LibreNMS 1.65 is affected by multiple SQL Injection vulnerabilities via the
sort parameter in the
/ajax_table.php API endpoint. A ‘normal’ privileges attacker can gain access to the database in use by LibreNMS.
“LibreNMS is an autodiscovering PHP/MySQL/SNMP based network monitoring which includes support for a wide range of network hardware and operating systems including Cisco, Linux, FreeBSD, Juniper, Brocade, Foundry, HP and many more”. For more information on LibreNMS, visit https://www.librenms.org/.
/ajax_table.php API endpoint allows the user to retrieve information from many modules, specified by the
id parameter in https://github.com/librenms/librenms/blob/1.65/html/ajax_table.php :
Many modules use the input
sort parameter without any parametrization in a SQL query, for example https://github.com/librenms/librenms/blob/1.65/includes/html/table/as-selection.inc.php :
Such vulnerable code pattern is shared by many other modules, all exploitable too:
X-CSRF-TOKENHTTP header and
laravel_sessionHTTP cookies values
Note the HTTP request includes the malicious payload
(CASE WHEN (SELECT user_id from users where username='librenms' AND sleep(5))=1 THEN bgpLocalAs else bgpLocalAs end) DESC which allows us to extract information from the database by a time-based oracle.
(Note: this could also be exploited faster via a results' order-based oracle but it would need at least two query results which are not available in the default installation)
A low-privileged attacker can gain access to the database in use by LibreNMS.
sort parameter is now sanitized before use.
Upgrade to LibreNMS 1.65.1 or later.
This report was subject to Shielder’s disclosure policy:
`polict` of Shielder
10 July 2020