LibreNMS 1.65 is affected by multiple SQL Injection vulnerabilities via the sort
parameter in the /ajax_table.php
API endpoint. A ’normal’ privileges attacker can gain access to the database in use by LibreNMS.
“LibreNMS is an autodiscovering PHP/MySQL/SNMP based network monitoring which includes support for a wide range of network hardware and operating systems including Cisco, Linux, FreeBSD, Juniper, Brocade, Foundry, HP and many more”. For more information on LibreNMS, visit https://www.librenms.org/.
The /ajax_table.php
API endpoint allows the user to retrieve information from many modules, specified by the id
parameter in https://github.com/librenms/librenms/blob/1.65/html/ajax_table.php :
|
|
Many modules use the input sort
parameter without any parametrization in a SQL query, for example https://github.com/librenms/librenms/blob/1.65/includes/html/table/as-selection.inc.php :
|
|
Such vulnerable code pattern is shared by many other modules, all exploitable too:
X-CSRF-TOKEN
HTTP header and XSRF-TOKEN
and laravel_session
HTTP cookies values
|
|
Note the HTTP request includes the malicious payload (CASE WHEN (SELECT user_id from users where username='librenms' AND sleep(5))=1 THEN bgpLocalAs else bgpLocalAs end) DESC
which allows us to extract information from the database by a time-based oracle.
(Note: this could also be exploited faster via a results’ order-based oracle but it would need at least two query results which are not available in the default installation)
A low-privileged attacker can gain access to the database in use by LibreNMS.
The sort
parameter is now sanitized before use.
Upgrade to LibreNMS 1.65.1 or later.
This report was subject to Shielder’s disclosure policy:
murrant
`polict` of Shielder
This advisory was first published on https://www.shielder.com/it/advisories/librenms-sort-authenticated-sql-injection/
Data
10 luglio 2020