module
LibreNMS addhost Command Injection
| Disclosed | Created |
|---|---|
| Dec 16, 2018 | Jun 5, 2019 |
Disclosed
Dec 16, 2018
Created
Jun 5, 2019
Description
This module exploits a command injection vulnerability in the open source
network management software known as LibreNMS. The community parameter used
in a POST request to the addhost functionality is unsanitized. This parameter
is later used as part of a shell command that gets passed to the popen function
in capture.inc.php, which can result in execution of arbitrary code.
This module requires authentication to LibreNMS first.
network management software known as LibreNMS. The community parameter used
in a POST request to the addhost functionality is unsanitized. This parameter
is later used as part of a shell command that gets passed to the popen function
in capture.inc.php, which can result in execution of arbitrary code.
This module requires authentication to LibreNMS first.
Authors
mhaskar
Shelby Pace
Shelby Pace
Platform
Unix
Architectures
cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.