What’s inside the box?
A security researcher has shown how he was able to chain two vulnerabilities to achieve remote code execution (RCE) against Pandora FMS (Flexible Monitoring System).
The pair of bugs, discovered by Hungarian security researcher Matek Kamillo, was promptly fixed within a month of notification to the developers of the computer network monitoring system, clearing the way for disclosure of the technical details.
The file upload vulnerability arises because a “relative path can be used as a directory name”: the directory supplied with the upload is not confined to the intended upload location, so a directory name containing traversal sequences lets the attacker write the file outside that location, bypassing the built-in protections that would normally prevent an arbitrary file upload.
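To make that mechanism concrete, here is an added Python illustration (not Pandora FMS code, which is written in PHP, and not taken from Kamillo's post): a naive join of a user-supplied directory name onto the upload base, next to a containment check that rejects any result landing outside the base. The base directory and the sample directory names are constructed for the example.

```python
import posixpath

# Assumed base directory for this illustration only; Pandora FMS's real
# layout is not taken from the article, and this is not the project's code.
UPLOAD_BASE = "/var/www/app/uploads"


def naive_upload_path(directory: str, filename: str) -> str:
    """Vulnerable pattern: the user-controlled directory name is joined onto
    the base directory with no check that the result still lies inside it.
    A "relative path used as a directory name" such as "../../html" walks
    out of UPLOAD_BASE; an absolute component discards the base entirely."""
    return posixpath.join(UPLOAD_BASE, directory, filename)


def resolve_inside_base(directory: str, filename: str) -> str:
    """Hardened pattern: normalise the joined path and accept it only if it
    is the base directory itself or a descendant of it.

    normpath is used instead of realpath so the example runs without the
    directories existing; in production resolve symlinks as well
    (os.path.realpath) before performing the same prefix check."""
    candidate = posixpath.normpath(posixpath.join(UPLOAD_BASE, directory, filename))
    base = posixpath.normpath(UPLOAD_BASE)
    # Compare against base + "/" so a sibling such as "/var/www/app/uploads2"
    # does not slip past a plain prefix match.
    if candidate != base and not candidate.startswith(base + "/"):
        raise ValueError(f"upload path escapes base directory: {candidate}")
    return candidate


def escapes_base(directory: str, filename: str) -> bool:
    """True when the naive join would place the file outside UPLOAD_BASE."""
    try:
        resolve_inside_base(directory, filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: a benign upload, a traversal in the directory
    # name, an absolute directory name, and a traversal in the filename.
    samples = [
        ("images", "chart.png"),
        ("../../html", "shell.php"),
        ("/tmp", "shell.php"),
        ("images", "../../../etc/passwd"),
    ]
    for directory, filename in samples:
        verdict = "REJECT" if escapes_base(directory, filename) else "accept"
        print(f"{verdict:6}  {naive_upload_path(directory, filename)}")
```

The naive join is exactly what an extension blocklist cannot save: even when the filename is checked, a directory name that resolves outside the intended tree decides where the file actually lands.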
The two resolved flaws are tracked as CVE-2021-35501 (XSS) and CVE-2021-34074 (file upload).
If successful, the chained attack gives the attacker a reverse shell on the vulnerable Pandora FMS installation.
Both vulnerabilities have been fixed in version 755 of Pandora FMS, released earlier this month.
Kamillo’s blog post offers a detailed technical walkthrough of the vulnerabilities, complete with code and demo videos.
Keys to the kingdom
The security researcher has history with Pandora FMS, previously discovering a PHP file upload vulnerability via the File Manager.
Kamillo told The Daily Swig that monitoring system products have access to multiple systems and store critical information. As such, they are an attractive target for hackers (ethical or otherwise), since these “monitoring systems are the key to an entire kingdom”.
Existing familiarity with the Pandora FMS product allowed Kamillo to uncover vulnerabilities after half a day’s work.
Kamillo added that the flaws he found offered lessons for both pen testers and software developers.
“Administrative features are a critical part of any web application,” he explained. “In this case, the border between a web administrator and a console user is not clear. I found multiple file upload vulnerabilities in the same component.”
Security source code reviews and penetration tests must be part of every development process, according to Kamillo. “The automated source code review tools are not enough, manual testing is necessary,” he added.