LibreNMS 1.65 is affected by an authenticated command-injection vulnerability in the /about API endpoint. An attacker with 'normal' privileges can gain Remote Code Execution (RCE) on the LibreNMS host.
“LibreNMS is an autodiscovering PHP/MySQL/SNMP based network monitoring which includes support for a wide range of network hardware and operating systems including Cisco, Linux, FreeBSD, Juniper, Brocade, Foundry, HP and many more”. For more information on LibreNMS, visit https://www.librenms.org/.
The /about endpoint reports some information about the LibreNMS installation, such as the web-server and rrdtool versions in use. Even though it is not shown in the user interface, the snmpget version information is also read via a shell call in https://github.com/librenms/librenms/blob/1.65/app/Http/Controllers/AboutController.php#L82.
The snmpget binary path is a configuration value that can also be changed by 'normal' privilege users, the lowest privilege level in LibreNMS, via a single HTTP POST request to /settings/snmpget. By setting it to a command it is possible to inject arbitrary shell commands into the /about endpoint rendering.
X-CSRF-TOKEN HTTP header and XSRF-TOKEN and laravel_session HTTP cookie values
[LibreNMS host ip/hostname]/about in the logged-in session, which will trigger the malicious command execution and send the HTTP request to our listener:
A low-privileged attacker can gain Remote Code Execution (RCE) on the LibreNMS host.
The /settings API endpoints now require administrator privileges.
Upgrade to LibreNMS 1.65.1 or later.
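The project's fix restricts who may edit the setting; as an added example (not LibreNMS code), the PHP below shows the complementary hardening of the version lookup itself: the configured path is validated as a plain executable path and run without a shell, so a tampered value is rejected whatever role stored it. The function names and the assumption that the 'snmpget' setting holds a bare path string are mine.

```php
<?php
// Added example, not LibreNMS code. Hardened handling of a configurable tool
// path (the 'snmpget' setting is assumed to hold a bare path string).

// Accept only an absolute path, free of shell metacharacters, whose basename
// is an expected tool name and which resolves to an existing executable.
function validateToolPath(string $value, array $allowedNames = ['snmpget']): string
{
    if ($value === '' || $value[0] !== '/') {
        throw new InvalidArgumentException('tool path must be absolute');
    }
    // A real binary path never needs ';', '|', '$', spaces, quotes, etc.
    if (preg_match('/[^A-Za-z0-9\/._-]/', $value)) {
        throw new InvalidArgumentException('tool path contains illegal characters');
    }
    if (!in_array(basename($value), $allowedNames, true)) {
        throw new InvalidArgumentException('unexpected tool name');
    }
    $real = realpath($value);
    if ($real === false || !is_executable($real)) {
        throw new InvalidArgumentException('tool path is not an executable file');
    }
    return $real;
}
// Run "<tool> --version" without a shell: proc_open() with an argv array
// (PHP >= 7.4) executes the binary directly, so no string is parsed as a
// command line, unlike a shell call built by string concatenation.
function toolVersion(string $configuredPath): string
{
    $bin = validateToolPath($configuredPath);
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open([$bin, '--version'], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start tool');
    }
    $out = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return trim($out);
}
// Constructed inputs: a legitimate setting and a tampered one of the kind the
// advisory describes being stored through /settings/snmpget.
foreach (['/usr/bin/snmpget', '/usr/bin/snmpget; echo injected'] as $candidate) {
    try {
        echo $candidate, ' -> ', toolVersion($candidate), PHP_EOL;
    } catch (Exception $e) {
        echo $candidate, ' -> rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```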
This report was subject to Shielder’s disclosure policy:
murrant
`polict` of Shielder
This advisory was first published on https://www.shielder.com/advisories/librenms-about-authenticated-command-injection/
Date: 10 July 2020