Weird behavior in LibreNMS whois demo

Hello,

Yesterday I wanted to test the LibreNMS demo and saw there was a whois feature, so I tried different things:

  • 8.8.8.8
  • 127.0.0.1

Everything went well until I tested this one:

  • com

And got some errors back:

The base64 encoded thing appears to be an image of a tiny blue shield… I did a reverse code search on the base64 string and found it to be related to toastr js notifications, which is consistent with the js libraries loaded in the page.

Any idea on what might be causing this? Why so many replies?

According to the codebase:

$cmd = $config['whois']." $host | grep -v \%";

That means com passes the 3 filters.

I would be glad to understand this feature better and wonder if this could be exploitable in any way.
Thank you!

A. The RIPE whois doesn’t use netcmd.php, it just talks to the RIPE API
B. I think com is an alias for a network.
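
One way to build the command quoted in the question without handing $host to a shell, as an added example that is not LibreNMS code and not part of the original posts. The function names and the validation rule are assumptions, and the array form of proc_open needs PHP 7.4 or later.

```php
<?php
// Added example, not LibreNMS code; all function names are hypothetical.

// Accept an IP literal, or a hostname/TLD made of letter-digit-hyphen labels.
function is_valid_whois_query(string $host): bool
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    if (strlen($host) > 253) {
        return false;
    }
    // Labels start and end alphanumeric, so input can never begin with "-".
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return preg_match('/^' . $label . '(?:\.' . $label . ')*$/iD', $host) === 1;
}

// Same effect as "| grep -v \%": drop every line that contains "%".
function strip_percent_lines(string $output): string
{
    $lines = preg_split('/\R/', $output);
    return implode("\n", array_filter($lines, fn($l) => strpos($l, '%') === false));
}

// Run whois from an argv array (PHP >= 7.4) so no shell ever parses $host.
function run_whois(string $whoisBinary, string $host): ?string
{
    if (!is_valid_whois_query($host)) {
        return null;
    }
    $proc = proc_open([$whoisBinary, $host], [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = (string) stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return strip_percent_lines($out);
}

// Constructed inputs: the three from the post plus two that must be rejected.
foreach (['8.8.8.8', '127.0.0.1', 'com', 'host name', '-v'] as $q) {
    printf("%-10s %s\n", $q, is_valid_whois_query($q) ? 'accepted' : 'rejected');
}
// Constructed whois-style output, so the filter can be checked offline.
echo strip_percent_lines("% comment line\ndomain: COM\n% another\nwhois: example\n"), "\n";
```

With this rule, com is still accepted, since a bare TLD is a valid single label; the change is that the value reaches whois as one argument instead of as shell text.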