Chaining Zpanel Exploits for Remote Root
ZPanel is a fun, open source web hosting control panel, written in code auditors' favorite language, PHP. For bonus points, ZPanel likes to do some things as root, so it installs a nifty little setuid binary called 'zsudo' that does pretty much what you might expect from a utility of that name -- without authentication. In the wake of some harsh words on reddit and elsewhere in regard to the character of ZPanel's development team, the project came to the attention of some exploit developers with predictable results; now for the low, low price of using two exploits (one to get shell, and one to abuse the zsudo silliness) you can get remote root from a low-priv ZPanel user account.
This update also includes an exploit for a vulnerability in MoinMoin, a wiki written in Python, which was used in the wild against wiki.python.org and wiki.debian.org not too long ago. Juan explained this bug in more detail earlier. Interestingly, MoinMoin has support for FreeBSD, for which this update also includes a local privilege escalation module taking advantage of the fun new mmap vulnerability.
Moral of this story: if you're owned, assume you're completely owned. And if you're doing the owning, you get to do the root dance.
- FreeBSD 9 Address Space Manipulation Privilege Escalation by sinn3r, Alan Cox, Hunger, and Konstantin Belousov exploits CVE-2013-2171
- ZPanel zsudo Local Privilege Escalation Exploit by sinn3r and juan vazquez
- Havalite CMS Arbitary File Upload Vulnerability by sinn3r and CWH exploits OSVDB-94405
- LibrettoCMS File Manager Arbitary File Upload Vulnerability by sinn3r and CWH exploits OSVDB-94391
- MoinMoin twikidraw Action Traversal File Upload by juan vazquez, HTP, and Unknown exploits CVE-2012-6081
- ZPanel 10.0.0.2 htpasswd Module Username Command Execution by sinn3r and shachibista exploits OSVDB-94038
- HP System Management Homepage JustGetSNMPQueue Command Injection by sinn3r and Markus Wulftange exploits CVE-2013-3576
- Novell Client 2 SP3 nicm.sys Local Privilege Escalation by juan vazquez and Unknown exploits OSVDB-93718
- Novell Client 4.91 SP4 nwfs.sys Local Privilege Escalation by juan vazquez and Ruben Santamarta exploits OSVDB-46578
Auxiliary and post modules
- Canon Wireless Printer Denial Of Service by Matt "hostess" Andreko exploits CVE-2013-4615
- Canon Printer Wireless Configuration Disclosure by Matt "hostess" Andreko exploits CVE-2013-4614
- HP System Management Homepage Login Utility by sinn3r
- Windows Manage Remote Point-to-Point Tunneling Protocol by Borja Merino
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.