Parallels virtuozzo's VZPP multiple csrf vulnerabilities

2009-03-17 / 2009-03-18
Credit: poplix
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-352

hello, Parallels (www.parallels.com) has developed a server virtualization system called Virtuozzo. It comes with a web interface, called VZPP, (very similar to parallel's Plesk) that allows system admins to manage their virtual servers. Unfortunatly this nice web interface is affected by multiple csrf vulnerabilities. Since VZPP can do almost anything on target server a successful exploitation leads to the full compromise of the target. In the new "Version 365.6.swsoft (build: 4.0.0-365.6.swsoft)" (maybe the latest) some issue have been fixed and others not. Timeline: 29 Jan 2008. A csrf vulnerability has been discovered (and reported to vendor) in the "change password" section allowing an attacker to reset server's root password by encting a user to visit a malicious website while logged into VZPP. This issue has been tested against "Version 25.4.swsoft (build: 3.0.0-25.4.swsoft)" and has been fixed in new version. 14 Feb 2008.Parallels developers released a patch for the "change password" module and have been informed that others VZPP's sections may be vulnerable to csrf attacks. 20 Mar 2008. a proof of concept that exploits csrf in the VZPP's file manager has been sent to parallels team. This pof overwrites an arbitrary file on target virtual server leading to a total system compromise. Today i'm still waiting for the vendor's ack of the filemanager issue.. Probably other sections are vulnerable but no other tests have been performed yet Proof-of-concept for the "change password" section: http://px.dynalias.org/files/virtuozzo_pwd.html.txt Proof-of-concept for the "file manager" section: http://px.dynalias.org/files/virtuozzo_overwrite.html.txt cheers, -p http://px.dynalias.org

References:

http://xforce.iss.net/xforce/xfdb/41640
http://www.securityfocus.com/bid/28589
http://www.securityfocus.com/archive/1/archive/1/490409/100/0/threaded
http://secunia.com/advisories/29675
http://osvdb.org/44395


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top