SNMP location XSS vulnerability in librenms/librenms
Reported on Dec 19th 2022
Description
By including HTML in the "Location" field (sysLocation) of the snmpd configuration of a managed device, an attacker can inject HTML into the LibreNMS "Devices" tab, where it is rendered as-is when the page is viewed.
EDIT: I'm having difficulties developing a proper exploit for this beyond the "Alert('XSS')" PoC. But maybe someone more web-savvy than me could get it to work. Dialing down the severity in the meanwhile.
Proof of Concept
# /etc/snmp/snmpd.conf
# sysLocation carries the payload; LibreNMS polls it and shows it in the Devices tab
sysLocation <script>alert('XSS')</script>
sysContact Me <me@example.org>
sysServices 72
master agentx
agentaddress udp:161
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1
rouser authPrivUser authpriv -V systemonly
includeDir /etc/snmp/snmpd.conf.d
Impact
This vulnerability can be used to fetch a JavaScript file from a remote location. The script can then interact with LibreNMS arbitrarily on the victim's behalf: bring services up or down, view billing information, or change the victim's password. Depending on what other tabs the victim has open, the script could potentially make requests to other websites on the victim's behalf.
Occurrences
devices.inc.php L353
I think the "location" variable should be sanitized here.
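As an added example (not LibreNMS code), the unsafe rendering shape the report describes placed beside an output-encoded version; the device array and the helper names are hypothetical:

```php
<?php
declare(strict_types=1);

// Constructed device record, as a poller would store it after reading
// sysLocation / sysContact from the snmpd.conf shown in the PoC.
$device = [
    'hostname' => 'core-sw-01.example.org',
    'location' => "<script>alert('XSS')</script>",
    'contact'  => 'Me <me@example.org>',
];

// Vulnerable shape: the polled string is concatenated straight into the
// page, so the browser parses the <script> element it contains.
function renderLocationCellUnsafe(array $device): string
{
    return '<td>' . $device['location'] . '</td>';
}

// Hardened shape: encode at output time for the HTML context.
// ENT_QUOTES also covers attribute values; ENT_SUBSTITUTE keeps a
// malformed-UTF-8 value visible instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encoding rather than stripping matters here: a legitimate sysContact such
// as "Me <me@example.org>" contains angle brackets too, so an input filter
// on '<' would mangle real data while output encoding keeps it readable.
function renderLocationCellSafe(array $device): string
{
    return '<td title="' . e($device['contact']) . '">' . e($device['location']) . '</td>';
}

echo renderLocationCellUnsafe($device), PHP_EOL;
echo renderLocationCellSafe($device), PHP_EOL;
```

The same rule applies to every SNMP-sourced string LibreNMS displays (sysName, sysDescr, sysContact), not only location.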
SECURITY.md exists
Hello! Don't hesitate to ping me if anything is unclear! Also, is it possible to go for a CVE on this one?
Cheers! Keep up the good work :)