LibreNMS, SQL Injection, CVE-2024-32461 (High)

Listen to this Post

This vulnerability is a time-based blind SQL injection found in LibreNMS versions prior to 24.4.0. The flaw resides in includes/html/table/address-search.inc.php, where the `address` parameter is processed. When a user submits a value containing a slash (e.g., 127.0.0.1/INJECTION), the part after the slash is stored in the `$prefix` variable. On lines 34 and 52 of the file, this `$prefix` is directly concatenated into an SQL query using double quotes (" AND ipv4_prefixlen='$prefix'") without any sanitization or parameter binding . An authenticated attacker can exploit this by sending a crafted `address` parameter to the `/ajax_table.php` endpoint. The malicious payload uses SQL conditional statements with a `SLEEP()` function. By measuring the time it takes for the server to respond, the attacker can infer whether a condition is true or false. This binary search allows them to systematically extract data character by character from the database, including administrative credentials and password hashes .
Platform: LibreNMS
Version: before 24.4.0
Vulnerability: time-based blind SQLi
Severity: High (7.1-8.8)
date: 2024-04-22

Prediction: patch already released

What Undercode Say:

Analytics

Based on the ‘s provided script and the official advisories, this CVE targets a specific input validation failure. The vulnerability was patched in version 24.4.0, released shortly after the disclosure on April 22, 2024 . The CVSS score varies between 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N) and 8.8, depending on the vector calculated, but all confirm a “High” severity due to the low attack complexity and high potential for data breach . The exploit requires authentication but grants read access to any authenticated user, making it a significant internal threat.

Bash Commands and Codes

The primary exploitation method is a Python script that performs a binary search via time-based injection.

Key injection logic from the
injection_string = f"' AND (SELECT 1 FROM (SELECT IF(ASCII(SUBSTRING(({inject_qry}),{i},1))=[bash],SLEEP({sleep_delay}),0))x) AND '1'='1"

This payload is inserted into the `address` parameter:

Example POST data format containing the payload
POST /ajax_table.php HTTP/1.1
...
address=127.0.0.1/aa' AND (SELECT 1 FROM (SELECT IF(ASCII(SUBSTRING((SELECT CURRENT_USER()),1,1))=97,SLEEP(1.5),0))x) AND '1'='1

The Python script automates this by iterating through characters and measuring response delays to reconstruct the output of queries like SELECT CURRENT_USER().

How Exploit:

  1. Authentication: The attacker must first log in to the LibreNMS web interface to obtain a valid session cookie.
  2. Craft Payload: The attacker creates a time-based SQL injection string. The ‘s script uses a binary search method to guess characters. For example, to guess the first letter of the database user, it injects: ' AND (SELECT 1 FROM (SELECT IF(ASCII(SUBSTRING((SELECT CURRENT_USER()),1,1))>97,SLEEP(1.5),0))x) AND '1'='1.
  3. Send Request: The payload is placed after a slash in the `address` parameter of a POST request to `/ajax_table.php` while maintaining the required fields like `search_type=ipv4` and device_id=1.
  4. Time Analysis: If the guessed condition is true, the database sleeps, delaying the HTTP response. The script measures this delay to determine if the character guess was correct.
  5. Data Exfiltration: The script repeats this process for each character and each desired data string, eventually extracting credentials or password hashes .

Protection from this CVE

  1. Upgrade LibreNMS: The primary and most effective fix is to update to version 24.4.0 or later, where the vulnerability is patched .
  2. Input Validation (Code Fix): Developers must replace the dangerous direct concatenation with parameterized queries. The vulnerable code `$sql .= ” AND ipv4_prefixlen=’$prefix'”;` should be changed to use a placeholder (e.g., ?) and bind the `$prefix` variable to it.
  3. Principle of Least Privilege: Ensure that database accounts used by LibreNMS have the minimum necessary permissions. This limits the data an attacker can extract even if SQL injection is successful.
  4. Web Application Firewall (WAF): Deploy WAF rules (like those from Check Point IPS) that can detect and block SQL injection patterns in the `address` parameter .

Impact

  • Confidentiality Breach: Any authenticated user can extract the entire contents of the LibreNMS database. This includes device credentials, SNMP community strings, and user tables.
  • Credential Theft: Attackers can specifically target password hashes of administrator accounts. If cracked, these grant full control over the monitoring system .
  • Privilege Escalation: Gaining admin access to LibreNMS could be a stepping stone to compromising managed network devices, as the system often stores credentials for accessing switches and routers.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top