Potential CVE-2022-46169 Exploitation Attempt

 1title: Potential CVE-2022-46169 Exploitation Attempt
 2id: 738cb115-881f-4df3-82cc-56ab02fc5192
 3status: test
 4description: Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169
 5references:
 6    - https://github.com/0xf4n9x/CVE-2022-46169
 7    - https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf
 8    - https://github.com/rapid7/metasploit-framework/pull/17407
 9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2022/12/27
11modified: 2023/01/02
12tags:
13    - attack.initial_access
14    - attack.t1190
15    - cve.2022.46169
16    - detection.emerging_threats
17logsource:
18    category: webserver
19detection:
20    selection:
21        # Check for the presence of the X-FORWARDED-FOR header pointing to the hostname of the server running Cacti (which indicate auth bypass)
22        # Check for previous requests indicating the bruteforce of the "local_data_ids" and "host_id"
23        cs-method: 'GET'
24        cs-uri-query|contains|all:
25            - '/remote_agent.php'
26            - 'action=polldata'
27            - 'poller_id='
28        cs-uri-query|contains:
29            # From https://github.com/rapid7/metasploit-framework/pull/17407/files#diff-972a47250ccd30b935a59e8871134956a15980df5b29f9d970414646704d5258R288
30            # Not tested could be shown in other format (update if you have more info)
31            - '| base64 -d | /bin/bash`'
32            - '%7C%20base64%20-d%20%7C%20%2Fbin%2Fbash%60' # URL encoded version
33            # Add more suspicious commands accordingly
34            - '`whoami'
35            - 'powershell'
36            - 'cmd'
37            - 'wget'
38    condition: selection
39falsepositives:
40    - Web vulnerability scanners
41level: high

References

• GitHub - 0xf4n9x/CVE-2022-46169: CVE-2022-46169 Cacti remote_agent.php Unauthenticated Command Injection.

  

  CVE-2022-46169 Cacti remote_agent.php Unauthenticated Command Injection. - 0xf4n9x/CVE-2022-46169

  
  Read More

• Unauthenticated Command Injection

  

  ### Summary A command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device. ...

  
  Read More

• Add cacti_unauthenticated_cmd_injection module and docs (CVE-2022-46169) by ErikWynter · Pull Request #17407 · rapid7/metasploit-framework

  

  About This change adds an exploit module and docs for an unauthenticated command injection vulnerability in Cacti through 1.2.22 (CVE-2022-46169). Vulnerable Application Cacti through 1.2.22 is aff...

  
  Read More

Related rules

• Apache Spark Shell Command Injection - Weblogs
• Atlassian Bitbucket Command Injection Via Archive API
• CVE-2021-41773 Exploitation Attempt
• CVE-2022-31656 VMware Workspace ONE Access Auth Bypass
• CVE-2022-31659 VMware Workspace ONE Access RCE