OpenNMS Authenticated XXE
Description
OpenNMS is vulnerable to XML External Entity Injection in the Real-Time Console interface. Although this attack requires authentication, there are several factors that increase the severity of this vulnerability. 1. OpenNMS runs with root privileges, taken from the OpenNMS FAQ: "The difficulty with the core of OpenNMS is that these components need to run as root to be able to bind to low-numbered ports or generate network traffic that requires root" 2. The user that you must authenticate as is the "rtc" user which has the default password of "rtc". There is no mention of this user in the installation guides found here: http://www.opennms.org/wiki/Tutorial_Installation, only mention that you should change the default admin password of "admin" for security purposes.
Author(s)
- Stephen Breen <breenmachine@gmail.com>
- Justin Kennedy <jstnkndy@gmail.com>
Development
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use auxiliary/gather/opennms_xxe
msf auxiliary(opennms_xxe) > show actions
...actions...
msf auxiliary(opennms_xxe) > set ACTION < action-name >
msf auxiliary(opennms_xxe) > show options
...show and set options...
msf auxiliary(opennms_xxe) > run 
- Collect and share all the information you need to conduct a successful and efficient penetration test
- Simulate complex attacks against your systems and users
- Test your defenses to make sure they’re ready
- Automate Every Step of Your Penetration Test
Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.
– Jim O’Gorman | President, Offensive Security