ACTIVE-2019-008: Pandora FMS Local Privilege Escalation

Vulnerability Type:

Privilege Escalation

Vendors:

Pandora FMS

CVE ID:

CVE-2019-13035

Affected Products:

Pandora FMS 7.0 NG 734 and older

Summary:

Pandora FMS 7.0 NG 734 and older are vulnerable to local privilege escalation because of improper permissions on the C:\PandoraFMS directory and its sub-folders, which allow standard users to create new files. Moreover, upon web requests to the portal, the Apache service httpd.exe tries to execute cmd.exe from the current directory, C:\PandoraFMS, as NT AUTHORITY\SYSTEM. Together these allow a non-privileged user to escalate privileges to NT AUTHORITY\SYSTEM on affected systems by dropping a payload as cmd.exe in any of the problematic folders and then making a web request to the Pandora portal using the command wget http://localhost/pandora_console/index.php | Out-Null.

Mitigation:

A patch was released in Pandora FMS 7.0 NG 735.
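
For hosts that cannot be upgraded immediately, the two conditions described in the summary can be audited directly. The script below is an added example, not code from ACTIVELabs or Pandora FMS; the install root comes from the advisory, while the list of low-privilege SIDs and the assumption that a legitimate install ships no cmd.exe of its own are choices made for this example.

```powershell
# Audit a Pandora FMS tree for (1) directories where standard users can create
# files and (2) any cmd.exe planted inside the tree.
param([string]$Root = 'C:\PandoraFMS')   # default path taken from the advisory

# Well-known SIDs of groups that contain standard users (example selection).
$lowPriv = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}
# CreateFiles (0x2), CreateDirectories (0x4), GENERIC_WRITE, GENERIC_ALL.
# Raw generic bits are checked because Get-Acl can return them unmapped.
$writeMask   = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]

$dirs = @(Get-Item -LiteralPath $Root) +
        @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

$findings = @(foreach ($dir in $dirs) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        # Skip inherit-only ACEs: they do not apply to this directory itself,
        # and the child directories they do apply to are visited separately.
        if ($ace.AccessControlType -eq 'Allow' -and $lowPriv.ContainsKey($sid) -and
            (([int]$ace.PropagationFlags -band $inheritOnly) -eq 0) -and
            (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
            [pscustomobject]@{
                Check  = 'WritableByStandardUsers'
                Path   = $dir.FullName
                Detail = '{0}: {1}' -f $lowPriv[$sid], $ace.FileSystemRights
            }
        }
    }
})

# Assumption: the real cmd.exe lives under %SystemRoot%, so any copy here is suspect.
$findings += @(Get-ChildItem -LiteralPath $Root -Filter 'cmd.exe' -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Check  = 'UnexpectedCmdExe'
            Path   = $_.FullName
            Detail = 'Owner={0}; Signature={1}' -f (Get-Acl -LiteralPath $_.FullName).Owner,
                     (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
        }
    })

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { "No findings under $Root" }
```

Run it from an elevated prompt so every sub-folder ACL is readable; an empty result on version 734 or older still warrants the upgrade to 735.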

Credit:

This vulnerability was found by Hashim Jawad of ACTIVELabs.

References:

Disclosure Timeline:

  • 04-01-19: ACTIVELabs contacted vendor via website
  • 04-01-19: ACTIVELabs sent vulnerability details to CERT/CC
  • 04-02-19: Vendor requested more details
  • 04-02-19: CERT/CC acknowledged report
  • 04-02-19: ACTIVELabs sent vulnerability details to vendor
  • 04-04-19: Vendor was able to reproduce the bug and the fix is queued for next release
  • 05-06-19: Vendor communicated the patch did not make it to version 734 release due to ongoing QA testing
  • 06-14-19: ACTIVELabs requested an update from the vendor
  • 06-17-19: Vendor responded that patch was released in May in version 735
  • 06-17-19: ACTIVELabs requested CVE from MITRE
  • 06-17-19: ACTIVELabs publishes this advisory
  • 06-29-19: CVE-2019-13035 CVE entry has been assigned