Document Title:
===============
Pandora FMS v5.1 SP1 - Persistent SNMP Editor Vulnerability

References (Source):
====================
http://vulnerability-lab.com/get_content.php?id=1356

Release Date:
=============
2015-01-14

Vulnerability Laboratory ID (VL-ID):
====================================
1356

Common Vulnerability Scoring System:
====================================
3.4

Product & Service Introduction:
===============================
Pandora FMS is an open source monitoring software. It watches your systems and applications and lets you know the status of any element of those systems. Pandora FMS can detect a network interface going down, a defacement of your website, a memory leak in one of your server applications, or the movement of any value on the NASDAQ new technology market.

* Detect new systems in the network.
* Checks for availability or performance.
* Raise alerts when something goes wrong.
* Get data from inside systems with its own lightweight agents (for almost every operating system).
* Get data from outside, using only network probes, including SNMP.
* Receive SNMP traps from generic network devices.
* Generate real-time reports and graphics.
* SLA reporting.
* User-defined graphical views.
* Store data for months, ready to be used in reporting.
* Real-time graphs for every module.
* High availability for each component.
* Scalable and modular architecture.
* Supports up to 2500 modules per server.
* User-defined alerts, which can also be used to react to incidents.
* Integrated incident manager.
* Integrated DB management: purge and DB compaction.
* Multi-user, multi-profile, multi-group.
* Event system with user validation for operation in teams.
* Granular access and user profiles for each group and each user.
* Profiles can be personalized using up to eight security attributes without limitation on groups or profiles.

Pandora FMS runs on any operating system, with specific agents for each platform that gather data and send it to a server; it has specific agents for GNU/Linux, AIX, Solaris, HP-UX, BSD/IPSO, and Windows 2000, XP and 2003.

(Copy of the Vendor Homepage: http://pandorafms.org/index.php?sec=project&sec2=home&lang=en)

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent web vulnerability in the official Pandora FMS v5.1 SP1 monitoring web application.

Vulnerability Disclosure Timeline:
==================================
2015-01-14: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Artica Soluciones Tecnologicas
Product: Pandora FMS - Monitoring Web Application 5.1 SP1

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
An application-side input validation web vulnerability has been discovered in the official Pandora FMS v5.1 SP1 monitoring web application. The vulnerability allows an attacker to inject their own script code as payload into the application side of the vulnerable service function or module.

The vulnerability is located in the `oid` and `custom_oid` values of the `snmp trap editor` module. Remote attackers with low privileged user accounts are able to manipulate the create POST request of the `snmp trap editor` module to compromise user session information. The attack vector is persistent on the application side and the request method used to inject is POST. The issue allows persistent malicious script code to be streamed to the front site of the `snmp trap editor` module, where the `item context` becomes visible in the list.

Local low privileged application user accounts with access to the snmp editor can inject their own malicious script code to steal session information of a higher privileged monitoring application user account.

The security risk of the application-side web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.4.

Exploitation of the application-side web vulnerability requires a low privileged web application user account and low or medium user interaction. Successful exploitation of the vulnerability results in persistent phishing mails, session hijacking, persistent external redirects to malicious sources and application-side manipulation of affected or connected module context.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] SNMP > SNMP Trap Editor

Vulnerable Parameter(s):
[+] oid
[+] custom_oid

Affected Module(s):
[+] SNMP Trap Editor - Index

Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with low privileged application user accounts and low user interaction. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.

Manual steps to reproduce the vulnerability ...
1. Open the Pandora FMS web application and log in with a low privileged user account that is allowed to access the monitoring snmp editor module
2. Surf to SNMP > SNMP Trap Editor
3. Create a new entry to inject your own payloads with script code into the OID & Custom OID input fields
4. Save the input
Note: The monitoring service refreshes the list after the POST request to add and displays the stored items of the snmp trap editor
5. The injected script code executes on the application side of the service in the item output listing of the snmp_trap_editor
6. Successful reproduction of the security vulnerability!
Payload: (SNMP trap editor - Create)
oid=%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C++%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C
&custom_oid=%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C++%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C
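As an added example from the defender's side (not Pandora FMS code and not part of the advisory), the two controls that close this class of bug in the trap editor: a whitelist check on the `oid` / `custom_oid` POST fields before storage, and HTML escaping when the stored items are rendered into the list. The numeric-OID format, the 255-character limit and the row template are assumptions of this example, not the product's.

```python
import html
import re
from urllib.parse import parse_qs

# Assumption for this example: a valid OID is a dot-separated run of
# non-negative integers, optionally with a leading dot (e.g. .1.3.6.1).
# Anything else is rejected before it can reach the database.
OID_RE = re.compile(r"^\.?\d+(\.\d+)*$")
MAX_OID_LEN = 255  # assumed upper bound, not a Pandora FMS value


def is_valid_oid(value: str) -> bool:
    """Whitelist check applied to both the oid and custom_oid fields."""
    return len(value) <= MAX_OID_LEN and OID_RE.fullmatch(value) is not None


def validate_trap_editor_post(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded create request and
    return the accepted fields; raise ValueError on any bad value."""
    fields = parse_qs(body, keep_blank_values=True)
    accepted = {}
    for name in ("oid", "custom_oid"):
        values = fields.get(name, [""])
        if len(values) != 1 or not is_valid_oid(values[0]):
            raise ValueError(f"rejected {name}: not a numeric OID")
        accepted[name] = values[0]
    return accepted


def render_trap_row(oid: str, custom_oid: str) -> str:
    """Second line of defence: escape at output time, so even a value
    that slipped into storage cannot break out of its table cell."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(oid, quote=True), html.escape(custom_oid, quote=True))


def check_payload_rejected(body: str) -> bool:
    """True when the create request is refused by the input check."""
    try:
        validate_trap_editor_post(body)
    except ValueError:
        return True
    return False


# Constructed request bodies: one carrying the advisory's iframe payload,
# one carrying ordinary numeric OIDs as a legitimate operator would enter.
MALICIOUS_BODY = ("oid=%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C"
                  "&custom_oid=%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C")
BENIGN_BODY = "oid=.1.3.6.1.4.1.2021.10.1.3.1&custom_oid=1.3.6.1.2.1.1.5.0"
```

Running `check_payload_rejected` over both bodies shows the payload refused and the benign entry accepted; `render_trap_row` then guarantees that whatever is listed is inert markup.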