This week we start with a Remote Code Execution (RCE) vulnerability that has potential to be a real pain for sysadmins. Cacti, the system monitoring and graphing solution, has a pair of bugs that chain together to allow an attacker with unauthenticated access to the HTTP/S port to trivially execute bash commands. The first half of this attack is an authentication bypass, and it’s embarrassingly trivial. The Cacti authentication code trusts the Forwarded-For:
header in the request. Set it to the server’s IP, and the authentication code treats it like a localhost request, bypassing any real authentication process.
The second half is found in the remote_agent.php
endpoint, where the poller_id
is set by the user and treated as a string. Then, if the right host_id
and local_data_id
item is triggered, that string is concatenated into a proc_open()
function call. The string isn’t sanitized, so it’s trivial enough to include a second command to run, dropping a webshell, for instance.
Version 1.2.23 of Cacti contains the fix, and released on the 2nd. This one is likely to be exploited, and if automated exploitation hasn’t started already, it likely will soon. So if you have a Cacti install, go double-check that the interface isn’t exposed to the world.
JSON Web Token
Researchers at Unit 42 found an exploit that can be used to achieve an RCE in the JsonWebToken project. The issue is this library’s verify()
function, which takes arguments of the token to check, the key to use, and options. If there aren’t any algorithms specified in the options object, then the key is processed as a PEM string. The toString()
method of that key is called during the actual check, and the assumption is that it’s either a string or buffer. But what if the key passed in to the verify()
function was actually a complex object, bringing it’s own toString()
method along to play. At that point, we have arbitrary code execution. And if this code is running on the server-side under node.js
, that means a popped server.
But wait, it’s not that simple, right? It’s not like a valid JWT can contain an arbitrary object — that would be a problem all on its own. So CVE-2022-23529 is a stepping-stone. It’s insecure code, but the rest of the application has to have another vulnerability for this one to be reachable. Continue reading “This Week In Security: Cacti RCE, VMs In The Browser, And SugarCRM”