CVE-2020-35476: OpenTSDB 2.4.0 Remote Code Execution · Issue #2051 · OpenTSDB/opentsdb
A remote code execution vulnerability occurs in OpenTSDB through 2.4.0 via command injection in the yrange parameter. The yrange value is written to a gnuplot file in the /tmp directory. This file is then executed via the mygnuplot.sh shell script. (tsd/GraphHandler.java attempted to prevent command injections by blocking backticks but this is insufficient.)
During a pentest we found a remote code execution vulnerability in OpenTSDB 2.4.0 and below using command injection in the yrange parameter (other parameters might be vulnerable as well).
When passing the payload via one of the parameters it is written to a gnuplot file in the /tmp directory and the gnuplot file is executed by OpenTSDB via the /src/mygnuplot.sh shell script.
There was an attempt to block command injections by blocking back-ticks but we were able to bypass it:
    private static String popParam(final Map<String, List<String>> querystring,
                                   final String param) {
      final List<String> params = querystring.remove(param);
      if (params == null) {
        return null;
      }
      final String given = params.get(params.size() - 1);
      // TODO - far from perfect, should help a little.
      // Rejects a literal back-tick, its URL-encoded form and its HTML-entity form;
      // nothing else in the value is checked.
      if (given.contains("`") || given.contains("%60") ||
          given.contains("&#96;")) {
        throw new BadRequestException("Parameter " + param + " contained a "
            + "back-tick. That's a no-no.");
      }
      return given;
    }
The gnuplot file created in the temp directory by OpenTSDB would look something like this:
set term png small size 1516,644
set xdata time
set timefmt "%s"
if (GPVAL_VERSION < 4.6) set xtics rotate; else set xtics rotate right
set output "/tmp/d705ba5b.png"
set xrange ["972086400":"1603641404"]
set format x "%Y/%m/%d"
set grid
set style data linespoint
set key right box
set ylabel ""
set yrange [33:system('touch /tmp/poc.txt')]
plot "/tmp/d705ba5b_0.dat" using 1:2 title "sys.cpu.nice{host=web01, dc=lga}"
When this file is executed by OpenTSDB's mygnuplot.sh, the poc.txt file is written to the temp directory.
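The report shows why a back-tick blocklist does not help: gnuplot's own system() function needs no back-ticks. The following is an added example (not OpenTSDB code) that contrasts the quoted blocklist with an allowlist that only accepts a plain numeric gnuplot range, run against the report's payload and a few constructed benign inputs.

```python
import re

# The original check from tsd/GraphHandler.java, as quoted in the report:
# only a back-tick in one of three spellings is rejected.
def backtick_blocklist_accepts(value: str) -> bool:
    return not any(marker in value for marker in ("`", "%60", "&#96;"))

# Allowlist: a yrange is "[lo:hi]" where each bound is empty, "*" (gnuplot
# autoscale) or a decimal number with optional sign and exponent. Anything
# else, including function calls such as system(...), is rejected.
_NUM = r"[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?"
_YRANGE = re.compile(rf"\[(?:{_NUM}|\*)?:(?:{_NUM}|\*)?\]")

def yrange_allowlist_accepts(value: str) -> bool:
    return _YRANGE.fullmatch(value) is not None

def validate_yrange(value: str) -> str:
    """Allowlist replacement for the back-tick check: return the value if it
    is a plain numeric range, otherwise raise (as BadRequestException did)."""
    if not yrange_allowlist_accepts(value):
        raise ValueError(f"yrange {value!r} is not a numeric gnuplot range")
    return value

# Constructed inputs: the report's payload plus benign ranges and a back-tick case.
SAMPLES = [
    "[0:100]",
    "[:100]",
    "[-1.5e3:*]",
    "[33:system('touch /tmp/poc.txt')]",   # payload from the report
    "[0:`x`]",                             # the only shape the blocklist catches
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:40} blocklist accepts={backtick_blocklist_accepts(s)!s:5} "
              f"allowlist accepts={yrange_allowlist_accepts(s)}")
```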
Related news
Due to insufficient validation of parameters passed to the legacy HTTP query API, it is possible to inject crafted OS commands into multiple parameters and execute malicious code on the OpenTSDB host system. This exploit exists due to an incomplete fix that was made when this vulnerability was previously disclosed as CVE-2020-35476. Regex validation that was implemented to restrict allowed input to the query API does not work as intended, allowing crafted commands to bypass validation.
This Metasploit module exploits an unauthenticated command injection vulnerability in the yrange parameter in OpenTSDB through 2.4.0 (CVE-2020-35476) in order to achieve unauthenticated remote code execution as the root user. The module first attempts to obtain the OpenTSDB version via the API. If the version is 2.4.0 or lower, the module performs additional checks to obtain the configured metrics and aggregators. It then randomly selects one metric and one aggregator and uses those to instruct the target server to plot a graph. As part of this request, the yrange parameter is set to the payload, which will then be executed by the target if the latter is vulnerable. This module has been successfully tested against OpenTSDB version 2.3.0.