oss-security - CVE request - Vesta Control Panel 0.9.7 <= 0.9.8-16 Local Privilege Escalation

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [day] [month] [year] [list]

Date: Wed, 21 Dec 2016 17:10:54 -0500
From: Luka Pusic <luka@...ic.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE request - Vesta Control Panel 0.9.7 <= 0.9.8-16 Local Privilege Escalation

Vesta Control Panel 0.9.7 <= 0.9.8-16 Local Privilege Escalation
Vendor Homepage: http://vestacp.com/
Software Link: https://github.com/serghey-rodin/vesta
Affected Versions: 0.9.7 and up to including 0.9.8-16

Description:
Vesta CP default install script adds /usr/local/vesta/bin/ directory into /etc/sudoers.d with the NOPASSWD option for the default "admin" user. All programs in /usr/local/vesta/bin/ directory can therefore be run as root. A command injection vulnerability in "v-get-web-domain-value" script can be exploited to run arbitrary commands and escalate from admin user to root.

Vulnerability:
Parameter $3 (key) in v-get-web-domain-value is not properly sanitized before being passed to bash eval.

GitHub issue: https://github.com/serghey-rodin/vesta/issues/906
GitHub fix commit: https://github.com/serghey-rodin/vesta/commit/56182cecf414a0dd833ea3db07d589be88ca5e64

Fix:
Remove "v-get-web-domain-value" script file, because it is not used anymore.

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.