Add module for LibreNMS CVE-2019-10669 #12189
Did you have any luck with the auth bypass?
I had luck with the actual graphing page not requiring auth, but the exploit needs a valid collectd plugin in order to work. Checking for collectd and a valid plugin required auth.
You can also take a look at #9213 :P
Tried out that method and had no luck with it.
Merge branch 'land-12189' into upstream-master
Release Notes
This adds a new module for exploiting an injection vulnerability in LibreNMS Collectd graphing functionality for versions of LibreNMS prior to v1.50.1.
A command injection vulnerability exists in LibreNMS versions prior to `v1.50.1`.
The injection vulnerability affects the Collectd graphing functionality. Specifically, the `to` and `from` parameters used in the range for graphing are sanitized with the `mysqli_escape_real_string()` which ignores certain characters, including backticks. These improperly sanitized parameters are then used in a shell command that gets executed via the `passthru()` function.
This module has been tested on LibreNMS `v1.46` and `v1.50`.
Resolves #12100
Verification
use exploit/linux/http/librenms_collectd_cmd_inject
set RHOSTS <ip>
set USERNAME <user>
set PASSWORD <pass>
run
Vulnerable Setup
A vulnerable version of LibreNMS (v1.50) in the form of an OVA can be downloaded here.
Login credentials can be found on the official LibreNMS site.
Collectd will need to be set up with LibreNMS for this exploit to work. These instructions are for the Ubuntu OVA.
sudo apt-get install collectd
Open the Collectd config file `/etc/collectd/collectd.conf` and uncomment the global options for the `Hostname` and `BaseDir`.
Next, uncomment the lines for the cpu plugin.
The plugin should look similar to this:
Next, find the `rrdtool` plugin and ensure it looks like this:
Save and exit
Now open `/etc/collectd/collectd.conf.d/rrdtool.conf` and add
Save and exit, then restart the Collectd service:
sudo systemctl restart collectd
Lastly, add these two lines to the LibreNMS config file, `/opt/librenms/config.php`:
Now save and exit.
You can verify that Collectd is set up with LibreNMS by viewing the `localhost` device in LibreNMS and noting that there should be a Collectd tab on the device's main page. Additional configuration information can be found here.
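
The root cause described in the pull request above is SQL-style escaping applied to values that end up in a shell command. The following PHP is an added example, not LibreNMS or Metasploit code: it shows that such escaping leaves backticks in place, next to a builder that allowlists the range values and never hands them to a shell. The function names, the accepted time formats and the `.rrd` path are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not LibreNMS code. Function names, the accepted time
// formats and the .rrd path below are assumptions made for illustration.

// Characters that SQL string escaping rewrites; no shell metacharacter is among them.
const SQL_ESCAPED = "\0\n\r\\'\"\x1a";

// Stand-in for SQL escaping so the demonstration needs no database connection.
function sqlStyleEscape(string $value): string
{
    return addcslashes($value, SQL_ESCAPED);
}

// Allowlist for a graph range bound: epoch seconds, "now", or "-<n><unit>".
function parseGraphTime(string $value): ?string
{
    if (preg_match('/\A(?:\d{1,10}|now|-\d{1,4}[smhdwy])\z/', $value) === 1) {
        return $value;
    }
    return null;
}

// Returns an argv array, or null when either bound fails validation.
// An argv array given to proc_open() (PHP 7.4+) starts the process without a shell.
function buildGraphArgv(string $rrdFile, string $from, string $to): ?array
{
    $start = parseGraphTime($from);
    $end = parseGraphTime($to);
    if ($start === null || $end === null) {
        return null;
    }
    return ['rrdtool', 'graph', '-', '-s', $start, '-e', $end,
        "DEF:v=$rrdFile:value:AVERAGE", 'LINE1:v#0000ff'];
}

// Constructed inputs: one ordinary range and one value containing backticks.
$samples = [['-1d', 'now'], ['-1d`constructed`', 'now']];
foreach ($samples as [$from, $to]) {
    $escaped = sqlStyleEscape($from);
    printf("from=%s\n  after SQL-style escaping: %s (backticks %s)\n", $from, $escaped,
        strpos($escaped, '`') === false ? 'absent' : 'still present');
    $argv = buildGraphArgv('/path/to/example.rrd', $from, $to);
    echo '  validated builder: ', $argv === null ? 'rejected' : implode(' ', $argv), "\n";
}
```

The second sample passes through the SQL-style escaping unchanged and is rejected by the allowlist, which is the property the escaping alone could not provide.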