Pandora FMS Remote Code Execution
This module exploits a vulnerability found in Pandora FMS 5.0RC1 and lower. It will leverage an unauthenticated command injection in the Anyterm service on port 8023/TCP. Commands are executed as the user "pandora". In Pandora FMS 4.1 and 5.0RC1 the user "artica" is not assigned a password by default, which makes it possible to su to this user from the "pandora" user. The "artica" user has access to sudo without a password, which makes it possible to escalate privileges to root. However, Pandora FMS 4.0 and lower force a password for the "artica" user during installation.
- xistence <xistence [at] 0x90.nl>
- Pandora 5.0RC1
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/linux/http/pandora_fms_exec msf exploit(pandora_fms_exec) > show targets ...targets... msf exploit(pandora_fms_exec) > set TARGET <target-id> msf exploit(pandora_fms_exec) > show options ...show and set options... msf exploit(pandora_fms_exec) > exploit