CVE-2019-10669
Published 2019-09-09
Priority: P269 · high · 7.2 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 80.66% (99.6th percentile)
An issue was discovered in LibreNMS through 1.47. There is a command injection vulnerability in html/includes/graphs/device/collectd.inc.php where user supplied parameters are filtered with the mysqli_escape_real_string function. This function is not the appropriate function to sanitize command arguments as it does not escape a number of command line syntax characters such as ` (backtick), allowing an attacker to inject commands into the variable $rrd_cmd, which gets executed via passthru().
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| librenms | librenms | <= 1.47 | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP GET requests to /graph.php with parameters type=device_collectd and a 'from' or 'to' parameter containing backtick characters (`) which are used to inject OS commands.
- Alert on GET requests to /graph.php where query parameters include type=device_collectd alongside c_plugin, c_type, c_plugin_instance, and c_type_instance; this is the full parameter set used by the exploit to reach the vulnerable code path.
- Detect exploitation attempts by inspecting the $rrd_cmd variable passed to passthru() in collectd.inc.php for backtick-delimited subshell expressions originating from unsanitized 'from'/'to' HTTP parameters.
- Exploitation requires a valid authenticated session; the attacker must supply working LibreNMS credentials (USERNAME/PASSWORD) and at least one device with a Collectd plugin configured.
- The root cause is misuse of mysqli_escape_real_string() for OS command argument sanitization: it does not escape backticks or other shell metacharacters, making it unsuitable for this purpose.
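
The two request-level checks from the list above, as an added example that is not part of the original page or of LibreNMS. It assumes a combined-format web access log with the request line in double quotes; the log lines, the verdict labels and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line of a combined-format access log entry (assumed log format)
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Full parameter set the list above names for reaching the collectd code path
COLLECTD_PARAMS = {"c_plugin", "c_type", "c_plugin_instance", "c_type_instance"}

# Constructed sample lines, not taken from a real system
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Sep/2019:10:00:00 +0000] "GET /graph.php?type=device_collectd&c_plugin=cpu&c_plugin_instance=0&c_type=cpu&c_type_instance=idle&from=1568000000&to=1568086400 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Sep/2019:10:01:00 +0000] "GET /graph.php?type=device_collectd&c_plugin=cpu&c_plugin_instance=0&c_type=cpu&c_type_instance=idle&from=1568000000&to=%60CONSTRUCTED%60 HTTP/1.1" 200 0',
    '198.51.100.7 - - [10/Sep/2019:10:02:00 +0000] "GET /graph.php?type=device_collectd&from=`CONSTRUCTED`&to=1568086400 HTTP/1.1" 200 0',
    '192.0.2.10 - - [10/Sep/2019:10:03:00 +0000] "GET /graph.php?type=device_bits&from=1568000000&to=1568086400 HTTP/1.1" 200 4096',
    '192.0.2.10 - - [10/Sep/2019:10:04:00 +0000] "POST /graph.php?type=device_collectd HTTP/1.1" 200 10',
]


def classify(line):
    """Return 'injection', 'collectd-path' or None for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m or m.group("method") != "GET":  # the page describes GET requests
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/graph.php"):
        return None
    # parse_qs percent-decodes, so %60 and a literal backtick both match
    params = parse_qs(url.query, keep_blank_values=True)
    if "device_collectd" not in params.get("type", []):
        return None
    for name in ("from", "to"):
        if any("`" in value for value in params.get(name, [])):
            return "injection"  # backtick in a graph range parameter
    if COLLECTD_PARAMS.issubset(params):
        return "collectd-path"  # reaches collectd.inc.php, no backtick seen
    return None


def scan(lines):
    """Return (line_number, verdict) for every line that matches a check."""
    return [(n, v) for n, line in enumerate(lines, 1) if (v := classify(line))]


if __name__ == "__main__":
    for n, verdict in scan(SAMPLE_LOG):
        print(f"line {n}: {verdict}")
```

A 'collectd-path' hit is ordinary use of Collectd graphs on its own; it is useful mainly for scoping which sessions touched the vulnerable script on an unpatched host.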
CVSS provenance
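| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |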
No detection rules found.
Exploit-DB
LibreNMS - Collectd Command Injection (Metasploit)
exploitdb·2019-09-10
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'LibreNMS Collectd Command Injection',
'Description' => %q(
This module exploits a command injection vulnerability in the
Collectd graphing functionality in LibreNMS.
The `to` and `from` parameters used to define the range for
a graph are sanitized using the `mysqli_escape_real_string()`
function, which permits backticks. These parameters are used
as part of a shell command that gets executed via the `passthru()`
function, which can result in code execution.
),
'License' => MSF_LICENSE,
'Author' =>
[
'Eldar Marcussen', # Vulnerability discovery
'Shelby Pace' # Metasploit mo
```
Metasploit
LibreNMS Collectd Command Injection
metasploit
This module exploits a command injection vulnerability in the Collectd graphing functionality in LibreNMS. The `to` and `from` parameters used to define the range for a graph are sanitized using the `mysqli_escape_real_string()` function, which permits backticks. These parameters are used as part of a shell command that gets executed via the `passthru()` function, which can result in code execution.
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/154391/LibreNMS-Collectd-Command-Injection.html
- https://www.darkmatter.ae/xen1thlabs/librenms-command-injection-vulnerability-xl-19-017/
Published: 2019-09-09