Back to the advisories

PHP file upload and remote code execution in Pandora FMS <= 7.42 in the File Manager - CVE-2020-7935

#pandorafms#hacking#exploit#rce#cve
Last Modified: 2024.01.19.

If you find it valuable, you can support me by making a donation. Donate now.

The vendor does not want to allow us to upload and execute the PHP file even with an Admin account in Pandora FMS. They introduced a protection mechanism in the File Manager to solve the issue. Unfortunately, the applied solution is not enough to block an attacker. I reported the problem to the vendor and they fixed it in the Pandora FMS 7.43? version.

Technical Details

Note: The vulnerability exploitable only with a Web Admin account.

Interestingly the File Manager allows us to upload PHP files, but it is not possible to execute them via the File Manager. The vendor solved it with a tricky get_file.php, which gives back the contents of a PHP file, so it is not possible to execute it via the File Manager.

I checked the upload process. The name of the PHP file remains the original and the exact path and the exact filename is known (and controllable) by the uploader.

1

2

The only thing that is missing is a folder where the attacker can store the PHP file, which is accessible from outside. Unfortunately there are folders with this property e.g: http(s)://.../pandora_console/images/backgrounds/ . It is possible to create a directory with the File Manager. Unfortunately, the permission of the newly created folder and the file doesn't set properly.

3

Execute it with curl:

4

Proof

5

Additional content

Demo video

© 2019-2024 Kamilló Matek (k4m1ll0) All Rights Reserved