lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20130417112847.88AA06F443@smtp.hushmail.com>
Date: Wed, 17 Apr 2013 12:28:47 +0100
From: "Dex" <0x41@...h.ai>
To: full-disclosure@...ts.grok.org.uk, admin@...to.net
Subject: Re: 
	ZPanel arbitrary code execution + root escalation	vulnerability

Hi

I wrote about this back in November due to a number of reasons.

http://securitytheatre.net/2012/11/06/zpanel-6-1-1-remote-
authenticated-remote-root/



On Wed, 17 Apr 2013 10:37:43 +0100 "Sven Slootweg" 
<admin@...to.net> wrote:
>Hi all,
>
>There's an arbitrary (PHP) code execution in ZPanel, a free and
>open-source shared hosting control panel. Using the included zsudo
>binary, access can be escalated and commands can be run as root.
>
>The vulnerability: ZPanel uses a poor "templater" system that
>basically consists of a few str_replace calls and an eval... and 
>as
>could be expected from something like this, it does a very poor 
>job at
>preventing malicious code. The relevant code can be seen here:
>https://github.com/bobsta63/zpanelx/blob/master/dryden/ui/templatep
>arser.class.php
>(note the poor attempt at stripping out <?php and ?> tags).
>
>By effectively injecting the replacement that occurs in line 71, 
>one
>can run arbitrary PHP code. When combined with ZPanels `zsudo` 
>binary,
>one can execute arbitrary commands as root, with a maximum of 5
>additional arguments (aside from the path to the
>to-be-executed-command).
>
>The scope: Custom templates/themes can be uploaded by resellers 
>and
>administrators. This effectively means that anyone that can get 
>access
>to a reseller account through any means, including by purchasing a
>reseller service from a ZPanel-using host, can gain root access,
>without detection.
>
>PoC: Insert the following code anywhere in master.ztml or any 
>other
>template that is parsed by the template parser, replacing `touch 
>derp`
>with any command of choice:
>
><& bogus']; exec("/etc/zpanel/panel/bin/zsudo touch /root/derp"); 
>echo
>$value['bogus &>
>
>Strangely, login.ztml does not appear to use the templater, and 
>seems
>to allow PHP execution by simply using <?php and ?> tags (which I
>would consider a vulnerability in itself, but that aside).
>
>Vendor notification: I have warned the ZPanel development team 
>about
>their insecure templater *months* ago, and explicitly pointed out 
>that
>their "PHP code filtering" was not going to work well. I have
>submitted a patch for some other fixable aspects of the templater
>(which was merged into the main repository), but the development 
>team
>insisted that the security in the templater was fine, and that it
>wasn't a problem, basically telling me that they were not going to
>change it. They have not fixed this vulnerability, nor do they 
>appear
>to have any interest in doing so in the near future.
>
>How to solve it: Either remove the reseller template uploading
>functionality (this would impair core functionality), or use a 
>real
>templating engine that does not use a few str_replace() calls 
>strung
>together in front of an eval().
>
>I'm quite new to this list, and not exactly a pentesting expert, 
>so if
>I left out some important information in the above message, please 
>do
>let me know.
>
>- Sven Slootweg
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ