Unauthenticated RCE in Cacti has been found and registered as CVE-2022-46169.

Use the following configuration: Alias /cacti /opt/cacti

Enable the created site: sudo a2ensite cacti

sudo chown -R www-data:www-data /opt/cacti/ # this setting is necessary for some locales

Create a log file for Cacti and allow the Apache user (

sudo systemctl restart apache2

Visit the below URL to begin the installation of Cacti. After you log in it will ask you to change the password. If everything is correctly configured in the past steps, it should be easy from here: just 'next, next ... etc'.

In order to achieve the unauthenticated RCE you need to have real data and devices in Cacti. After we added the devices, we can now proceed to test the unauthenticated RCE.

The vulnerable endpoint is remote_agent.php; try to browse it. We get this error back, and it's important since we will use it later in the code review.

There are specific parameters that are passed after the endpoint. Basically, the poller_id parameter is the vulnerable parameter for command injection; however, you can't execute the command unless you guess the right numbers for the host_id and local_data_ids parameters, and we will see why in the static analysis.

To produce this vulnerability I used this tool: Before I start the tool, I enabled the proxy so I can intercept the traffic. Now we know what the request would look like.

Let's do some code review and see where the vulnerability is and why it's happening. Find the remote_agent.php file, which is the vulnerable endpoint file. The first piece of information we got from our dynamic analysis is the error message "FATAL: You are not authorized to use this service". Search for the remote_client_authorized() function in the remote_agent.php file.

The function determines whether a remote client is authorized to access a resource. The line global $poller_db_cnn_id brings the variable $poller_db_cnn_id into the function's scope. The line $client_addr = get_client_addr() calls a function get_client_addr which retrieves the IP address of the remote client. The line if ($client_addr = false) compares the hostname of each poller with the client address obtained in step 2. If they match, the remote client is authorized and the function returns true. If none of the conditions in steps 11 and 12 are met, a log message is written indicating an unauthorized remote agent access attempt, and the function returns false, indicating that the remote client is not authorized.

The most interesting part is steps 11 and 12, since they indicate that, in order to be authorized, the $client_name variable or the $client_addr variable has to match $poller. Here I started to study each function involved in the remote_client_authorized() function.

Search for get_client_addr in all files and it will be found in the functions.php file. function get_client_addr($client_addr = false): defines a function named get_client_addr that takes an optional argument $client_addr, which is set to false by default. The $http_addr_headers array declares the names of headers that may contain the client's IP address.
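The authorization logic described above is modelled here in Python as an added example; this is constructed illustration, not Cacti's code. The header names, the poller table and the trusted-proxy list are assumptions. It places a get_client_addr that trusts any address header beside a hardened variant that only honours forwarding headers from a known reverse proxy, and adds a detection helper for requests where an untrusted peer presents a poller address in such a header.

```python
# Constructed model of the remote-agent authorization check; not Cacti's own code.
import logging

# Assumed header names, in the spirit of the $http_addr_headers array.
HTTP_ADDR_HEADERS = ("HTTP_X_FORWARDED_FOR", "HTTP_X_REAL_IP", "HTTP_CLIENT_IP")

# Constructed poller table: the addresses the remote agent is meant to accept.
POLLERS = frozenset({"10.0.0.2", "poller2.example.internal"})


def client_addr_trusting_headers(server: dict) -> str:
    """Weak variant: any address-bearing request header wins over REMOTE_ADDR."""
    for name in HTTP_ADDR_HEADERS:
        if server.get(name):
            # X-Forwarded-For may carry a hop list; the first entry is the claimed client.
            return server[name].split(",")[0].strip()
    return server.get("REMOTE_ADDR", "")


def client_addr_hardened(server: dict, trusted_proxies: frozenset) -> str:
    """Hardened variant: forwarding headers count only when the TCP peer is a trusted proxy."""
    peer = server.get("REMOTE_ADDR", "")
    if peer not in trusted_proxies:
        return peer  # headers sent by an arbitrary peer are under that peer's control
    for name in HTTP_ADDR_HEADERS:
        if server.get(name):
            # The trusted proxy appends the address it actually saw, so take the right-most hop.
            return server[name].split(",")[-1].strip()
    return peer


def remote_client_authorized(client_addr: str, pollers: frozenset = POLLERS) -> bool:
    """Mirrors the page's description: authorized only if the address matches a poller."""
    return client_addr in pollers


def forged_poller_header(server: dict, trusted_proxies: frozenset,
                         pollers: frozenset = POLLERS) -> bool:
    """Detection: an untrusted, non-poller peer claiming a poller address via a header."""
    peer = server.get("REMOTE_ADDR", "")
    if peer in trusted_proxies or peer in pollers:
        return False
    claimed = [server[h] for h in HTTP_ADDR_HEADERS if server.get(h)]
    hit = any(hop.strip() in pollers for value in claimed for hop in value.split(","))
    if hit:
        logging.warning("poller address claimed via header from untrusted peer %s", peer)
    return hit
```

The weak variant authorizes a request whose only link to a poller is a header value, while the hardened variant keeps REMOTE_ADDR authoritative unless the peer is the configured proxy.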