[NMS-9668] IOActive: Stored Cross-site Scripting in SNMP Trap Message - The OpenNMS Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Resolved (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 20.1.0
Fix Version/s: 21.0.0, Meridian-2016.1.8, Meridian-2017.1.1
Component/s: Event Reception - SNMP Traps, Web UI - General
Security Level: Default (Default Security Scheme)
Labels:
- security
- trap
- web

Sprint:
Horizon - October 11th

Description

Affected Product

OpenNMS Horizon

https://www.opennms.org/en

V 20.1.0 (April 12, 2017)

Impact

OpenNMS receives SNMP traps from hosts that are present in the node list. These trap messages could include data of various types, including strings. However, the filtering method for this data is insufficient, which could allow an attacker to perform stored cross-site scripting attacks. The attacker would need network access to port 162/UDP on the server; once the OpenNMS user is logged and visits a specific page, the vulnerability will be triggered.

Background

OpenNMS is a carrier-grade, highly integrated, open source platform designed for building network monitoring solutions. There are two distributions of OpenNMS: Meridian and Horizon. Using Meridian is advisable for enterprises and businesses looking for stability and long term support. Horizon is the place where innovation happens quickly and is ideal for monitoring new technologies and IT ecosystems. Both distributions are completely open source.¹

Technical Details

The user interaction required to perform this attack is minimal. The attacker would only need the logged OpenNMS user to access any section that contains nodes information (nodes, events, notifications, alarms, reports, etc...). At that point, the malicious payload will be executed. The outcome of the attack depends on the privileges of the victim. In the worst-case scenario, if a user with admin privileges is compromised, the attacker may obtain remote privileged shell on the system via different methods.

The vulnerability lies in the way OpenNMS has implemented its XSS filter. The following regular expressions are used:

private static final Pattern imgOnErrorPattern = Pattern.compile("(img[^>]+)o(nerror=[^>]+>)", Pattern.CASE_INSENSITIVE);

(See WebSecurityUtils.java line 52, applied in lines 92-96)

This approach only detects some specific XSS patterns, skipping most of it. For example, the following trap will evade this filter (XSS in Firefox):

$ sudo snmptrap -v 1 -c public 192.168.0.1 .1.3.6.1.4.1.28116.20 192.168.0.1 6 5247 13:33:00 1.3.6.1.4.1.28116.20.1 s "<marquee onStart=alert(123)>1234567890</marquee>"

or (XSS in Chrome/Safari/any WebKit browser):

$ sudo snmptrap -v 1 -c public 192.168.0.1 .1.3.6.1.4.1.28116.20 192.168.0.1 6 5247 13:33:00 1.3.6.1.4.1.28116.20.1 s "tst<input type=image src=123 onerror=alert(1)> "

, where 192.168.0.1 is the host on the network with OpenNMS.
This will lead to the following XSS:

(Javascript popup containing string 123)

Timeline

Oct 4, 2017: Researchers discovers vulnerability

Oct XX, 2017: IOActive contacts the vendor

Attachments

Activity

People

Assignee:: Jesse White

Reporter:: Jeff Gehlbach

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 06/Oct/17 2:24 PM

Updated:: 19/Oct/17 9:20 PM

Resolved:: 17/Oct/17 4:40 PM