Skip to content

SQL Injection vulnerability when managing SNMP Notification Receivers

High
netniV published GHSA-w85f-7c4w-7594 Dec 20, 2023

Package

Cacti

Affected versions

1.2.25

Patched versions

None

Description

Summary

There is a Blind SQL Injection (SQLi) vulnerability within the SNMP Notification Receivers feature in the file ‘managers.php’.
An authenticated attacker with the “Settings/Utilities” permission can send a crafted HTTP GET request to the endpoint ‘/cacti/managers.php’ with an SQLi payload in the ‘selected_graphs_array’ HTTP GET parameter.

Details

The vulnerability occurs in the function ‘form_actions’ in the file ‘managers.php’.
image
Passing the ‘selected_items’ and ‘action_receivers’ HTTP parameters (1. and 2.) allows access to the dangerous statement (3.), which performs deserialization of the provided value.

The function ‘get_nfilter_request_var’ performs no sanitization, as shown by the description of the function from a comment above its definition, it “returns the value of the request variable deferring any filtering”. Similarly, ‘stripslashes’ simply removes any backslashes from the input that are escaping quotes, and so also does not perform meaningful sanitization.

The ‘cacti_unserialize’ function makes use of the ‘allowed_classes’ argument to remove any vectors for PHP Object Injection, but does not otherwise perform any sanitization on the deserialized value.
image
Passing a value in the parameter ‘selected_graphs_array’ that will deserialize allows entering the subsequent conditional block. Passing a value of 1,2, or 3 in the parameter ‘drp_action’ (4.) allows entering a block in which raw SQL queries are constructed, and subsequently executed on the database via ‘db_execute’. In each of these blocks SQLi is possible.

The array ‘$selected_items’ is imploded (joined) and then directly concatenated into the SQL query.

Therefore, to exploit this, an attacker could send a serialized array containing a string with a SQLi payload, which would be:

  • deserialized to an in-memory array,
  • joined into a single string,
  • concatenated into a raw SQL query,
  • executed on the database.

PoC

The vulnerability may be triggered by signing into a low privilege account that has the “Settings/Utilities” permission and making an HTTP GET request to the endpoint ‘/cacti/managers.php’. The screenshot below shows reproduction in BurpSuite.
Note that it is required there is at least 1 row in the affected tables for the injection to trigger. Testing data can be added through the user interface on the endpoint ‘/cacti/managers.php’.
image
A PoC script that uses the injection to demonstrate a legitimate attack via this vector can be provided to the Cacti maintainers upon request.

Impact

Using a time-based blind SQLi technique the attacker can disclose Cacti database contents, and depending on database configuration, may be able to achieve further impacts such as arbitrary file read, or even potentially remote code execution via arbitrary file write.

Credit

Credit for discover goes to Synopsys CyRC researcher Matthew Hogg

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID

CVE-2023-51448

Weaknesses

Credits