Monitoring solutions are attractive targets for attackers, as these typically have access to the devices that they monitor and serve as a starting point to compromise other parts of the infrastructure. Hence we decided to take a closer look at these during the web application security research in our Security R&D team. As a result, we discovered several code vulnerabilities in Pandora FMS console version 742.
Pandora FMS is an open source software for monitoring IT infrastructure and networks. It can monitor the status and performance of network equipment, operating systems, virtual infrastructure and all different kinds of security-sensitive applications and systems such as firewalls, databases and web servers. Its enterprise edition is used by many industry leaders, for example AON, Allianz and Toshiba.
We reported the following vulnerabilities responsibly to the affected vendor who released a security patch version 743 immediately:
- SQL Injection (pre authentication)
- Phar deserialization (pre authentication)
- Remote File Inclusion (lowest privileged user)
- Cross-Site Request Forgery (CSRF)
These vulnerabilities enable remote attackers to execute arbitrary code on any Pandora FMS 742 server. No prior knowledge, access privilege or specific configuration is required by an attacker. The systems that are connected for monitoring to Pandora FMS may be directly prone to further attacks.
We have published a blog post with a technical root cause analysis of the most severe code vulnerability, how it can be exploited by attackers (including a video), and how the vulnerable code was patched.
Read blog post
Hi Johannes Dahse,
I recently read your blog and found it insightful. I attempted to reproduce the CVE you mentioned.
In your blog, you mentioned that the function
session_decode() is capable of deserializing arbitrary objects, similar to the function
unserialize(). You also stated that this presents an attack vector where an attacker could deserialize arbitrary objects via SQL Injection.
I have a question regarding this attack vector. Is it related to Phar deserialization (pre authentication), or is it a separate attack vector altogether? I would appreciate it if you could provide some clarification and further explanation on this topic.
Thank you in advance for your assistance.
I am happy to hear that you found our blog post helpful.
The PHP built-in function session_decode() deserializes the data that is provided as the first argument. If attackers can control this data, then they are able to modify the serialized data that is deserialized which allows to instantiate arbitrary objects. You can learn more about serialization, deserialization and this attack vector here:
In the specific case of PandoraFMS, attackers were able to exploit a SQL injection vulnerability in such a way that they are able to modify the session data. For this application, it resulted in another potential attack vector because now they controlled the data in session_decode() that will be deserialized. In general, a PHP Object Injection via session_decode() does not has to do anything with a SQL Injection. It also does not has something to do with the Phar Deserialization, although the attack vector is similar (deserialization of untrusted data).
I hope this helps!