Hi,
We would like to report this vulnerability, I rather not share the technical details inside a public issue, so let me know to proceed
VestaCP LPE leads to RCE as root
2020-02-03
http://vestacp.com/ - Vesta is an open source hosting control panel.
Vesta Control Panel
Latest version: 0.9.8-27 Pre-release as available in https://github.com/serghey-rodin/vesta, latest commit as of this time is https://github.com/serghey-rodin/vesta/commit/1b85b7b313975b66c6f2cc50cc39e38372a760ae.
vesta/web/api/index.php
vesta/bin/v-generate-api-key
vesta/bin/v-list-user
## 4.6 Binary Version
-
## 4.7 Binary MD5
-
It is required that an API key has been generated, at least one API key should be present in the system. We do not need to know this API key, it just has to be present in the system.
We need access to a low privilege user account.
Local Privilege Escalation
Latest version: 0.9.8-27 Pre-release as available in https://github.com/serghey-rodin/vesta, latest commit as of this time is https://github.com/serghey-rodin/vesta/commit/1b85b7b313975b66c6f2cc50cc39e38372a760ae.
Every version that contains v-generate-api-key
## 7.4 Unaffected Versions
-
It was tested on Ubuntu 18.04, but all platforms should be affected.
@ssd-disclosure Please send the information to [email protected]. I am afraid the security issue might affect Hestia aswell
@ssd-disclosure can you also send more information and maybe a POC to [email protected]?
Hi, me and @madeITBelgium are official developers of VestaCP, and yes, I agree with @madeITBelgium, please send it to [email protected] so we can see it.
@ssd-disclosure Just to inform that we probaly found and fixed the issue for the hestia project. We havent made any public commits yet but plan to release a hotfix asap. We would love if you could share future security issues directly with us aswell :). If you want to reach us, you can contact us at any time under [email protected].
@dpeca Please check the #security channel on our hestia discord server for additional informations.
@ssd-disclosure just to inform you that we received LPE you sent on [email protected]
@ScIT-Raphael sure :)
Most helpful comment
@ssd-disclosure Please send the information to [email protected]. I am afraid the security issue might affect Hestia aswell