VestaCP - Root Privilege Escalation

VestaCP currently has a bug that allows root privilege escalation using PHP. Background: even with stats disabled, the following line is found in /home/<user>/conf/web/nginx.conf: include /home/<user>/web/<domain>/stats/auth.conf*; The directory /home/<user>/web/<domain>/stats/ is owned by <user> but isn't writable. Since we own it, we can simply change the permissions so we can put anything we want in there. From there we can create a configuration file that will…

Nginx Catch-All Error Pages

Using a combination of named locations along with the error_page directive, we can make it so nginx automatically serves error pages from a directory structure with support for wildcard/catch-all files. For example, the handler for status code 503 will check for /errors/error_503.html, /errors/error_50x.html, /errors/error_5xx.html and /errors/error.html, in that order. Creating the helper maps: first off, we'll need to use the map directive to help us make the above lookup work. You will need to place these lines within the server block…

Implementing ptsname_r on OSX with Rust

I've been working on a project with Rust that requires creating a pseudo-terminal and, like many others, I've run into a lot of problems with the functions available to get a pair of master/slave fds for my PTY. openpty: int openpty(int *amaster, int *aslave, char *name, const struct termios *termp, const struct winsize *winp); This function seems like a good fit at first glance, but the documentation contains this disclaimer: "Nobody knows how much space should be reserved for name. So, calling openpty() or forkpty() with non-NULL name…"

Root your box with W3TC and Nginx

Several guides for integrating everybody's favorite caching plugin for WordPress with Nginx tell you to include something like this in your nginx configuration: location / { include /var/www/wordpress/nginx.conf; } At the time of writing, this suggestion appears in the guide ranked #2 for the search terms "w3tc nginx". If you don't know already, this conf is generally writable by W3TC (and by PHP, by extension). It does this so that W3TC can regenerate your Nginx configuration for you. Now let's assume an attacker has hacked your WordPress…

[CVE-2016-5483] Galera Remote Command Execution via crafted database name

mysqldump is a common utility used to create logical backups of MySQL databases, and it is one of the SST methods used by Galera to bring out-of-sync nodes back into the cluster. Using an evil database name, an attacker can gain remote command execution on all nodes in the cluster or backdoor MySQL backups, in a similar attack to my previous post. Of course, this method requires the CREATE DATABASE privilege instead of CREATE TABLE. Example attack: first, the attacker creates a malicious database using the query below: CREATE DATABASE `test \! id…
