CVE-2010-4279
Published 2010-12-02
Priority: P273 · critical · CVSS 2.0 score 10
CVSS vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 65.62% (99.2th percentile)
The default configuration of Pandora FMS 3.1 and earlier specifies an empty string for the loginhash_pwd field, which allows remote attackers to bypass authentication by sending a request to index.php with "admin" in the loginhash_user parameter, in conjunction with the md5 hash of "admin" in the loginhash_data parameter.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| artica | pandora_fms | <= 3.1 | — |
| artica | pandora_fms | — | — |
| artica | pandora_fms | — | — |
| artica | pandora_fms | — | — |
| artica | pandora_fms | — | — |
| artica | pandora_fms | — | — |
| artica | pandora_fms | — | — |
| artica | pandora_fms | — | — |
| artica | pandora_fms | — | — |
Detection & IOCs
URL: http://servername/pandora_console/index.php?loginhash_data=21232f297a57a5a743894a0e4a801fc3&loginhash_user=admin&loginhash=1
Command: GET /pandora_console/index.php?loginhash_data=21232f297a57a5a743894a0e4a801fc3&loginhash_user=admin&loginhash=1
- Detect HTTP GET requests to index.php with all three parameters: loginhash=1, loginhash_user=admin, and loginhash_data=21232f297a57a5a743894a0e4a801fc3 (MD5 of 'admin').
- Alert on POST requests to /pandora_console/index.php with query parameters sec=gsetup&sec2=godmode/setup/file_manager combined with multipart file upload, indicating exploitation of the file upload primitive post-auth-bypass.
- Monitor for newly created .php files inside the /pandora_console/images/ directory, as the exploit uploads a randomly named PHP payload (7 random digits + .php) there for remote code execution.
- Check HTTP response bodies for the string 'Logout' following a loginhash GET request: the Metasploit module uses this as confirmation of successful authentication bypass.
- Fingerprint vulnerable Pandora FMS versions by checking the login page body for the string 'v3.1 Build PC10060', which the Metasploit module uses to confirm a vulnerable target.
- The vulnerability is only exploitable when the loginhash_pwd configuration value is an empty string, which is the default. Installations where this value has been set to a non-empty secret are not directly vulnerable to the trivial bypass.
- Version 3.1.1 added a guard requiring loginhash_pwd to be non-empty before accepting hash-based logins, but still uses weak MD5. The fix recommends replacing md5($user.$key) with hash_hmac('sha256', $user, $key).
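The empty-key guard and the recommended HMAC change from the last note, modelled in Python as an added example (the console itself is PHP, and this is not the project's code). The function names and the sample secret are assumptions; the legacy check follows the md5($user.$key) form quoted above.

```python
import hashlib
import hmac


def legacy_check(user, data, key):
    """3.1-style check as described on this page: md5($user.$key), no guard."""
    return data == hashlib.md5((user + key).encode()).hexdigest()


def make_token(user, key):
    """Token in the recommended form: hash_hmac('sha256', $user, $key)."""
    return hmac.new(key.encode(), user.encode(), hashlib.sha256).hexdigest()


def hardened_check(user, data, key):
    """Reject an unset secret, then compare HMAC-SHA256 in constant time."""
    if not key:
        # Hash login stays disabled until an administrator sets a secret.
        return False
    expected = make_token(user, key)
    # Compare as bytes so non-ASCII input is rejected instead of raising.
    return hmac.compare_digest(expected.encode(), data.encode())


def compare(user, data, key):
    """Return (legacy_result, hardened_result) for the same request."""
    return legacy_check(user, data, key), hardened_check(user, data, key)


# Constructed inputs: the hash is the MD5 of 'admin' quoted on this page,
# and 'example-secret' is a placeholder for a configured loginhash_pwd.
ADMIN_MD5 = "21232f297a57a5a743894a0e4a801fc3"

if __name__ == "__main__":
    print(compare("admin", ADMIN_MD5, ""))                # default config
    print(compare("admin", ADMIN_MD5, "example-secret"))  # secret configured
```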
No detection rules found.
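An added detection sketch (not a rule from any of the indexed sources) that runs the request indicators listed under Detection & IOCs over access-log lines. It goes beyond the single admin hash by flagging any loginhash_user whose loginhash_data equals the MD5 of the username, which is what an empty loginhash_pwd accepts; the log format, labels and sample lines are assumptions.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Request field of a combined-format access log: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges), not from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Dec/2010:10:00:00 +0000] "GET /pandora_console/index.php'
    '?loginhash_data=21232f297a57a5a743894a0e4a801fc3&loginhash_user=admin&loginhash=1 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Dec/2010:10:00:05 +0000] "POST /pandora_console/index.php'
    '?sec=gsetup&sec2=godmode/setup/file_manager HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Dec/2010:10:01:00 +0000] "GET /pandora_console/index.php'
    '?loginhash=1&loginhash_user=operator&loginhash_data=0123456789abcdef0123456789abcdef HTTP/1.1" 200 900',
    '198.51.100.7 - - [01/Dec/2010:10:02:00 +0000] "GET /pandora_console/index.php HTTP/1.1" 200 7000',
]


def classify(line):
    """Return a finding label for one access-log line, or None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/index.php"):
        return None
    q = parse_qs(url.query)
    user = q.get("loginhash_user", [""])[0]
    data = q.get("loginhash_data", [""])[0].lower()
    if "1" in q.get("loginhash", []) and user:
        # With an empty loginhash_pwd, md5($user.$key) is just md5($user).
        if data == hashlib.md5(user.encode()).hexdigest():
            return "loginhash-empty-key"
        return "loginhash-login"
    if (m.group("method") == "POST" and "gsetup" in q.get("sec", [])
            and "godmode/setup/file_manager" in q.get("sec2", [])):
        return "file-manager-post"
    return None


def scan(lines):
    """Return (line_number, label) for every line that matches an indicator."""
    hits = []
    for number, line in enumerate(lines, start=1):
        label = classify(line)
        if label:
            hits.append((number, label))
    return hits
```

A loginhash-empty-key hit followed by a file-manager-post from the same client is the sequence the indicators above describe; loginhash-login on its own only shows that hash-based login is in use.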
Exploit-DB
Pandora FMS 3.1 - Authentication Bypass / Arbitrary File Upload (Metasploit)
exploitdb·2015-01-08
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 "Pandora v3.1 Auth Bypass and Arbitrary File Upload Vulnerability",
'Description' => %q{
This module exploits an authentication bypass vulnerability in Pandora v3.1 as
disclosed by Juan Galiana Lara. It also integrates with the built-in pandora
upload which allows a user to upload arbitrary files to the '/images/' directory.
This module was created as an exercise in the Metasploit Mastery Class at Blackhat
that was facilitated by egypt and mubix.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Juan Galiana Lara', # Vulnerability discover
Exploit-DB
Pandora FMS 3.1 - Authentication Bypass
exploitdb·2010-11-30·CVSS 10.0
---
[+] Introduction
Pandora FMS (for Pandora Flexible Monitoring System) is a software
solution for monitoring computer networks. It allows monitoring in a
visual way the status and performance of several parameters from
different operating systems, servers, applications and hardware systems
such as firewalls, proxies, databases, web servers or routers.
It can be deployed in almost any operating system. It features remote
monitoring (WMI, SNMP, TCP, UDP, ICMP, HTTP...) and it can also use
agents. An agent is available for each platform. It can also monitor
hardware systems with a TCP/IP stack, such as load balancers, routers,
network switches, printers or firewalls.
This software has several servers that process and get information from
differe
Metasploit
Pandora FMS v3.1 Auth Bypass and Arbitrary File Upload Vulnerability
metasploit
This module exploits an authentication bypass vulnerability in Pandora FMS v3.1 as disclosed by Juan Galiana Lara. It also integrates with the built-in pandora upload which allows a user to upload arbitrary files to the '/images/' directory. This module was created as an exercise in the Metasploit Mastery Class at Blackhat that was facilitated by egypt and mubix.
No writeups or analysis indexed.
- http://osvdb.org/69549
- http://packetstormsecurity.com/files/129830/Pandora-3.1-Auth-Bypass-Arbitrary-File-Upload.html
- http://seclists.org/fulldisclosure/2010/Nov/326
- http://secunia.com/advisories/42347
- http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download
- http://www.exploit-db.com/exploits/15639
- http://www.securityfocus.com/archive/1/514939/100/0/threaded
- http://www.securityfocus.com/bid/45112
- https://www.exploit-db.com/exploits/35731/