Pandora FMS auth RCE [CVE-2024-11320] #19738

Open
wants to merge 6 commits into
base: master
Conversation

h00die-gr3y
Contributor

@h00die-gr3y h00die-gr3y commented Dec 16, 2024

Last one for this year ;-)

Pandora FMS is a monitoring solution that provides full observability for your organization's technology.
This module exploits a command injection vulnerability (CVE-2024-11320) in the LDAP authentication mechanism of Pandora FMS.
You need to have admin access at the Pandora FMS Web application in order to execute this RCE.
This access can be achieved leveraging a default password weakness in Pandora FMS that allows an attacker to access the Pandora FMS MySQL database, create a new admin user and gain administrative access to the Pandora FMS Web application.
The attack can be remotely executed over the WAN as long as the MySQL services are exposed to the outside world.
This issue affects Pandora FMS Community, Free and Enterprise edition: from 718 through <= 777.4

@Chocapikk
Contributor

Hi @h00die-gr3y, I noticed that both the file name and the module title mention preauth, but the exploitation clearly requires admin credentials or access to the MySQL database to create an admin user. Since this isn't a true pre-authentication exploit, it might be misleading. Would it be possible to update the file name, module title, and description to reflect this correctly as a post-auth requirement?

@msutovsky-r7 msutovsky-r7 self-assigned this Dec 17, 2024

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@h00die-gr3y
Contributor Author

Hi @h00die-gr3y, I noticed that both the file name and the module title mention preauth, but the exploitation clearly requires admin credentials or access to the MySQL database to create an admin user. Since this isn't a true pre-authentication exploit, it might be misleading. Would it be possible to update the file name, module title, and description to reflect this correctly as a post-auth requirement?

Done. See 2abde4c.

@h00die-gr3y h00die-gr3y changed the title Pandora FMS preauth RCE [CVE-2024-11320] Pandora FMS auth RCE [CVE-2024-11320] Dec 18, 2024
Contributor

@msutovsky-r7 msutovsky-r7 left a comment

Thanks @h00die-gr3y, I have submitted a few comments to the code; the exploit is functional though. Also, can you please submit documentation for the module?

@h00die-gr3y
Contributor Author

h00die-gr3y commented Dec 20, 2024

Dear Reviewers,
The second release cf5b26d was tested against most of the Pandora FMS versions.
It triggered quite some changes, since the password hashing algorithm was changed from plain MD5 to BCRYPT in later versions of Pandora FMS. Also, the csrf_hidden codes were not used in older versions, which has now been catered for.

Finally, the command injection vulnerability (GHSA-882x-5jhv-r9x4) in the LDAP authentication mechanism of Pandora FMS did not work for versions lower than v7.0NG.718, so the vulnerability check has been adapted to handle this.

Documentation will be provided over the weekend.
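The attack chain in the PR description leaves an extra admin account behind, and the comment above notes that older releases still store passwords as plain MD5 rather than bcrypt. The following is an added defender-side example, not code from the module or the pull request: it audits a dump of Pandora FMS user rows for admin accounts outside an expected baseline and for MD5-format password hashes. The column names (id_user, password, is_admin) and the rows are assumptions and constructed sample data, not taken from the page.

```ruby
# Added example, not part of the Metasploit module or this PR.
# Column names id_user / password / is_admin are assumed; rows are constructed.

# Classify the stored hash format: 32 hex chars => MD5,
# $2a$/$2b$/$2y$ prefix with a cost => bcrypt, anything else => unknown.
def hash_format(stored)
  return :md5 if stored =~ /\A[0-9a-f]{32}\z/i
  return :bcrypt if stored =~ /\A\$2[aby]\$\d{2}\$/
  :unknown
end

# rows: array of hashes with 'id_user', 'password', 'is_admin' keys.
# baseline_admins: admin account names that are expected to exist.
# Returns an array of { user:, issue: } findings; an admin account that is
# not in the baseline is the artefact the described attack chain creates.
def audit_users(rows, baseline_admins)
  findings = []
  rows.each do |r|
    if r['is_admin'].to_i == 1 && !baseline_admins.include?(r['id_user'])
      findings << { user: r['id_user'], issue: :unexpected_admin }
    end
    if hash_format(r['password']) == :md5
      findings << { user: r['id_user'], issue: :md5_password }
    end
  end
  findings
end

# Constructed sample rows: one expected bcrypt admin, one unexpected admin
# with an MD5 hash, one ordinary user with an MD5 hash.
SAMPLE_ROWS = [
  { 'id_user' => 'admin',      'password' => '$2y$10$abcdefghijklmnopqrstuv', 'is_admin' => 1 },
  { 'id_user' => 'backup_svc', 'password' => '5f4dcc3b5aa765d61d8327deb882cf99', 'is_admin' => 1 },
  { 'id_user' => 'operator',   'password' => 'e10adc3949ba59abbe56e057f20f883e', 'is_admin' => 0 }
].freeze

if __FILE__ == $PROGRAM_NAME
  audit_users(SAMPLE_ROWS, ['admin']).each { |f| puts "#{f[:user]}: #{f[:issue]}" }
end
```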

@msutovsky-r7 msutovsky-r7 removed their assignment Dec 28, 2024
@dledda-r7 dledda-r7 self-assigned this Jan 3, 2025
@dledda-r7 dledda-r7 added docs and removed needs-docs labels Jan 3, 2025