What’s inside the box?

A security researcher has shown how he was able to chain two vulnerabilities to achieve remote code execution (RCE) against Pandora FMS (Flexible Monitoring System).

The brace of bugs – discovered by Hungarian security researcher Matek Kamillo – were promptly fixed within a month of notification to developers of the computer network monitoring system, clearing the way for disclosure of technical details.

As explained in a detailed technical write-up by Kamillo, a stored cross-site scripting (XSS) flaw in the visual console component of the software could be combined with a file upload vulnerability to achieve RCE via malicious JavaScript.

Booby trap

The file upload vulnerability arises because a “relative path can be used as a directory name”, allowing the bypass of built-in protections that would normally prevent an arbitrary file upload.

Exploitation would require an attacker to create a malicious payload in the vulnerable visual console component of the enterprise software before tricking a legitimate administrator into triggering this booby trap. The event would trigger the download of malicious JavaScript and, in turn, the execution of malicious PHP code.
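The root cause of the upload bug, as described above, is that a relative path was accepted where a plain directory name was expected. The following Python is an added defensive illustration, not code from Pandora FMS or from Kamillo's write-up: it shows the input checks an upload handler needs so that a directory name can only ever be a single allowlisted segment, the file type is allowlisted by its final extension, and the normalised destination is confirmed to stay under the upload root. The upload root, the extension allowlist and the function names are assumptions chosen for the example.

```python
import os
import re

UPLOAD_ROOT = "/var/www/uploads"                 # hypothetical upload base directory
ALLOWED_EXTENSIONS = {".png", ".jpg", ".gif"}    # hypothetical allowlist for an image upload feature

# A directory name must be one plain segment: no "/", "\\", ".", "..", so a relative
# path such as "../../include" can never be smuggled in as a directory name.
SEGMENT_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")
# A file name follows the same rule; the leading alphanumeric also rejects dotfiles.
FILENAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,127}")


class UploadRejected(ValueError):
    """Raised when the supplied directory or file name fails validation."""


def safe_upload_path(directory: str, filename: str, root: str = UPLOAD_ROOT) -> str:
    """Return the absolute destination path for an upload, or raise UploadRejected."""
    # 1. Allowlist the directory name as a single segment (no separators, no "..").
    if not SEGMENT_RE.fullmatch(directory):
        raise UploadRejected(f"bad directory name: {directory!r}")

    # 2. Allowlist the file name in the same way.
    if not FILENAME_RE.fullmatch(filename):
        raise UploadRejected(f"bad file name: {filename!r}")

    # 3. Check the *last* extension, so "shell.php" and "image.png.php" are both refused.
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension not allowed: {ext!r}")

    # 4. Defence in depth: after normalisation the destination must still sit under root.
    root = os.path.normpath(root)
    dest = os.path.normpath(os.path.join(root, directory, filename))
    if os.path.commonpath([root, dest]) != root:
        raise UploadRejected("destination escapes upload root")
    return dest


def is_accepted(directory: str, filename: str) -> bool:
    """Convenience wrapper: True if the upload would be placed, False if rejected."""
    try:
        safe_upload_path(directory, filename)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one benign upload and several that should be refused.
    for d, f in [("icons", "logo.png"), ("../../include", "shell.php"),
                 ("icons/../..", "x.png"), ("icons", "image.png.php"), ("icons", ".htaccess")]:
        print(f"{d!r:20} {f!r:18} -> {'accepted' if is_accepted(d, f) else 'rejected'}")
```

Step 1 alone closes the "relative path as a directory name" hole; steps 3 and 4 are there so that a mistake in one check (for example a later relaxation of the regex) does not by itself turn into executable-file write access.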

The two resolved flaws are tracked as CVE-2021-35501 (XSS) and CVE-2021-34074 (file upload).

If successful, the attack would open a reverse shell on the vulnerable Pandora FMS installation.

Both vulnerabilities have been fixed in version 755 of Pandora FMS, released earlier this month.

Kamillo’s blog post offers a detailed technical walkthrough of the vulnerabilities, complete with code and demo videos.

Keys to the kingdom

The security researcher has history with Pandora FMS, previously discovering a PHP file upload vulnerability via the File Manager.

Kamillo told The Daily Swig that monitoring system products have access to multiple systems and store critical information. As such they are an attractive target for hackers (ethical or otherwise) since these “monitoring systems are the key to an entire kingdom”.

Existing familiarity with the Pandora FMS product allowed Kamillo to uncover vulnerabilities after half a day’s work.

Kamillo added that the flaws he found offered lessons for both pen testers and software developers.

“Administrative features are a critical part of any web application,” he explained. “In this case, the border between a web administrator and a console user is not clear. I found multiple file upload vulnerabilities in the same component.”

Kamillo continued: “User input handling is also a critical part of any web application. The XSS vulnerabilities are really dangerous and are widely misunderstood. I heard multiple times the following sentence: ‘It is not serious it is just an XSS’. With JavaScript, it is possible to do a lot of things.”

Security source code reviews and penetration tests must be part of every development process, according to Kamillo. “The automated source code review tools are not enough, manual testing is necessary,” he added.
