Share
## https://sploitus.com/exploit?id=37811D52-8F7B-51D9-A5E2-177844BFE373
# CVE-2022-46169
Exploit for CVE-2022-46169 Cacti versions before 1.2.3





Here  remote_client_authorized checks the clients hostname in poller table for entry
```php
function remote_client_authorized() {
   // ...
   $client_addr = get_client_addr();
   // ...
   $client_name = gethostbyaddr($client_addr);
   // ...
   $pollers = db_fetch_assoc('SELECT * FROM poller', true, $poller_db_cnn_id);
   foreach($pollers as $poller) {
      if (remote_agent_strip_domain($poller['hostname']) == $client_name) {
         return true;
      // ...
```
The get_client_addr function is used to get the client’s address which can be modified by attacker when determining the ip address. it uses the ip to resolve it to the corresponding hostname and checks if the poller table contains an entry with this hostname authorizing client. 

```php
<?php
// ...
function get_client_addr($client_addr = false) {
   $http_addr_headers = array(
       // ...
       'HTTP_X_FORWARDED',
       'HTTP_X_FORWARDED_FOR',
       'HTTP_X_CLUSTER_CLIENT_IP',
       'HTTP_FORWARDED_FOR',
       'HTTP_FORWARDED',
       'HTTP_CLIENT_IP',
       'REMOTE_ADDR',
   );

   $client_addr = false;
   foreach ($http_addr_headers as $header) {
      // ...
      $header_ips = explode(',', $_SERVER[$header]);
      foreach ($header_ips as $header_ip) {
         // ...
         $client_addr = $header_ip;
         break 2;
      }
   }
   return $client_addr;
}
```

so modifying request header allows as to byass auth

And here unsanitized user input is used to execute an external command

```php
// ... retrieve poller items from database ...

foreach($items as $item) {
   switch ($item['action']) {
   // ...
   case POLLER_ACTION_SCRIPT_PHP: /* script (php script server) */
      // ...
      $cactiphp = proc_open(read_config_option('path_php_binary') . ' -q ' . $config['base_path'] . '/script_server.php realtime ' . $poller_id, $cactides, $pipes);
```
# Fix
## auth bypass

configure which http headers should be used when determining the ip used of a client

## rec

since poller_id value needed as int validateing it before passing it to proc_open