lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 3 Apr 2008 00:01:04 +0200
From: poplix <poplix@...uasia.org>
To: bugtraq@...urityfocus.com
Subject: Parallels virtuozzo's VZPP multiple csrf vulnerabilities

hello,
Parallels (www.parallels.com) has developed a server virtualization  
system called Virtuozzo. It comes with a web interface, called VZPP,  
(very similar to parallel's Plesk) that allows system admins to  
manage their virtual servers.
Unfortunatly this nice web interface is affected by multiple csrf  
vulnerabilities. Since VZPP can do almost anything on target server a  
successful exploitation leads to the full compromise of the target.
In the new "Version 365.6.swsoft (build: 4.0.0-365.6.swsoft)" (maybe  
the latest) some issue have been fixed and others not.

Timeline:
29 Jan 2008. A csrf vulnerability has been discovered (and reported  
to vendor) in the "change password" section allowing an attacker to  
reset server's root password by encting a user to visit a malicious  
website while logged into VZPP. This issue has been tested against   
"Version 25.4.swsoft (build: 3.0.0-25.4.swsoft)" and has been fixed  
in new version.

14 Feb 2008.Parallels developers released a patch for the "change  
password" module and have been informed that others VZPP's sections  
may be vulnerable to csrf attacks.

20 Mar 2008. a proof of concept that exploits csrf in the VZPP's file  
manager has been sent to parallels team. This pof overwrites an  
arbitrary file on target virtual server leading to a total system  
compromise.

Today i'm still waiting for the vendor's ack of the filemanager issue..


Probably other sections are vulnerable but no other tests have been  
performed yet

Proof-of-concept for the "change password" section:
http://px.dynalias.org/files/virtuozzo_pwd.html.txt

Proof-of-concept for the "file manager" section:
http://px.dynalias.org/files/virtuozzo_overwrite.html.txt

cheers,
-p

http://px.dynalias.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ