Last updated at Sat, 25 Jan 2025 01:58:36 GMT

LibreNMS Authenticated RCE module and ESC15 improvements

This week the Metasploit Framework was blessed with an authenticated RCE module in LibreNMS, an autodiscovering PHP/MySQL-based network monitoring system. An authenticated attacker can create dangerous directory names on the system and alter sensitive configuration parameters through the web portal. These two defects combined to allow arbitrary OS commands inside shell_exec() calls, thus achieving arbitrary code execution.

Additionally, improvements have been made to the icpr_cert module. Metasploit users reported that when running the module with the option to add application policy OIDs to the template—typically done when attempting to exploit ESC15—the module would say that it ran successfully against a server patched for ESC15. However, no certificate application policy OIDs would be returned in the response. This behavior indicated that the server had been patched for ESC15 (CVE-2024-49019). In response to this, the module has been updated to raise an error in this scenario, notifying the user that the target is likely patched and the exploit will not be successful.

New module content (1)

LibreNMS Authenticated RCE (CVE-2024-51092)

Authors: Takahiro Yokoyama and murrant (Tony Murray)
Type: Exploit
Pull request: #19805 contributed by Takahiro-Yoko
Path: linux/http/librenms_authenticated_rce_cve_2024_51092
AttackerKB reference: CVE-2024-51092

Description: New module for exploiting CVE-2024-51092, an authenticated command injection in LibreNMS. It allows the attacker to run system commands and gain remote code execution (RCE). However, it requires a set of working credentials.

Bugs fixed (2)

  • #19808 from jheysel-r7 - Adds detection for the ESC15 patch to the icpr_cert module.
  • #19820 from adfoster-r7 - Pin the version of concurrent-ruby used to stop a crash on msfconsole bootup.

Documentation added (1)

  • #19807 from msutovsky-r7 - Clarify the usage of vars_get and vars_post in module development.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

NEVER MISS AN EMERGING THREAT

Be the first to learn about the latest vulnerabilities and cybersecurity news.