Cacti Command Execution Vulnerability via Malformed SNMP OIDs

Vulnerability

A command execution vulnerability has been identified in Cacti versions through 1.2.8. The flaw lies in the multi-line SNMP result parser, which lets an authenticated user inject malformed Object Identifiers (OIDs) into an SNMP response. When 'ss_net_snmp_disk_io()' or 'ss_net_snmp_disk_bytes()' processes those results, a portion of each OID is used as a key in an array that is later incorporated into a system command, so unvalidated OID content reaches the shell and unauthorized commands can be executed on the server.

Impact

Exploitation of this vulnerability allows an authenticated user with device management permissions to execute arbitrary code on the server. This in turn exposes sensitive data to unauthorized access, where it could be stolen, modified, or deleted.

Reproduction

To reproduce this vulnerability, inject a malformed OID into an SNMP response by sending a crafted SNMP response that includes the malicious OID. When Cacti processes that response, the 'ss_net_snmp_disk_io()' or 'ss_net_snmp_disk_bytes()' function uses the injected OID as a key in an array that forms part of a system command, and the embedded command is executed. Successful reproduction can be verified by checking the command execution results.
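The root cause above is an SNMP result parser that trusts the OID column. The following is an added example, not Cacti's own code, of a strict parser for multi-line SNMP walk output that rejects any OID which is not a purely numeric dotted sequence, so no OID fragment can carry shell-significant characters into an array key or a command. The input format (".oid = TYPE: value", one result per line) and the sample rows are assumptions constructed for the example.

```php
<?php
// Added example (not Cacti's code): strict parsing of multi-line SNMP
// walk output. Assumed line format: ".1.3.6.1.2.1.25.2.3.1.3.1 = STRING: /dev/sda"

function parse_snmp_walk(string $raw): array {
    $results = [];
    foreach (preg_split('/\R/', trim($raw)) as $line) {
        // Split into OID and value at the first " = " only.
        $parts = explode(' = ', $line, 2);
        if (count($parts) !== 2) {
            continue; // not a result line; skip rather than guess
        }
        [$oid, $value] = $parts;
        // An OID is a dotted sequence of decimal integers and nothing else;
        // letters, spaces or shell metacharacters cause the row to be dropped.
        if (!preg_match('/^\.?(\d+\.)*\d+$/', $oid)) {
            trigger_error("rejected malformed OID: $oid", E_USER_WARNING);
            continue;
        }
        // The last arc is the table index. It is safe as an array key only
        // because the regex above has already proven it is numeric.
        $index = substr($oid, strrpos($oid, '.') + 1);
        $results[$index] = trim($value);
    }
    return $results;
}

// Constructed sample: two well-formed rows and one row whose OID has a
// non-numeric final arc, which a naive parser would accept as an index.
$sample = ".1.3.6.1.2.1.25.2.3.1.3.1 = STRING: /dev/sda\n"
        . ".1.3.6.1.2.1.25.2.3.1.3.2 = STRING: /dev/sdb\n"
        . ".1.3.6.1.2.1.25.2.3.1.3.abc = STRING: bogus\n";

$parsed = parse_snmp_walk($sample);
// Only the two numeric-indexed rows are kept; the malformed row is logged and dropped.
var_dump($parsed);
```

Any value that does still reach a command line should additionally be wrapped with escapeshellarg(), which this example leaves to the caller.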

Remediation

Users can upgrade to Cacti version 1.2.29 or later, where this vulnerability has been patched.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 3.1
exploitability: 6.1
remediation: 7.7
relevance: 0.0
threat: 7.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.