Vesta Admin Panel Vulnerability Allows Complete Linux Server Takeover


A vulnerability in the Vesta Control Panel has been discovered that allows attackers to take over entire Linux servers.

This alarming exploit leverages weaknesses in the password reset mechanism, posing a severe risk to users relying on Vesta for server management.


Vesta is a web-based control panel that simplifies server management for Linux users. Known for its lightweight structure and user-friendly interface, it is favored by many for hosting websites, managing domains, and creating databases.

The Vulnerability: Exploiting Bash $RANDOM

According to the Fortbridge report, the core of the vulnerability lies in using the bash $RANDOM variable during the password reset process.

This variable generates pseudo-random numbers that are not cryptographically secure, making it possible for attackers to predict future values.


By exploiting this weakness, attackers can generate valid password reset tokens, gaining unauthorized access to admin accounts.

Generate a new code for the next password reset.

Code Snippet: Predicting $RANDOM Values

# Example of predicting $RANDOM values using bashrand
$ bashrand crack -n 3 $RANDOM $RANDOM $RANDOM
# Output
Seed: 2137070299 +3 (old) # Seed found

Next 3 values: [22404, 16453, 2365]

The Vesta password reset function relies on a PHP script that checks if a reset token matches an existing one stored in user configuration files.

This file checks whether the reset token ($_POST['code']) received from the URL equals $rkey; if they match, it proceeds to reset the user's password.

When a user requests a password reset, they receive an email with a link containing this token. The process involves generating a new token using $RANDOM, where the vulnerability is exploited.
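The following added bash example (not Vesta's own code) shows the property the report describes from a defender's point of view: a token derived from $RANDOM is fully determined by the seed, so two runs from the same seed produce the same token, whereas a token read from /dev/urandom is not reproducible. The function names, the 16-byte token length and the use of the seed value quoted above are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added illustration (not Vesta's code): why a reset token built from bash
# $RANDOM is predictable, and what a hardened token looks like instead.

# Weak: once the seed is known, every later $RANDOM value follows from it.
# The exact sequence differs between bash versions, but for a given bash it
# is always identical for the same seed.
weak_token() {            # $1 = seed (illustrative; stands in for a recovered seed)
    RANDOM=$1
    printf '%s%s' "$RANDOM" "$RANDOM"
}

# Hardened: 16 bytes from the kernel CSPRNG, hex-encoded (32 characters).
secure_token() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Compare a presented token against the stored one. Both are opaque strings;
# an empty stored token (no reset pending) never matches anything.
token_matches() {         # $1 = stored token, $2 = presented token
    [ -n "$1" ] && [ "$1" = "$2" ]
}

demo() {
    echo "weak token from seed 2137070299, generated twice:"
    weak_token 2137070299; echo
    weak_token 2137070299; echo
    echo "secure token: $(secure_token)"
}

demo
```

Run it twice: the weak tokens repeat across runs, the secure token never does.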

Breaking Down the Exploit

Researchers have demonstrated that they can predict all future password reset tokens by brute-forcing the seed used by $RANDOM. The challenge lies in reducing the brute-force scope from billions of possibilities to a manageable number.

This was achieved by analyzing how timestamps and process IDs influence seed generation, significantly narrowing down potential values.

Code Snippet: Brute-Forcing Seeds

# Brute-forcing seeds using reduced entropy
for seed in $(seq $start_seed $end_seed); do
    RANDOM=$seed                    # reseed bash's generator with the candidate seed
    echo $RANDOM $RANDOM $RANDOM    # the candidate's first three outputs
done

This vulnerability allows an attacker to take over an entire server, which poses serious risks, including data breaches and unauthorized control over hosted websites.

Vesta users are strongly advised to update their systems with patches provided by developers and consider implementing additional security measures such as two-factor authentication.

This vulnerability highlights the critical importance of secure random number generation in software development.

Users are encouraged to stay informed about updates from Vesta and other security advisories to safeguard their digital assets effectively.
