VestaCP 0.9.8 – File Upload CSRF – Digitalmunition




Exploit/Advisories spider-orange.png

Published on March 17th, 2021 📆 | 5007 Views ⚑

0

VestaCP 0.9.8 – File Upload CSRF

# Exploit Title: VestaCP 0.9.8 - File Upload CSRF
# Exploit Author: Fady Othman 
# Date: 16-03-2021
# Vendor Homepage: https://vestacp.com/
# Software Link: https://github.com/myvesta/vesta
# Version: Vesta Control Panel (aka VestaCP) through 0.9.8-27 and myVesta through 0.9.8-26-39
# CVE ID: CVE-2021-28379
# Patch: https://github.com/myvesta/vesta/commit/3402071e950e76b79fa8672a1e09b70d3860f355

## Description
I found that the checks performed by the upload functionality are insufficient, the upload functionality is vulnerable to CSRF, in addition it allows uploading files and creating folders under "/tmp" and under the home folder (usually "/home/admin"), the later is the one that is important for this exploit to work.

I was able to use this to create a ".ssh" folder in the admin home and upload "authorized_keys" file which allowed me to access the server later as "admin" using SSH.

Since this relies on a *CSRF* the admin has to visit a link, please note that *sshd* is already installed by *VestaCP* when using the default installation script so no need to install it, also please note that files can be replaced so even if the admin has already added "authorized_keys" file, it will be replaced with the attacker's file.

Affected endpoint: "/upload/index.php", i.e. "/upload/index.php?dir=/home/admin/.ssh/"

## Steps to reproduce.
1. Install the latest version of VestaCP in your machine by following the instructions at https://vestacp.com/install/.
2. Login as the admin in Firefox, then open "exploit.html".
3. ssh into the machine using 'ssh -i id_rsa [email protected]', now you have access as admin.

# exploit.html 


  

Source link

Tagged with:



Leave a Reply