CVE-2022-46169 PoC — Cacti Command Injection Vulnerability

Source
Associated Vulnerability
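Title: Cacti Command Injection Vulnerability (CVE-2022-46169)
Description: Cacti is an open-source network traffic monitoring and analysis tool from the Cacti team. It uses snmpget to collect data, draws graphs with RRDtool for analysis, and provides data and user management functions. Cacti v1.2.22 has a command injection vulnerability. It stems from an unauthenticated command injection and allows an unauthenticated user to execute arbitrary code on the server running Cacti.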
Description
A simple PoC for CVE-2022-46169, a.k.a. Cacti Unauthenticated Command Injection, a vulnerability that allows an unauthenticated user to execute arbitrary code on a server running Cacti from version 1.2.17 to 1.2.22.
Readme
# Cacti Unauthenticated Command Injection (CVE-2022-46169)
This is a simple PoC adaptation of the Vulhub Cacti scenario. You can check it out [here](https://github.com/vulhub/vulhub/tree/master/cacti/CVE-2022-46169).

Cacti is a robust and extensible operational monitoring and fault management framework for users around the world. A command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti from version 1.2.17 to 1.2.22, if a specific data source was selected for any monitored device.

References:

- <https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf>
- <https://mp.weixin.qq.com/s/6crwl8ggMkiHdeTtTApv3A>
- <https://nvd.nist.gov/vuln/detail/CVE-2022-46169>

## Vulnerability Environment

Execute the following commands to start a Cacti 1.2.22 server:

```bash
# Compile environment
docker compose build

# Run environment
docker compose up -d
```

After the server is started, you will see the login page at `http://localhost:8080`.

Then log in as admin/admin and follow the instructions to initialize the application. In practice, just keep clicking the "Next" button until you see the success page.


Before you can exploit this vulnerability, you have to add a new "Graph", because the command injection does not occur in the default graph type:

![](2.png)

Select the graph type "Device - Uptime", and click the "Create" button:

![](3.png)
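For defenders, the two conditions this README gives (a version from 1.2.17 to 1.2.22, and a "Device - Uptime" graph on some device) can be turned into a patch-priority triage over an asset inventory. The script below is an added example, not part of this PoC repository; the inventory field names, host names, and status labels are hypothetical, and other graph types not named on this page may also satisfy the precondition.

```python
import re

# Affected range and graph type exactly as stated in this README.
AFFECTED_MIN = (1, 2, 17)
AFFECTED_MAX = (1, 2, 22)
PRECONDITION_GRAPH = "Device - Uptime"

# Constructed sample inventory; hosts and field names are hypothetical.
SAMPLE_INVENTORY = [
    {"host": "cacti-lab", "version": "1.2.22", "graphs": ["Device - Uptime"]},
    {"host": "cacti-old", "version": "1.2.19", "graphs": ["Unix - Load Average"]},
    {"host": "cacti-new", "version": "1.2.23", "graphs": ["Device - Uptime"]},
    {"host": "cacti-odd", "version": "unknown-build", "graphs": []},
]


def parse_version(text):
    """Return (major, minor, patch), or None if there is no x.y.z prefix."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def triage(record):
    """Classify one inventory record against the README's two conditions."""
    version = parse_version(record.get("version"))
    if version is None:
        return "unknown-version"            # cannot be ruled out; check by hand
    if not (AFFECTED_MIN <= version <= AFFECTED_MAX):
        return "outside-range"
    graphs = {g.strip().lower() for g in record.get("graphs", [])}
    if PRECONDITION_GRAPH.lower() in graphs:
        return "affected-precondition-met"  # upgrade these first
    return "affected-version"               # still needs the upgrade


def triage_inventory(inventory):
    """Map each host name to its triage status."""
    return {rec["host"]: triage(rec) for rec in inventory}


if __name__ == "__main__":
    order = ["affected-precondition-met", "affected-version",
             "unknown-version", "outside-range"]
    results = triage_inventory(SAMPLE_INVENTORY)
    for host in sorted(results, key=lambda h: order.index(results[h])):
        print(f"{host:10} {results[host]}")
```

A host in the affected range without the graph is still reported as `affected-version`, since adding such a graph later is an ordinary administrative action.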

## Exploit

After completing the above initialization, you switch to the attacker's role. Use the script as shown to send a request to the Cacti server and trigger the command injection:

![](1.png)

Although the response contains no command output, you can see that `/tmp/test.txt` has been created successfully.

![](5.png)
File Snapshot

```
[4.0K] /data/pocs/29cacf46ce1d02ea10f6267381d66296db99f984
├── [114K] 1.png
├── [ 22K] 2.png
├── [ 46K] 3.png
├── [ 77K] 4.png
├── [384K] 5.png
├── [1.5K] cacti-CI-poc.py
├── [ 348] docker-compose.yml
├── [ 648] entrypoint.sh
└── [1.7K] README.md

0 directories, 9 files
```