June 23, 2022

Remote Command Execution in Artica Pandora FMS 744 (CVE-2020-13851)

In this tutorial, we will see how to perform a get a reverse shell by triggering a RCE (Remote Code Execution) vulnerability in Artica Pandora FMS. The vulnerability exists in the "Events" page of the FMS.

Click on "Events" and then "View events".

Navigating to 'View events' in Artica Pandora FMS.

This is the captured request in Burp Suite. Send it to Burp Repeater.

Capturing the 'View events' HTTP request in Burp Suite.

Let's delete all the irrelevant stuff and only keep the parameters that are needed. Enter in a Bash reverse shell command for the value of the "target" parameter.

Executing a Bash reverse shell command in Artica Pandora FMS.

We receive a reverse shell on our netcat listener. It is important to have netcat listening before executing the reverse shell command.

Receiving reverse shell on the netcat listener.

If you liked reading this article, you can follow me on Twitter: 0xmaCyberSec.