LibreNMS Command Injection Vulnerability

15 July 2019

CVE

CVE-2019-10669

CVSS SCORE

7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

XID

XL-19-017

AFFECTED VENDORS

LibreNMS (www.librenms.org)

CREDIT

Eldar Marcussen - xen1thLabs - Software Labs

VULNERABILITY SUMMARY

There is a command injection vulnerability in the collectd graph subset. An authenticated attacker can execute commands on the server.

TECHNICAL DETAILS

There is a command injection vulnerability in html/includes/graphs/device/collectd.inc.php, visible in lines 231 – 265, where the user-supplied parameters (from and to) are filtered with the “mysqli_real_escape_string” function, called as mres() in the listing below. This is not an appropriate function for sanitizing command arguments: it does not escape a number of shell metacharacters such as ` (backtick), allowing an attacker to inject commands into the variable $rrd_cmd, which is executed via “passthru()” on line 265.

 

PROOF OF CONCEPT

231: if (isset($rrd_cmd)) {
232:     if ($_GET['from']) {
233:         $from = mres($_GET['from']);
234:     }
235:
236:     if ($_GET['to']) {
237:         $to = mres($_GET['to']);
238:     }
239:
240:     $rrd_cmd .= ' -s '.$from.' -e '.$to;
241: }
242:
243: if ($_GET['legend'] == 'no') {
244:     $rrd_cmd .= ' -g ';
245: }
246:
247: if ($height < '99') {
248:     $rrd_cmd .= ' --only-graph ';
249: }
250:
251: if ($width <= '300') {
252:     $rrd_cmd .= ' --font LEGEND:7:'.$config['mono_font'].' --font AXIS:6:'.$config['mono_font'].' ';
253: } else {
254:     $rrd_cmd .= ' --font LEGEND:8:'.$config['mono_font'].' --font AXIS:7:'.$config['mono_font'].' ';
255: }
256:
257: if (isset($_GET['debug'])) {
258:     header('Content-Type: text/plain; charset=utf-8');
259:     printf("Would have executed:\n%s\n", $rrd_cmd);
260:     return 0;
261: } elseif ($rrd_cmd) {
262:     header('Content-Type: image/png');
263:     header('Cache-Control: max-age=60');
264:     $rt = 0;
265:     passthru($rrd_cmd, $rt);

 

Figure 1 – Command injection in collectd.inc.php.
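
An added example, not LibreNMS code and not the project's actual fix: one way to handle the from and to parameters so that only validated, shell-quoted values are appended to $rrd_cmd before passthru(). The function names, the default values and the base command are assumptions made for illustration.

```php
<?php
// Added example, not LibreNMS code. Function names, defaults and the base
// command are hypothetical.

/** Validate one rrdtool time value and return it quoted for the shell. */
function rrd_time_arg($value, string $default): string
{
    if ($value === null || $value === '') {
        $value = $default;              // assumed default when the parameter is absent
    }
    // Reject arrays (?from[]=x) and anything outside a small allowlist:
    // epoch seconds or relative forms such as "-1d", "now", "end-6h".
    if (!is_string($value) || !preg_match('/\A[A-Za-z0-9+\-:\/]{1,32}\z/', $value)) {
        throw new InvalidArgumentException('invalid time specification');
    }
    // Defence in depth: quote for the shell even after validation.
    return escapeshellarg($value);
}

/** Hardened counterpart of lines 231-241: append -s/-e to the command. */
function append_time_range(string $rrd_cmd, array $query): string
{
    $from = rrd_time_arg($query['from'] ?? null, '-1d');
    $to   = rrd_time_arg($query['to'] ?? null, 'now');
    return $rrd_cmd . ' -s ' . $from . ' -e ' . $to;
}

// Constructed inputs standing in for $_GET.
$base = 'rrdtool graph -';  // placeholder for the command built earlier in the file
$samples = [
    ['from' => '1563148800', 'to' => 'now'],
    ['from' => '-1d'],
    ['from' => '-1d`echo constructed`', 'to' => 'now'],  // backtick: must be rejected
    ['from' => ['x'], 'to' => 'now'],                    // array instead of string
];

foreach ($samples as $query) {
    try {
        echo append_time_range($base, $query), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($query), PHP_EOL;
    }
}
```

escapeshellarg() is the function PHP provides for quoting a single shell argument; the allowlist in front of it rejects malformed values before a command is built at all.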

 

AFFECTED SYSTEMS

LibreNMS 1.47 and older

SOLUTION

Upgrade to the latest version of LibreNMS.

DISCLOSURE TIMELINE

26/03/2019 - Contacted LibreNMS developer requesting disclosure coordination

28/03/2019 - Provided vulnerability details

16/04/2019 - Version 1.50.1 released which resolves this issue

15/07/2019 - xen1thLabs public disclosure