A Hungarian ethical hacker has found a vulnerability with a severity of 9.8 by international standards in the Pandora FMS monitoring software run by several multinational companies. The software manufacturer has fixed the bug and the news has also been picked up by the international press. The hacker used chained vulnerabilities to gain access to the Pandora server.

Kamilló Matek, a senior ethical hacker in KPMG’s CyberLab team, published a vulnerability in the Pandora FMS monitoring system rated at 9.8 on a scale of 1 to 10 based on the international standard CVSS methodology.

Vulnerability classification is carried out by an international organisation (MITRE) whose main task is to maintain a vulnerability database (NVD) as well as to analyse and publish the vulnerabilities identified. This database is accessible to everyone, so security professionals, and even lay people, can check how secure the software they use is. Professionals report a lot of bugs on this platform, which makes the security of internationally distributed IT systems transparent, raises the quality of competition and benefits all users.

For the sake of transparency, MITRE is also responsible for classifying and publishing the severity of these security issues on a scale of 1-10. The most important factor in determining the severity of a vulnerability is the extent to which an attacker can exploit it to affect the operation of the system, the data it stores and access to it. Pandora FMS is an internationally renowned monitoring software used by many multinational companies, as well as several government systems all around the world.

Poorly protected guestbook

A large organisation has a lot of computers and services, and running and monitoring them is a mammoth task that can only be done with some kind of monitoring system. The latter and its functions can be thought of as the control centre of a nuclear power plant. A central interface shows the status of the specific organisation’s systems, services and software in real time, and alerts the operator to any incident. Such incidents may include hardware failures, software bugs or even a security incident; the key is that the operating staff are informed and automatic protection measures are taken. If this is not enough, the IT team takes a pre-defined set of steps to mitigate the situation, start fixing the problem and identify the root causes.

By their nature, monitoring systems have access to the systems they monitor and may contain a lot of sensitive information, such as login credentials, network information and security settings. Such information can be crucial to a hacker, and in many cases the content of the monitoring system itself is the “key to the whole organisation's systems”.

One such system is Pandora FMS, where the Hungarian hacker exploited a combination of several vulnerabilities by applying a so-called chained vulnerability exploit.

The fundamental bug was caused by Cross Site Scripting, or XSS for short. This means that in some cases the system does not properly check the input data from the user and saves it to the database without reliable filtering. In such cases, what a user posts to another user in a chat may not be a message at all, but a piece of code that the other user's browser will run without complaint.

Just imagine a poorly protected guestbook in which someone inserts malicious code instead of a review of the service! The other guests and the system operator regularly open the page, and that is when their computer runs the code. This is what happened with Pandora FMS. Using basic access, the hacker placed the malicious code, written in JavaScript, into the input field used to define the “visual console”. It is important to note that this is the only step the attacker needs to take; everything else is automatic.

Do anything, access anything

In the case of Pandora, the hacker placed the code into the Visual Console event interface and he only had to wait for a user with web admin privileges to open this interface, which is often the case with this “visual console”. When the user opened the page, the code placed by the attacker was downloaded and executed without warning, in the admin user’s name and in his browser. And this is the beauty of this attack: the attacker’s identity is likely to remain hidden because from the outside, an authorised person has performed operations on the system.

The real power of XSS comes into play with the next step. The attacker’s code now has access to web administrator functions, not only user functions. Whatever an admin user can do with their browser, the JavaScript code can also do. If the administrator file-upload function itself contains a bug or vulnerability, and this is where organising the bugs into a chain begins, the JavaScript code can exploit it. In this case, the script uploaded and executed another attacker code written in PHP. This code runs on the server infrastructure, i.e. on the web server, and as a final step it gives the attacker command-line access.
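The two links of the chain described above (unfiltered input rendered to an admin, then an over-permissive admin upload), each shown in a vulnerable and a hardened form, as an added example in JavaScript that is not Pandora FMS code; the function names, the extension lists and the sample label are constructed for illustration.

```javascript
// Added example, not Pandora FMS code: the two defensive controls that break the
// chain described above. All names and the sample label are constructed.

// Link 1: a stored label is rendered into the HTML body of the admin's page.
// Encoding it for that context turns markup into inert text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering: the stored value is concatenated into the page as-is,
// so markup in the label becomes live script in the viewer's browser.
function renderLabelUnsafe(label) {
  return `<div class="label">${label}</div>`;
}

// Hardened rendering: same template, but the value is encoded on output.
function renderLabelSafe(label) {
  return `<div class="label">${escapeHtml(label)}</div>`;
}

// Link 2: an admin file-upload handler. Only extensions the feature needs are
// accepted, every extension in the name is checked (catches "x.php.png"), and
// path separators and NUL bytes are rejected outright.
const ALLOWED_EXTENSIONS = new Set(['png', 'jpg', 'jpeg', 'gif']);
const SERVER_EXECUTABLE = new Set(['php', 'phtml', 'php3', 'php4', 'php5', 'phar', 'cgi']);

function isUploadAllowed(filename) {
  const name = String(filename).toLowerCase();
  if (/[\\\/\0]/.test(name)) return false;          // no paths, no NUL truncation
  const parts = name.split('.');
  if (parts.length < 2 || parts[0] === '') return false; // need "base.ext", not ".ext"
  const exts = parts.slice(1);
  if (exts.some((e) => SERVER_EXECUTABLE.has(e))) return false; // any executable ext
  return ALLOWED_EXTENSIONS.has(exts[exts.length - 1]);         // final ext allow-listed
}

// Constructed sample: a label that carries markup instead of text.
const SAMPLE_LABEL = '<script>alert(1)</script>';
console.log(renderLabelUnsafe(SAMPLE_LABEL)); // markup reaches the browser as script
console.log(renderLabelSafe(SAMPLE_LABEL));   // markup reaches the browser as text
console.log(isUploadAllowed('logo.png'), isUploadAllowed('shell.php.png')); // true false
```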

This command-line access allows the attacker to perform any operation on the server infrastructure, access the database and networking data as well as sensitive information on the server. With this access, the attacker can perform operations on the system, modify and manipulate the monitored systems and the security measures.

Hotfix

The ethical hacker discovered various vulnerabilities by scanning the source code with tools he had created himself. By combining and leveraging them together, he gained ever higher levels of access in the software environment. Being an ethical hacker, he reported the vulnerabilities to the software manufacturer and MITRE. At the same time, he sent the manufacturer the technical information needed for analysis and troubleshooting, along with sample attack code (a proof of concept) and a demonstration video. The vulnerabilities were investigated and fixed by the manufacturer. After the hotfix was published, the hacker disclosed the vulnerabilities on his website, and MITRE investigated and published the report, classifying it as a 9.8-severity, i.e. critical, vulnerability.

Unfortunately, most software is not subjected to any security source code testing at all. Even when it is, source code inspection is only done by automated means because it is relatively fast and cheap. These tools, while capable of revealing many vulnerabilities and bugs, are no match for human expertise. It’s like a spell checker or translation software: misspelled words are spotted and translated words are put together with varying degrees of success, but even today this does not produce texts that are grammatically correct, let alone ones with impeccable style or content.

Pandora FMS is open-source and its source code has been independently analysed on several occasions, yet some of the security vulnerabilities discovered had been present in the system for many years, and it was the chaining of these vulnerabilities that allowed the Hungarian ethical hacker to gain access.

Aged 36, Kamilló Matek graduated from ELTE as a computer programmer. He later completed the KCEH Ethical Hacker Training and then continued educating himself. As a result, he also holds the internationally recognised OSWP, OSCP and OSWE certificates. Where some people collect matchboxes or watch TV shows, he analyses systems and creates attack code in his spare time. In the last few years, his hobby has led to the identification of 11 vulnerabilities (including this one) classified as medium, high or critical by MITRE.

Kamilló joined KPMG’s CyberLab team in 2020, where he performs vulnerability assessments, penetration tests, source code analysis, phishing campaigns and related activities.