/24/2023

Description

This module exploits an unauthenticated command injection vulnerability in Cacti through 1.2.22 (CVE-2022-46169) in order to achieve unauthenticated remote code execution as the www-data user.

The module first attempts to obtain the Cacti version to see if the target is affected. If LOCAL_DATA_ID and/or HOST_ID are not set, the module will try to brute-force the missing value(s). If a valid combination is found, the module will use these to attempt exploitation. If LOCAL_DATA_ID and HOST_ID are both set, the module will immediately attempt exploitation.

During exploitation, the module sends a GET request to /remote_agent.php with the action parameter set to polldata and the X-Forwarded-For header set to the provided value for X_FORWARDED_FOR_IP (by default 127.0.0.1). In addition, the poller_id parameter is set to the payload and the host_id and local_data_id parameters are set to the brute-forced or provided values. If X_FORWARDED_FOR_IP is set to an address that is resolvable to a hostname in the poller table, and the local_data_id and host_id values are vulnerable, the payload set for poller_id will be executed by the target.

This module has been successfully tested against Cacti version 1.2.22 running on Ubuntu 21.10 (vulhub docker image).
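For defenders, the request pattern described above can be searched for in web server access logs. The following is an added example, not code from the Metasploit module or from Rapid7: it assumes a common/combined log format, assumes that a legitimate poller_id is a plain decimal integer, and uses a constructed threshold and constructed sample lines.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Request portion of a common/combined-format access log line (assumed format).
REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
NUMERIC = re.compile(r"[0-9]+")
ENUM_THRESHOLD = 3  # constructed value: distinct id pairs per client before flagging

def parse_polldata(line):
    """Return (client, params) for a remote_agent.php polldata request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/remote_agent.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # also percent-decodes values
    if "polldata" not in params.get("action", []):
        return None
    return m.group("client"), params

def scan(lines):
    """Return a sorted list of (client, reason) findings."""
    findings, pairs = set(), defaultdict(set)
    for line in lines:
        parsed = parse_polldata(line)
        if parsed is None:
            continue
        client, params = parsed
        # Assumption: a legitimate poller_id is a plain decimal integer.
        if any(not NUMERIC.fullmatch(v) for v in params.get("poller_id", [])):
            findings.add((client, "non-numeric poller_id"))
        pairs[client].add((tuple(params.get("host_id", [])),
                           tuple(params.get("local_data_id", []))))
    for client, seen in pairs.items():
        if len(seen) >= ENUM_THRESHOLD:  # many id combinations tried by one client
            findings.add((client, "host_id/local_data_id enumeration"))
    return sorted(findings)

# Constructed sample log lines (documentation addresses, not real traffic).
QUERY = "/remote_agent.php?action=polldata&local_data_id=%s&host_id=1&poller_id=%s"
LINE_FMT = '%s - - [05/Dec/2022:10:00:00 +0000] "GET %s HTTP/1.1" 200 2'
SAMPLE = [
    LINE_FMT % ("192.0.2.10", "/cacti" + QUERY % (6, 1)),
    LINE_FMT % ("198.51.100.7", QUERY % (1, 1)),
    LINE_FMT % ("198.51.100.7", QUERY % (2, 1)),
    LINE_FMT % ("198.51.100.7", QUERY % (3, "%3Bplaceholder")),
    LINE_FMT % ("203.0.113.5", "/index.php"),
]
```

The X-Forwarded-For header is not recorded by a default access log format, so matching on it requires a custom log format or a reverse proxy that logs request headers.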

Author(s)

  • Stefan Schiller
  • Steven Seeley
  • Owen Gong
  • Erik Wynter

Platform

Linux,Unix

Architectures

cmd, x86, x64

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/linux/http/cacti_unauthenticated_cmd_injection
msf exploit(cacti_unauthenticated_cmd_injection) > show targets
    ...targets...
msf exploit(cacti_unauthenticated_cmd_injection) > set TARGET < target-id >
msf exploit(cacti_unauthenticated_cmd_injection) > show options
    ...show and set options...
msf exploit(cacti_unauthenticated_cmd_injection) > exploit
