Hi I wrote about this back in November due to a number of reasons.
http://securitytheatre.net/2012/11/06/zpanel-6-1-1-remote- authenticated-remote-root/ On Wed, 17 Apr 2013 10:37:43 +0100 "Sven Slootweg" <[email protected]> wrote: >Hi all, > >There's an arbitrary (PHP) code execution in ZPanel, a free and >open-source shared hosting control panel. Using the included zsudo >binary, access can be escalated and commands can be run as root. > >The vulnerability: ZPanel uses a poor "templater" system that >basically consists of a few str_replace calls and an eval... and >as >could be expected from something like this, it does a very poor >job at >preventing malicious code. The relevant code can be seen here: >https://github.com/bobsta63/zpanelx/blob/master/dryden/ui/templatep >arser.class.php >(note the poor attempt at stripping out <?php and ?> tags). > >By effectively injecting the replacement that occurs in line 71, >one >can run arbitrary PHP code. When combined with ZPanels `zsudo` >binary, >one can execute arbitrary commands as root, with a maximum of 5 >additional arguments (aside from the path to the >to-be-executed-command). > >The scope: Custom templates/themes can be uploaded by resellers >and >administrators. This effectively means that anyone that can get >access >to a reseller account through any means, including by purchasing a >reseller service from a ZPanel-using host, can gain root access, >without detection. > >PoC: Insert the following code anywhere in master.ztml or any >other >template that is parsed by the template parser, replacing `touch >derp` >with any command of choice: > ><& bogus']; exec("/etc/zpanel/panel/bin/zsudo touch /root/derp"); >echo >$value['bogus &> > >Strangely, login.ztml does not appear to use the templater, and >seems >to allow PHP execution by simply using <?php and ?> tags (which I >would consider a vulnerability in itself, but that aside). > >Vendor notification: I have warned the ZPanel development team >about >their insecure templater *months* ago, and explicitly pointed out >that >their "PHP code filtering" was not going to work well. I have >submitted a patch for some other fixable aspects of the templater >(which was merged into the main repository), but the development >team >insisted that the security in the templater was fine, and that it >wasn't a problem, basically telling me that they were not going to >change it. They have not fixed this vulnerability, nor do they >appear >to have any interest in doing so in the near future. > >How to solve it: Either remove the reseller template uploading >functionality (this would impair core functionality), or use a >real >templating engine that does not use a few str_replace() calls >strung >together in front of an eval(). > >I'm quite new to this list, and not exactly a pentesting expert, >so if >I left out some important information in the above message, please >do >let me know. > >- Sven Slootweg > >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.grok.org.uk/full-disclosure-charter.html >Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
