CVE-2020-10808
Published 2020-03-22
Priority: P2 · 78 · high · CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 77.26% (99.5th percentile)
Vesta Control Panel (VestaCP) through 0.9.8-26 allows Command Injection via the schedule/backup Backup Listing Endpoint. The attacker must be able to create a crafted filename on the server, as demonstrated by an FTP session that renames .bash_logout to a .bash_logout' substring followed by shell metacharacters.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vestacp | vesta_control_panel | <= 0.9.8-26 | — |
Detection & IOCs (extracted from sources)
Source: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/vestacp_exec.rb
- Monitor for filenames on the server containing shell metacharacters (e.g., single quotes, semicolons, backticks) appended to `.bash_logout`, which is the demonstrated exploitation technique for injecting commands via the backup listing endpoint.
- Alert on authenticated HTTP requests to the schedule/backup endpoint in VestaCP (versions through 0.9.8-26) that result in unexpected process execution or privilege escalation to root.
- Detect execution of the v-list-user-backups bash script with anomalous arguments or spawning unexpected child processes, which may indicate active exploitation for RCE as root.
- Monitor FTP sessions to VestaCP servers for file rename operations targeting backup-related filenames, especially renames that introduce shell metacharacters into filenames.
- Note: exploitation requires the attacker to be authenticated to VestaCP and also able to create or rename a crafted filename on the server (e.g., via FTP access), so this is not an unauthenticated, remote-only attack vector.
- Note: the vulnerability affects VestaCP through version 0.9.8-26 only; detections and mitigations should be scoped to this version range.
CVSS provenance
- NVD, CVSS v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 9.0 CRITICAL (AV:N/AC:L/Au:S/C:C/I:C/A:C)
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/157111/Vesta-Control-Panel-Authenticated-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/157219/Vesta-Control-Panel-Authenticated-Remote-Code-Execution.html
- https://forum.vestacp.com/viewforum.php?f=25
- https://github.com/rapid7/metasploit-framework/pull/13094
- https://pentest.blog/vesta-control-panel-second-order-remote-code-execution-0day-step-by-step-analysis/