Vesta: VestaCP LPE leads to RCE as root

Created on 3 Feb 2021  路  5Comments  路  Source: serghey-rodin/vesta

Hi,

We would like to report this vulnerability, I rather not share the technical details inside a public issue, so let me know to proceed

1.Vulnerability Title

VestaCP LPE leads to RCE as root

2.Date of submission

2020-02-03

3.Description of Product (from vendor/site)

http://vestacp.com/ - Vesta is an open source hosting control panel.

4.Description of Vulnerability

4.1 Title

4.2 Product

Vesta Control Panel

4.3 Version

Latest version: 0.9.8-27 Pre-release as available in https://github.com/serghey-rodin/vesta, latest commit as of this time is https://github.com/serghey-rodin/vesta/commit/1b85b7b313975b66c6f2cc50cc39e38372a760ae.

4.4 Homepage

http://vestacp.com/

4.5 Binary Affected

vesta/web/api/index.php
vesta/bin/v-generate-api-key
vesta/bin/v-list-user

## 4.6 Binary Version
-

## 4.7 Binary MD5
-

5.Configuration Requirements

It is required that an API key has been generated, at least one API key should be present in the system. We do not need to know this API key, it just has to be present in the system.

6.Vulnerability Requirements

We need access to a low privilege user account.

7.Vulnerability Summary Information

7.1 Vulnerability Class

Local Privilege Escalation

7.2 Affected Versions Tested

Latest version: 0.9.8-27 Pre-release as available in https://github.com/serghey-rodin/vesta, latest commit as of this time is https://github.com/serghey-rodin/vesta/commit/1b85b7b313975b66c6f2cc50cc39e38372a760ae.

7.3 Affected Versions Assumed (explain assumption)

Every version that contains v-generate-api-key

## 7.4 Unaffected Versions
-

7.5 Affected Platforms Tested (Windows, Linux, 32bit, 64bit, 10 RS1, 10 RS2, 2016, Ubuntu, etc.)

It was tested on Ubuntu 18.04, but all platforms should be affected.

security

Most helpful comment

@ssd-disclosure Please send the information to [email protected]. I am afraid the security issue might affect Hestia aswell

All 5 comments

@ssd-disclosure Please send the information to [email protected]. I am afraid the security issue might affect Hestia aswell

@ssd-disclosure can you also send more information and maybe a POC to [email protected]?

Hi, me and @madeITBelgium are official developers of VestaCP, and yes, I agree with @madeITBelgium, please send it to [email protected] so we can see it.

@ssd-disclosure Just to inform that we probaly found and fixed the issue for the hestia project. We havent made any public commits yet but plan to release a hotfix asap. We would love if you could share future security issues directly with us aswell :). If you want to reach us, you can contact us at any time under [email protected].

@dpeca Please check the #security channel on our hestia discord server for additional informations.

@ssd-disclosure just to inform you that we received LPE you sent on [email protected]

@ScIT-Raphael sure :)

Was this page helpful?
0 / 5 - 0 ratings

Related issues

luizjr picture luizjr  路  8Comments

cakama3a picture cakama3a  路  5Comments

marii89 picture marii89  路  4Comments

SteenSchutt picture SteenSchutt  路  7Comments

Prince-M picture Prince-M  路  4Comments