LibreNMS SQL Injection Vulnerability

15 July 2019

CVE

CVE-2019-12465

CVSS SCORE

8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)

XID

XL-19-024

AFFECTED VENDORS

LibreNMS (www.librenms.org)

CREDIT

Eldar Marcussen - xen1thLabs - Software Labs

VULNERABILITY SUMMARY

LibreNMS does not parameterize all user supplied input within database queries, resulting in SQL injection vulnerabilities. An authenticated attacker can subvert these database queries to extract or manipulate data.

TECHNICAL DETAILS

The file “ajax_rulesuggest.php” uses a wrapper for the PHP function “mysql_real_escape_string()” in an attempt to keep user supplied input safe when used in database queries. However, this function is not sufficient in all use cases: it only neutralises input placed inside a quoted string literal, not input placed directly into the statement as an unquoted identifier. In this case, an authenticated attacker can manipulate the database queries, typically to extract data, which can be used to elevate privileges.

PROOF OF CONCEPT

The following URL can be used to extract data from the database using Boolean blind SQL injection:

http://host/ajax_rulesuggest.php?debug=1&term=users+where+Field=(select+’user_id’+from+users+where+1=1).111&device_id=1

The vulnerable code starts on line 67, where the user supplied data is escaped with the wrapper call “mres()”, before being used unquoted in a SHOW COLUMNS statement:

67: if (isset($_GET['term'], $_GET['device_id'])) {
68:     $chk               = array();
69:     $_GET['term']      = mres($_GET['term']);
70:     $_GET['device_id'] = mres($_GET['device_id']);
71:     if (strstr($_GET['term'], '.')) {
72:         $term = explode('.', $_GET['term']);
73:         if ($term[0] == 'macros') {
74:             foreach ($config['alert']['macros']['rule'] as $macro => $v) {
75:                 $chk[] = 'macros.'.$macro;
76:             }
77:         } else {
78:             $tmp = dbFetchRows('SHOW COLUMNS FROM '.$term[0]);
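
The following is an added example, not LibreNMS code, illustrating why escaping cannot protect the unquoted identifier position above and what a fix looks like: the table name is validated against an identifier allowlist pattern and backtick-quoted before it reaches SHOW COLUMNS. The function names and the escapeLikeMres() stand-in for mres() are assumptions for this example.

```php
<?php
// Added example (not LibreNMS code). escapeLikeMres() stands in for the
// advisory's mres() wrapper: it backslash-escapes quotes and backslashes,
// which only matters inside a quoted string literal.
function escapeLikeMres(string $value): string
{
    return addslashes($value);
}

// Vulnerable pattern from the advisory: the escaped term is split on '.'
// and the first part is concatenated unquoted into the statement.
function showColumnsVulnerable(string $term): string
{
    $parts = explode('.', escapeLikeMres($term));
    return 'SHOW COLUMNS FROM ' . $parts[0];
}

// Hardened form: only a plain MySQL identifier (letters, digits, '_', '$',
// at most 64 characters) is accepted, and it is backtick-quoted. Checking
// the name against the list of tables the page actually needs is stricter
// still and preferable where that list is known.
function isPlainIdentifier(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_$]{1,64}$/', $name) === 1;
}

function showColumnsSafe(string $term): ?string
{
    $parts = explode('.', $term);
    if (!isPlainIdentifier($parts[0])) {
        return null; // reject the request instead of building a query from it
    }
    return 'SHOW COLUMNS FROM `' . $parts[0] . '`';
}

// Constructed inputs: a normal lookup, and a term shaped like the advisory's
// PoC but without quote characters, which escaping leaves untouched.
$benign   = 'users.user_id';
$injected = 'users where Field=(select user_id from users where 1=1).111';

// The injected WHERE clause survives escaping and reaches the statement.
echo showColumnsVulnerable($benign), "\n";
echo showColumnsVulnerable($injected), "\n";

// The identifier check rejects the injected term before any query is built.
var_dump(showColumnsSafe($injected));
echo showColumnsSafe($benign), "\n";
```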

AFFECTED SYSTEMS

LibreNMS <1.53

SOLUTION

Upgrade to the latest version of LibreNMS

DISCLOSURE TIMELINE

26/03/2019 - Contacted LibreNMS developer requesting disclosure coordination

28/03/2019 - Provided vulnerability details

16/04/2019 - Version 1.50.1 released, but did not resolve this issue

01/07/2019 - Version 1.53 released which patches this issue

15/07/2019 - xen1thLabs public disclosure