CVE-2022-2626 HestiaCP Privilege Escalation Default sudo Group

Privilege Escalation

Hestiacp <=1.6.4 is vulnerable to privilege escalation. “admin” user has sudo rights and can gain root access. In Ubuntu, by default sudo installation “admin” group has root rights. “admin” user created by hestia installation and this user is also in “admin” group. if the attackers access “admin” user, can gain root access.

POC

root@server:/home/t# sudo -u admin sudo -l
Matching Defaults entries for admin on server:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, env_keep=VESTA, env_keep+=HESTIA, !syslog, !requiretty

User admin may run the following commands on server:
    (ALL) ALL
    (root) NOPASSWD: /usr/local/vesta/bin/*
    (root) NOPASSWD: /usr/local/hestia/bin/*
    

admin user can run any commands as root with (ALL) ALL permission.

By default sudo installation on Ubuntu 18.04 and ubuntu 20.04 creates /etc/sudoers file.

Example /etc/sudoers file; https://gist.github.com/alitoufighi/679304d9585304075ba1ad93f80cce0e

Contents of default /etc/sudoers file;

root@server:/etc# cat sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
Defaults        use_pty

# This preserves proxy settings from user environments of root
# equivalent users (group sudo)
#Defaults:%sudo env_keep += "http_proxy https_proxy ftp_proxy all_proxy no_proxy"

# This allows running arbitrary commands, but so does ALL, and it means
# different sudoers have their choice of editor respected.
#Defaults:%sudo env_keep += "EDITOR"

# Completely harmless preservation of a user preference.
#Defaults:%sudo env_keep += "GREP_COLOR"

# While you shouldn't normally run git as root, you need to with etckeeper
#Defaults:%sudo env_keep += "GIT_AUTHOR_* GIT_COMMITTER_*"

# Per-user preferences; root won't have sensible values for them.
#Defaults:%sudo env_keep += "EMAIL DEBEMAIL DEBFULLNAME"

# "sudo scp" or "sudo rsync" should be able to use your SSH agent.
#Defaults:%sudo env_keep += "SSH_AGENT_PID SSH_AUTH_SOCK"

# Ditto for GPG agent
#Defaults:%sudo env_keep += "GPG_AGENT_INFO"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "@include" directives:

@includedir /etc/sudoers.d

Patch commits

https://github.com/hestiacp/hestiacp/commit/b178b9719bb2c98cf8a6db70065086f596afad81