PHP file upload and remote code execution in Pandora FMS <= 7.42 in the File Manager - CVE-2020-7935
If you find it valuable, you can support me by making a donation. Donate now.
The vendor does not want to allow us to upload and execute the PHP file even with an Admin account in Pandora FMS. They introduced a protection mechanism in the File Manager to solve the issue. Unfortunately, the applied solution is not enough to block an attacker. I reported the problem to the vendor and they fixed it in the Pandora FMS 7.43? version.
Technical Details
Note: The vulnerability exploitable only with a Web Admin account.
Interestingly the File Manager allows us to upload PHP files, but it is not possible to execute them via the File Manager. The vendor solved it with a tricky get_file.php, which gives back the contents of a PHP file, so it is not possible to execute it via the File Manager.
I checked the upload process. The name of the PHP file remains the original and the exact path and the exact filename is known (and controllable) by the uploader.
The only thing that is missing is a folder where the attacker can store the PHP file, which is accessible from outside. Unfortunately there are folders with this property e.g: http(s)://.../pandora_console/images/backgrounds/ . It is possible to create a directory with the File Manager. Unfortunately, the permission of the newly created folder and the file doesn't set properly.
Execute it with curl:
Proof
Additional content
Demo video
© 2019-2024 Kamilló Matek (k4m1ll0) All Rights Reserved