CVE-2022-2550 HestiaCP OS Command Injection

OS Command Injection

HestiaCP <= 1.6.4 is vulnerable to OS command injection: arbitrary commands can be injected while installing DokuWiki. Any authenticated user with the “User” role can inject commands, and the injected commands run as the “admin” user.

Prerequisite

  • Any user-level account
  • PHP 7.4 must be installed in order to install DokuWiki (only the admin can install PHP 7.4)

Vulnerable Part

https://github.com/hestiacp/hestiacp/blob/1084a16e7d680235f6ac8c45bd845da35f3dc970/web/src/app/WebApp/Installers/DokuWiki/DokuWikiSetup.php#L88

Attackers can inject commands through $options['wiki_name'] and the other $options['XXX'] values, which are concatenated into a shell command without escaping.
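The following PHP is an added illustration of the defect class and its fix; it is not HestiaCP's code, and the command name, option name and the validate_wiki_name() helper are assumptions made for the example. It shows why wrapping a user-supplied value in hand-written single quotes does not contain a value that itself contains a quote, how escapeshellarg() keeps the value a single argument, and an allow-list check that rejects such input before it reaches any shell.

```php
<?php
// Added example, not HestiaCP's own code. Demonstrates the injection pattern
// behind an installer that interpolates $options[...] into a shell string,
// and two defensive fixes (escaping and allow-list validation).

// Constructed sample input in the shape of the advisory's payload.
$options = ['wiki_name' => "aa'; id > /tmp/test; echo '1"];

// Vulnerable pattern: quoting by hand is broken by a quote inside the value,
// so everything after the first ' is parsed by the shell as new commands.
function build_unsafe(array $options): string {
    return "php install.php --wiki-name='" . $options['wiki_name'] . "'";  // hypothetical command
}

// Hardened: escapeshellarg() wraps the value and escapes embedded quotes,
// so the shell sees exactly one argument no matter what the value contains.
function build_safe(array $options): string {
    return "php install.php --wiki-name=" . escapeshellarg($options['wiki_name']);
}

// Defence in depth: only accept characters a wiki name legitimately needs,
// so shell metacharacters never get near exec()/shell_exec() at all.
function validate_wiki_name(string $name): bool {
    return (bool) preg_match('/^[A-Za-z0-9 ._-]{1,64}$/', $name);
}

echo "unsafe: ", build_unsafe($options), PHP_EOL;
echo "safe:   ", build_safe($options), PHP_EOL;
echo "valid:  ", var_export(validate_wiki_name($options['wiki_name']), true), PHP_EOL;
```

In the unsafe string the shell terminates the quoted argument at the attacker's first quote and runs the rest as separate commands; in the escaped string the same value arrives as one literal argument. Avoiding the shell entirely (passing an argument array to proc_open() on PHP 7.4+) removes the quoting problem altogether, and the allow-list check makes a stray unescaped path fail closed.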

POC

  1. Log in to the panel with a user account.
  2. Open the WEB tab: https://XX.XX.XX.XX:8083/list/web/
  3. Click Add Web Domain.
  4. Enter a random domain in the domain field and save.
  5. On the “Edit Web Domain” page click Quick Install App.
  6. Click the “Setup” button under DokuWiki.
  7. All fields are vulnerable. Enter the payload below in the Wiki Name field, fill in the other fields, then click the Install button.
     // payload

     aa';  echo "injected" > /tmp/test; id >> /tmp/test ; echo '1

  8. Wait 10 seconds. /tmp/test then contains:

     injected
     uid=1001(admin) gid=1001(admin) groups=1001(admin)


PoC Video

Patch commits

https://github.com/hestiacp/hestiacp/commit/3d4c309cf138943cfd1e71ae51556406987aa4bf