PHP file upload and remote code execution in Pandora FMS <= 7.42 in the File Manager

cve-2020-7935

The vendor does not want to allow us to upload and execute the PHP file even with an Admin account in Pandora FMS. They introduced a protection mechanism in the File Manager to solve the issue. Unfortunately, the applied solution is not enough to block an attacker. I reported the problem to the vendor and they fixed it in the Pandora FMS 7.43? version.

Technical Details

Note: The vulnerability exploitable only with a Web Admin account.

Interestingly the File Manager allows us to upload PHP files, but it is not possible to execute them via the File Manager. The vendor solved it with a tricky get_file.php, which gives back the contents of a PHP file, so it is not possible to execute it via the File Manager.

I checked the upload process. The name of the PHP file remains the original and the exact path and the exact filename is known (and controllable) by the uploader.

1

2

The only thing that is missing is a folder where the attacker can store the PHP file, which is accessible from outside. Unfortunately there are folders with this property e.g: http(s)://.../pandora_console/images/backgrounds/. It is possible to create a directory with the File Manager. Unfortunately, the permission of the newly created folder and the file doesn't set properly.

3

Execute it with curl:

4

Proof

5

Additional content

Demo video