ACTIVE-2019-008: Pandora FMS Local Privilege Escalation
Vulnerability Type:
Privilege Escalation
Vendors:
Pandora FMS
CVE ID:
CVE-2019-13035
Affected Products:
Pandora FMS 7.0 NG 734 and older
Summary:
Pandora FMS 7.0 NG 734 and older suffer from local privilege escalation due to improper permissions of C:\PandoraFMS directory and its sub-folders allowing standard users to create new files. Moreover, the Apache service httpd.exe will try to execute cmd.exe from the current directory, that is C:\PandoraFMS as NT AUTHORITY\SYSTEM upon web requests to the portal. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM on effected systems by dropping payload as cmd.exe in any of the problematic folders and then making web request to Pandora portal using the command wget http://localhost/pandora_console/index.php | Out-Null.
Mitigation:
Patch was released in Pandora FMS 7.0 NG 735.
Credit:
This vulnerability was found by Hashim Jawad of ACTIVELabs.
References:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13035
- https://nvd.nist.gov/vuln/detail/CVE-2019-13035
Disclosure Timeline:
- 04-01-19: ACTIVELabs contacted vendor via website
- 04-01-19: ACTIVELabs sent vulnerability details to CERT/CC
- 04-02-19: Vendor requested more details
- 04-02-19: CERT/CC acknowledge report
- 04-02-19: ACTIVELabs sent vulnerability details to vendor
- 04-04-19: Vendor was able to reproduce the bug and fix is queued for next release
- 05-06-19: Vendor communicated the patch did not make it to version 734 release due to ongoing QA testing
- 06-14-19: ACTIVELabs requested an update from the vendor
- 06-17-19: Vendor responded that patch was released on May in version 735
- 06-17-19: ACTIVELabs requested CVE from MITRE
- 06-17-19: ACTIVELabs publishes this advisory
- 06-29-19: CVE-2019-13035 CVE entry has been assigned