<<< Date Index >>>     <<< Thread Index >>>

Parallels virtuozzo's VZPP multiple csrf vulnerabilities



hello,
Parallels (www.parallels.com) has developed a server virtualization system called Virtuozzo. It comes with a web interface, called VZPP, (very similar to parallel's Plesk) that allows system admins to manage their virtual servers. Unfortunatly this nice web interface is affected by multiple csrf vulnerabilities. Since VZPP can do almost anything on target server a successful exploitation leads to the full compromise of the target. In the new "Version 365.6.swsoft (build: 4.0.0-365.6.swsoft)" (maybe the latest) some issue have been fixed and others not.

Timeline:
29 Jan 2008. A csrf vulnerability has been discovered (and reported to vendor) in the "change password" section allowing an attacker to reset server's root password by encting a user to visit a malicious website while logged into VZPP. This issue has been tested against "Version 25.4.swsoft (build: 3.0.0-25.4.swsoft)" and has been fixed in new version.

14 Feb 2008.Parallels developers released a patch for the "change password" module and have been informed that others VZPP's sections may be vulnerable to csrf attacks.

20 Mar 2008. a proof of concept that exploits csrf in the VZPP's file manager has been sent to parallels team. This pof overwrites an arbitrary file on target virtual server leading to a total system compromise.

Today i'm still waiting for the vendor's ack of the filemanager issue..


Probably other sections are vulnerable but no other tests have been performed yet

Proof-of-concept for the "change password" section:
http://px.dynalias.org/files/virtuozzo_pwd.html.txt

Proof-of-concept for the "file manager" section:
http://px.dynalias.org/files/virtuozzo_overwrite.html.txt

cheers,
-p

http://px.dynalias.org