LibreNMS Limited Local File Inclusion via Directory Traversal Vulnerability

15 July 2019

CVE

CVE-2019-10666

CVSS SCORE

8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

XID

XL-19-020

AFFECTED VENDORS

LibreNMS (www.librenms.org)

CREDIT

Eldar Marcussen - xen1thLabs - Software Labs

VULNERABILITY SUMMARY

Several LibreNMS scripts include other scripts via “include()” with user-supplied data used in the file path. An attacker who can control both a filename and its content on the server can execute PHP code from the file. This vulnerability can be combined with other vulnerabilities identified by xen1thLabs to achieve unauthenticated remote code execution.

TECHNICAL DETAILS

Several of the scripts in LibreNMS perform dynamic script inclusion via the “include()” function on user-supplied input without sanitizing the values by calling “basename()” or a similar function. An attacker can leverage this to execute PHP code from the included file. Exploitation of these scripts is made difficult by additional text being appended to the path (typically .inc.php), which means an attacker would need to be able to control both a file name and its content on the server. However, xen1thLabs has identified other vulnerabilities in the affected versions of LibreNMS that allow an unauthenticated attacker to exploit this issue.

PROOF OF CONCEPT

The following URL will load an attacker-controlled script from “/tmp/pwn.csv.inc.php” if the file exists:

http://host/csv.php?report=../../../../../../../tmp/pwn

Figure 1 – Local file inclusion.

The vulnerable code starts on line 20 of the file:

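// $report comes straight from the request; mres() is applied, but no
// basename() or similar call removes "../" sequences from the value.
$report = mres($vars['report']);
// The user-controlled value is interpolated into the path that is checked ...
if (!empty($report) && file_exists("includes/reports/$report.csv.inc.php")) {
    if ($debug === false) {
        header('Content-Type: text/csv');
        header('Content-Disposition: attachment; filename="'.$report.'-'.date('Ymd').'.csv"');
    }
    $csv = array();
    // ... and into the path passed to require, so a traversal in $report is followed.
    require $config['install_dir'] . "/html/includes/reports/$report.csv.inc.php";
    // ...
}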
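
One way to validate the report name before it reaches require, shown as an added example that is not LibreNMS code or the project's actual fix. The function resolve_report() and the temporary directory layout are hypothetical, constructed so the check can be run offline with the php CLI.

```php
<?php
// Added example, not LibreNMS code. resolve_report() and the temporary
// directory layout are hypothetical names constructed for this demonstration.

/**
 * Map a user-supplied report name to a file inside $reportsDir,
 * or return null if the name could leave that directory.
 */
function resolve_report(string $reportsDir, string $name): ?string
{
    // 1. Allow-list the characters: no "/", "\", "." or NUL can get through.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    // 2. Strip any directory part with basename(), the call the advisory names as missing.
    $name = basename($name);

    // 3. Canonicalise and confirm the result is still under the reports directory.
    $base = realpath($reportsDir);
    $path = realpath($reportsDir . '/' . $name . '.csv.inc.php');
    if ($base === false || $path === false) {
        return null;                      // directory or report does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                      // e.g. a symlink pointing elsewhere
    }
    return $path;
}

// Constructed layout: one legitimate report, one file outside the directory.
$root = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/reports', 0700, true);
file_put_contents($root . '/reports/ports.csv.inc.php', "<?php // report\n");
file_put_contents($root . '/outside.csv.inc.php', "<?php // not a report\n");

foreach (['ports', '../outside', 'ports/../../outside', ''] as $input) {
    $resolved = resolve_report($root . '/reports', $input);
    printf("%-24s => %s\n", var_export($input, true), $resolved ?? 'rejected');
}

// Clean up the constructed files.
unlink($root . '/reports/ports.csv.inc.php');
unlink($root . '/outside.csv.inc.php');
rmdir($root . '/reports');
rmdir($root);
```

Only the name 'ports' resolves to a path; the traversal inputs and the empty string are rejected before any file is included.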

 

AFFECTED SYSTEMS

LibreNMS 1.47 and older

SOLUTION

Upgrade to the latest version of LibreNMS

DISCLOSURE TIMELINE

26/03/2019 - Contacted LibreNMS developer requesting disclosure coordination

28/03/2019 - Provided vulnerability details

16/04/2019 - Version 1.50.1 released, but did not fully resolve this issue

01/07/2019 - Version 1.53 released which patches this issue

15/07/2019 - xen1thLabs public disclosure