Immunity Canvas: CVE_2014_5261


**Name**| CVE_2014_5261
---|---
**CVE**| CVE-2014-5261
**Exploit Pack**| [CANVAS](<http://www.immunityinc.com/products-canvas.shtml>)
**Description**| CVE-2014-5261
**Notes**| CVE Name: CVE-2014-5261<br>VENDOR: The Cacti Group<br>Changelog: http://svn.cacti.net/viewvc?view=rev&revision=7454<br>Notes: This is a post-authentication command injection vulnerability in Cacti 0.8.8b; valid credentials with permission to update the 'Global Settings' are required for this module to execute successfully. This CMDi is blind, so you will not see the results of your commands. This exploit modifies a graph setting in order to achieve command execution. To do this we first fetch the settings so we can later restore them, modify the value to achieve command execution, then set the settings back. The 'title_font' value of the settings table in the Cacti MySQL database is temporarily modified. While the exploit is running, graphs may fail to render and errors may be generated server side; normal run time for this exploit is ~30s. Because the payload is sent into a database we have to deal with encoding, which limits the ability to use quotes. Note: the automatic shell startup option will only work when the Cacti host is Linux; the option to supply a command should be universal.<br>Repeatability: Infinite<br>References: http://seclists.org/oss-sec/2014/q3/351<br>CVE Url: https://security-tracker.debian.org/tracker/CVE-2014-5261<br>CERT Advisory: None<br>Date public: 08/12/14