Parallels virtuozzo's VZPP multiple csrf vulnerabilities
hello,
Parallels (www.parallels.com) has developed a server virtualization
system called Virtuozzo. It comes with a web interface, called VZPP,
(very similar to parallel's Plesk) that allows system admins to
manage their virtual servers.
Unfortunatly this nice web interface is affected by multiple csrf
vulnerabilities. Since VZPP can do almost anything on target server a
successful exploitation leads to the full compromise of the target.
In the new "Version 365.6.swsoft (build: 4.0.0-365.6.swsoft)" (maybe
the latest) some issue have been fixed and others not.
Timeline:
29 Jan 2008. A csrf vulnerability has been discovered (and reported
to vendor) in the "change password" section allowing an attacker to
reset server's root password by encting a user to visit a malicious
website while logged into VZPP. This issue has been tested against
"Version 25.4.swsoft (build: 3.0.0-25.4.swsoft)" and has been fixed
in new version.
14 Feb 2008.Parallels developers released a patch for the "change
password" module and have been informed that others VZPP's sections
may be vulnerable to csrf attacks.
20 Mar 2008. a proof of concept that exploits csrf in the VZPP's file
manager has been sent to parallels team. This pof overwrites an
arbitrary file on target virtual server leading to a total system
compromise.
Today i'm still waiting for the vendor's ack of the filemanager issue..
Probably other sections are vulnerable but no other tests have been
performed yet
Proof-of-concept for the "change password" section:
http://px.dynalias.org/files/virtuozzo_pwd.html.txt
Proof-of-concept for the "file manager" section:
http://px.dynalias.org/files/virtuozzo_overwrite.html.txt
cheers,
-p
http://px.dynalias.org