Cacti 1.2.22 unauthenticated command injection

Description

This module exploits an unauthenticated command injection vulnerability in Cacti through 1.2.22 (CVE-2022-46169) in order to achieve unauthenticated remote code execution as the www-data user. The module first attempts to obtain the Cacti version to see if the target is affected. If LOCAL_DATA_ID and/or HOST_ID are not set, the module will try to bruteforce the missing value(s). If a valid combination is found, the module will use these to attempt exploitation. If LOCAL_DATA_ID and/or HOST_ID are both set, the module will immediately attempt exploitation. During exploitation, the module sends a GET request to /remote_agent.php with the action parameter set to polldata and the X-Forwarded-For header set to the provided value for X_FORWARDED_FOR_IP (by default 127.0.0.1). In addition, the poller_id parameter is set to the payload and the host_id and local_data_id parameters are set to the bruteforced or provided values. If X_FORWARDED_FOR_IP is set to an address that is resolvable to a hostname in the poller table, and the local_data_id and host_id values are vulnerable, the payload set for poller_id will be executed by the target. This module has been successfully tested against Cacti version 1.2.22 running on Ubuntu 21.10 (vulhub docker image)

Author(s)

• Stefan Schiller
• Steven Seeley
• Owen Gong
• Erik Wynter

Platform

Linux,Unix

Architectures

cmd, x86, x64