Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Pandora FMS Remote Code Execution Vulnerability via Anyterm Web Interface

Vulnerability

A remote command execution vulnerability has been identified in Pandora FMS versions through 5.0RC1. This vulnerability is present in the Anyterm web interface, which operates on TCP port 8023. The issue arises from the anyterm-module endpoint, which accepts unsanitized user input through the p parameter and injects it directly into a shell command. This allows for arbitrary command execution as the pandora user. In Pandora FMS versions 4.1 and 5.0RC1, the pandora user can escalate privileges to root without a password by exploiting the artica user account, which is typically installed without a password and configured to run sudo without authentication. As a result, full system compromise is possible without any credentials.

Impact

Exploitation of this vulnerability leads to unauthorized remote code execution on the affected system, with the potential for privilege escalation to root in certain versions.

Reproduction

The vulnerability can be reproduced by sending a POST request to the anyterm-module endpoint on an affected Pandora FMS instance. The request must include the unsanitized user input in the p parameter, which will be injected into a shell command and executed as the pandora user. In versions 4.1 and 5.0RC1, this can be followed by switching to the artica user and using sudo to gain root privileges.
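The privilege-escalation step depends on an account that has both an empty password and passwordless sudo. The following audit check is an added example, not code from this advisory or from Pandora FMS. It parses text in /etc/shadow and sudoers format and reports accounts that meet both conditions. The function names and sample data are constructed for illustration.

```python
# Constructed sample data in /etc/shadow and sudoers format (not from a real host).
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
pandora:!:19000:0:99999:7:::
artica::19000:0:99999:7:::
"""
SAMPLE_SUDOERS = """\
# constructed example
root    ALL=(ALL) ALL
artica  ALL=(ALL) NOPASSWD: ALL
%wheel  ALL=(ALL) ALL
"""


def empty_password_users(shadow_text):
    """Accounts whose shadow password field is empty (no password required)."""
    users = set()
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] and fields[1] == "":
            users.add(fields[0])
    return users


def nopasswd_sudo_users(sudoers_text):
    """Subjects of sudoers rules tagged NOPASSWD (a leading % marks a group).

    Simplification: aliases and #include files are not expanded, so run it
    over each file under /etc/sudoers.d as well.
    """
    subjects = set()
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        if "NOPASSWD:" in line:
            subjects.add(line.split()[0])
    return subjects


def passwordless_root_paths(shadow_text, sudoers_text):
    """Accounts that need no password to log in and none to run sudo."""
    return sorted(empty_password_users(shadow_text) & nopasswd_sudo_users(sudoers_text))


if __name__ == "__main__":
    # On a real host, pass the contents of /etc/shadow and /etc/sudoers instead.
    for user in passwordless_root_paths(SAMPLE_SHADOW, SAMPLE_SUDOERS):
        print(f"FINDING: '{user}' has an empty password and NOPASSWD sudo")
```

Any account it reports should be given a password or locked, and its NOPASSWD rule removed or narrowed.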

Added: Jul 31, 2025, 3:45 PM
Updated: Jul 31, 2025, 3:45 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 10.0
exploitability: 9.8
remediation: 0.0
relevance: 0.3
threat: 9.1
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.