ZPanel arbitrary code execution + root escalation vulnerability

joepie91 Member, Patron Provider
edited April 2013 in General

There's an arbitrary (PHP) code execution vulnerability in ZPanel, a free and open-source shared hosting control panel. Using the included zsudo binary, access can be escalated and commands can be run as root.

The vulnerability: ZPanel uses a poor "templater" system that basically consists of a few str_replace calls and an eval... and as could be expected from something like this, it does a very poor job at preventing malicious code. The relevant code can be seen here: https://github.com/bobsta63/zpanelx/blob/master/dryden/ui/templateparser.class.php (note the poor attempt at stripping out <?php and ?> tags).

By effectively injecting the replacement that occurs in line 71, one can run arbitrary PHP code. When combined with ZPanel's zsudo binary, one can execute arbitrary commands as root, with a maximum of 5 additional arguments (aside from the path to the to-be-executed command).

The scope: Custom templates/themes can be uploaded by resellers and administrators. This effectively means that anyone who can get access to a reseller account through any means, including by purchasing a reseller service from a ZPanel-using host, can gain root access, without detection.

PoC: Insert the following code anywhere in master.ztml or any other template that is parsed by the template parser, replacing touch derp with any command of choice:

<& bogus']; exec("/etc/zpanel/panel/bin/zsudo touch /root/derp"); echo $value['bogus &>

I've posted the full post to the full-disclosure mailinglist: http://seclists.org/fulldisclosure/2013/Apr/28

Seriously, guys. Stop using ZPanel. It's terribly insecure. How many times do I have to say this?

Bonus: there's a CSRF vulnerability in the logout mechanism.
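As an added illustration (not ZPanel's code, and not part of the post above), the following PHP models the templater pattern the post describes, template text rewritten with str_replace/preg_replace into PHP source and handed to eval, beside a substitution-only renderer that treats the template as data. The `<& key &>` tag syntax and the `$value` array are assumptions modelled on the shape of the PoC; the injected tag in the demo is constructed with a harmless echo standing in for the command.

```php
<?php
// Added illustration, not ZPanel's code: an eval-based templater of the kind
// the post describes, beside a substitution-only renderer.
// Assumed (modelled on the PoC): tags look like <& key &>, values live in $value.
declare(strict_types=1);

// Vulnerable pattern: template text is rewritten into PHP source and eval()'d.
// Stripping "<?php" and the closing PHP tag from the template does not help:
// the tag body is pasted verbatim into a single-quoted string literal, so a
// quote inside the tag body closes the literal and what follows runs as PHP.
function renderEval(string $template, array $value): string
{
    $template = str_replace(['<?php', '?>'], '', $template);   // the "strip" step
    $php = preg_replace('/<&\s*(.*?)\s*&>/s', '<?php echo $value[\'$1\']; ?>', $template);
    ob_start();
    eval('?>' . (string) $php);   // $value is read by the generated code inside eval()
    return (string) ob_get_clean();
}

// Safe pattern: the template is data and is never turned into code. Each tag
// is a lookup in $value, values are HTML-escaped, and a tag body that is not a
// plain identifier key is dropped and reported instead of being interpreted.
function renderSafe(string $template, array $value, array &$rejected = []): string
{
    $out = preg_replace_callback(
        '/<&\s*(.*?)\s*&>/s',
        function (array $m) use ($value, &$rejected): string {
            $key = $m[1];
            if (!preg_match('/^[A-Za-z0-9_]+$/', $key) || !array_key_exists($key, $value)) {
                $rejected[] = $key;
                return '';
            }
            return htmlspecialchars((string) $value[$key], ENT_QUOTES, 'UTF-8');
        },
        $template
    );
    return (string) $out;
}

// Constructed inputs: a legitimate tag, and a tag shaped like the PoC with a
// harmless echo in place of the command.
$value   = ['title' => 'Welcome & enjoy', 'x' => ''];
$legit   = '<h1><& title &></h1>';
$hostile = '<p><& x\']; echo "TEMPLATE TEXT WAS EXECUTED"; echo $value[\'x &></p>';

echo renderEval($legit, $value), "\n";     // normal substitution
echo renderEval($hostile, $value), "\n";   // the echo inside the tag runs as PHP
echo renderSafe($legit, $value), "\n";     // same substitution, HTML-escaped
$rejected = [];
echo renderSafe($hostile, $value, $rejected), "\n";          // tag dropped, nothing executed
echo "rejected tag bodies: ", json_encode($rejected), "\n";  // what an upload-time check would flag
```

The `$rejected` list is the defensive hook: since resellers can upload templates, the same identifier-only check can be run over a template at upload time and any tag body that is not a plain key refused, which catches the shape of the PoC above without having to recognise particular commands.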


Comments

  • @joepie91 said: How many times do I have to say this?

    Seems like weekly :P

    Not sure why anyone would still bother using zPanel. Unless you hated your clients or something.

  • @Damian said: Not sure why anyone would still bother using zPanel.

    Summer is just around the corner . . .

  • Somebody uses zPanel?

  • vedran Veteran

    I do. It lets me run arbitrary code without the need to log in as root. It's very convenient sometimes

  • @Freek You've got to see this, bro.

  • I use Webmin. What exactly is zPanel supposed to do anyways, other than get your system "hacked"?

  • WebProject Host Rep, Veteran

    Not the first control panel that is insecure; much better to use a commercial one like cPanel.

  • joepie91 Member, Patron Provider
    edited April 2013

    @WebProject said: Not the first control panel that is insecure; much better to use a commercial one like cPanel.

    cPanel is most definitely not without vulnerabilities. ZPanel isn't insecure because it's free, it's insecure because the developers are careless (and, in my opinion, irresponsible) about security. If anything, this attitude is even more present in commercial software than in open-source software (e.g. SolusVM, WHMCS, etc.)

    Your most secure option is probably an open-source commonly-used peer-reviewed panel such as Webmin. Why open-source? Because that lets you check the code for yourself, and patch it if necessary.

    @Magiobiwan said: I use Webmin. What exactly is zPanel supposed to do anyways, other than get your system "hacked"?

    It's an open-source shared hosting panel, aiming to offer a featureset similar to cPanel.

  • I sense another of @joepie91's rants coming on here. And it's only 7:15 AM my time!

  • This is why I always vote for ISPconfig3.

  • @Magiobiwan said: I sense another of @joepie91's rants coming on here. And it's only 7:15 AM my time!

    +1.

  • @Why open-source? Because that lets you check the code for yourself, and patch it if necessary.

    Unless you are part of the 99.9% of the population that is not a competent programmer.

  • @Microlinux said: Unless you are part of the 99.9% of the population that is not a competent programmer.

    And those who will use opensource because it is FREE.

  • jar Patron Provider, Top Host, Veteran

    All I want is one attractive and user friendly shared hosting panel. Not for me, but to push on clients who want an answer and don't want to pay for cPanel. That I cannot give them an answer to such a simple question, and that I do not care enough to have one developed for them, upsets me for some reason. Usually only for a few minutes though because minstall doesn't need a panel and it takes 5 minutes.

  • Corey Member

    @jarland said: All I want is one attractive and user friendly shared hosting panel. Not for me, but to push on clients who want an answer and don't want to pay for cPanel. That I cannot give them an answer to such a simple question, and that I do not care enough to have one developed for them, upsets me for some reason. Usually only for a few minutes though because minstall doesn't need a panel and it takes 5 minutes.

    @joepie91 said: It's an open-source shared hosting panel, aiming to offer a featureset similar to cPanel.

    Isn't zpanel open source?

    We can submit a patch.

  • Freek Member

    @vRozenSch00n said: @Freek You've got to see this, bro.

    LoL, true. Yay for ZPanel. If they even fail at properly configuring the default .conf files they supply with their apache2 installation, what else can go wrong?

  • joepie91 Member, Patron Provider
    edited April 2013

    @Corey said: Isn't zpanel open source?

    We can submit a patch.

    The problem is basically that all of their PHP code is absolutely terrible, and it needs a full rewrite to be "patched". Even fixing just this vulnerability would require implementing a full proper templater. I was in the process of rewriting ZPanel, but due to time constraints I haven't really gotten around to it.

    EDIT: And there are numerous other issues and vulnerabilities with ZPanel.

  • jar Patron Provider, Top Host, Veteran

    @joepie91 said: EDIT: And there are numerous other issues and vulnerabilities with ZPanel.

    It's just so darn pretty. Honestly, as far as user interface goes, I like it far better than cPanel. That's why it makes me so sad. Typical, I suppose, in that good coders and good designers usually are not one and the same.

  • @joepie91 -- they're working on a new template system, and anyone is free to file a bug report in their tracker.

  • @joepie91 said: The problem is basically that all of their PHP code is absolutely terrible, and it needs a full rewrite to be "patched". Even fixing just this vulnerability would require implementing a full proper templater. I was in the process of rewriting ZPanel, but due to time constraints I haven't really gotten around to it.

    There's a lot of ground between doing it "right" and leaving this issue open. I'm pretty sure a lot of these issues are easily fixable. I'm not saying it would be nice code, but it would be a start.

    Did you submit a pull request with a fix? I mean, it's very noble that you've started an attempt to rewrite it all. It doesn't help ZPanel right now, though.

  • Awmusic12635 Member, Host Rep

    Isn't most of cPanel open source / not encrypted anyways?

  • raindog308 Administrator, Veteran

    @Fliphost said: Isn't most of cPanel open source / not encrypted anyways?

    Yes. cPanel is open-source, it's just not free.

    I hear what @joepie91 is saying about open source peer review...though I wonder if there aren't more eyes and more people looking at cPanel code than webmin, just because the former is so much more widely used and has a bigger dev staff.

  • raindog308 Administrator, Veteran

    @jarland said: Honestly, as far as user interface goes, I like it far better than cPanel.

    Talk about damning with faint praise...cPanel looks like Windows 3.1.

  • serverian Member
    edited April 2013

    @raindog308 said: Yes. cPanel is open-source, it's just not free.

    How come we don't see nulled WHM/cPanel?

    Edit: It seems we do.

  • seriesn Member
    edited April 2013

    @serverian said: How come we don't see nulled WHM/cPanel?

    Edit: It seems we do.

    Way too risky to even consider. Not to mention, you can't even upgrade it unlike other nulled scripts.

  • That's why I don't like using panels.

  • Corey Member

    @raindog308 said: Yes. cPanel is open-source, it's just not free.

    It is? I tried to edit one of the functions at one point and it was encoded.

  • It would not surprise me if you could enter "rm -rf /" in the login field on zPanel and wipe the server.

  • Intcs Member
    edited April 2013

    @MrAndroid said: It would not surprise me if you could enter "rm -rf /" in the login field on zPanel and wipe the server.

    Lol this thread and posts are hilarious, glad I'm not the one behind ZPanel :P
    But to be fair, I've tried it in 2011 for a few minutes; it felt bulky, "disassembled" for some reason since downloading it. It has a good interface and features though; both admins and site visitors shall enjoy the interface :P

  • natestamm Member
    edited April 2013

    @vRozenSch00n @Freek You've got to see this, bro. @joepie91 anyone ... ZPanel-using host

    @joepie91, if you are ever available for some NDT/penetration testing, I would love to use your skills. PM please.
