oss-sec mailing list archives
CVE request - Vesta Control Panel 0.9.7 <= 0.9.8-16 Local Privilege Escalation
From: Luka Pusic <luka () pusic com>
Date: Wed, 21 Dec 2016 17:10:54 -0500
Vesta Control Panel 0.9.7 <= 0.9.8-16 Local Privilege Escalation Vendor Homepage: http://vestacp.com/ Software Link: https://github.com/serghey-rodin/vesta Affected Versions: 0.9.7 and up to including 0.9.8-16 Description: Vesta CP default install script adds /usr/local/vesta/bin/ directory into /etc/sudoers.d with the NOPASSWD option for the default "admin" user. All programs in /usr/local/vesta/bin/ directory can therefore be run as root. A command injection vulnerability in "v-get-web-domain-value" script can be exploited to run arbitrary commands and escalate from admin user to root. Vulnerability: Parameter $3 (key) in v-get-web-domain-value is not properly sanitized before being passed to bash eval. GitHub issue: https://github.com/serghey-rodin/vesta/issues/906 GitHub fix commit: https://github.com/serghey-rodin/vesta/commit/56182cecf414a0dd833ea3db07d589be88ca5e64 Fix: Remove "v-get-web-domain-value" script file, because it is not used anymore.
Current thread:
- CVE request - Vesta Control Panel 0.9.7 <= 0.9.8-16 Local Privilege Escalation Luka Pusic (Dec 21)