CVE-2022-46169
Description
Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device. The vulnerability resides in the remote_agent.php
file. This file can be accessed without authentication. This function retrieves the IP address of the client via get_client_addr
and resolves this IP address to the corresponding hostname via gethostbyaddr
. After this, it is verified that an entry within the poller
table exists, where the hostname corresponds to the resolved hostname. If such an entry was found, the function returns true
and the client is authorized. This authorization can be bypassed due to the implementation of the get_client_addr
function. The function is defined in the file lib/functions.php
and checks serval $_SERVER
variables to determine the IP address of the client. The variables beginning with HTTP_
can be arbitrarily set by an attacker. Since there is a default entry in the poller
table with the hostname of the server running Cacti, an attacker can bypass the authentication e.g. by providing the header Forwarded-For: \<TARGETIP\>
. This way the function get_client_addr
returns the IP address of the server running Cacti. The following call to gethostbyaddr
will resolve this IP address to the hostname of the server, which will pass the poller
hostname check because of the default entry. After the authorization of the remote_agent.php
file is bypassed, an attacker can trigger different actions. One of these actions is called polldata
. The called function poll_for_data
retrieves a few request parameters and loads the corresponding poller_item
entries from the database. If the action
of a poller_item
equals POLLER_ACTION_SCRIPT_PHP
, the function proc_open
is used to execute a PHP script. The attacker-controlled parameter $poller_id
is retrieved via the function get_nfilter_request_var
, which allows arbitrary strings. This variable is later inserted into the string passed to proc_open
, which leads to a command injection vulnerability. By e.g. providing the poller_id\=;id
the id
command is executed. In order to reach the vulnerable call, the attacker must provide a host_id
and local_data_id
, where the action
of the corresponding poller_item
is set to POLLER_ACTION_SCRIPT_PHP
. Both of these ids (host_id
and local_data_id
) can easily be bruteforced. The only requirement is that a poller_item
with an POLLER_ACTION_SCRIPT_PHP
action exists. This is very likely on a productive instance because this action is added by some predefined templates like Device - Uptime
or Device - Polling Time
.
This command injection vulnerability allows an unauthenticated user to execute arbitrary commands if a poller_item
with the action
type POLLER_ACTION_SCRIPT_PHP
(2
) is configured. The authorization bypass should be prevented by not allowing an attacker to make get_client_addr
(file lib/functions.php
) return an arbitrary IP address. This could be done by not honoring the HTTP_...
$_SERVER
variables. If these should be kept for compatibility reasons it should at least be prevented to fake the IP address of the server running Cacti. This vulnerability has been addressed in both the 1.2.x and 1.3.x release branches with 1.2.23
being the first release containing the patch.
Severity: CRITICAL
CVE ID: CVE-2022-46169
CVSS Score: 9.8
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Proof Of Concept
Nuclei Templates for CVE-2022-46169
Refrence: Project Discovery GitHub
imjdl
CVE-2022-46169
Refrence: GitHub
0xf4n9x
CVE-2022-46169 Cacti remote_agent.php Unauthenticated Command Injection.
Refrence: GitHub
taythebot
CVE-2022-46169 - Cacti Blind Remote Code Execution (Pre-Auth)
Refrence: GitHub
Inplex-sys
Cacti Unauthenticated Command Injection
Refrence: GitHub
sAsPeCt488
PoC for CVE-2022-46169 - Unauthenticated RCE on Cacti <= 1.2.22
Refrence: GitHub
botfather0x0
Exploit to CVE-2022-46169 vulnerability
Refrence: GitHub
Habib0x0
Cacti: Unauthenticated Remote Code Execution Exploit in Ruby
Refrence: GitHub
N1arut
RCE POC for CVE-2022-46169
Refrence: GitHub
miko550
Refrence: GitHub
ariyaadinatha
This is poc of CVE-2022-46169 authentication bypass and remote code execution
Refrence: GitHub
doosec101
Repo for CVE-2022-46169
Refrence: GitHub
m3ssap0
WARNING: This is a vulnerable application to test the exploit for the Cacti command injection (CVE-2022-46169). Run it at your own risk!
Refrence: GitHub
devAL3X
Refrence: GitHub
JacobEbben
Unauthenticated Remote Code Execution through authentication bypass and command injection in Cacti < 1.2.23 and < 1.3.0
Refrence: GitHub
icebreack
Fixed exploit for CVE-2022-46169 (originally from https://www.exploit-db.com/exploits/51166)
Refrence: GitHub
devilgothies
PoC for CVE-2022-46169 that affects Cacti 1.2.22 version
Refrence: GitHub
yassinebk
CVE-2022-46169
Refrence: GitHub
ruycr4ft
Exploit for cacti version 1.2.22
Refrence: GitHub
FredBrave
This is a exploit of CVE-2022-46169 to cacti 1.2.22. This exploit allows through an RCE to obtain a reverse shell on your computer.
Refrence: GitHub
sha-16
Este es un código del exploit CVE-2022-46169, que recree utilizando Python3! Si por ahí estás haciendo una máquina de HTB, esto te puede ser útil... 🤞✨
Refrence: GitHub
Safarchand
Improved PoC for Unauthenticated RCE on Cacti <= 1.2.22 - CVE-2022-46169
Refrence: GitHub
MarkStrendin
Proof of concept / CTF script for exploiting CVE-2022-46169 in Cacti, versions >=1.2.22
Refrence: GitHub
BKreisel
🐍 Python Exploit for CVE-2022-46169
Refrence: GitHub
Rickster5555
A simple PoC for CVE-2022-46169 a.k.a Cacti Unauthenticated Command Injection, a vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti prior from version 1.2.17 to 1.2.22
Refrence: GitHub
antisecc
Refrence: GitHub
dawnl3ss
Unauthenticated Command Injection in Cacti <= 1.2.22
Refrence: GitHub
a1665454764
CVE-2022-46169
Refrence: GitHub
0xZon
Refrence: GitHub
copyleftdev
An advanced RCE tool tailored for exploiting a vulnerability in Cacti v1.2.22. Crafted with precision, this utility aids security researchers in analyzing and understanding the depth of the CVE-2022-46169 flaw. Use responsibly and ethically.
Refrence: GitHub
0xN7y
Exploit for CVE-2022-46169
Refrence: GitHub
mind2hex
Refrence: GitHub