Ajenti server exposed by RCE bug

Hi again,

Today we are going to exploit Ajenti servers xD…. which are already exposed by RCE vulnerability.

For starters, let me give you Google wiki introduction of Ajenti server,

Ajenti is an open-source, web-based control panel that can be used for a large variety of server management tasks.

On 13th October,19 a command injection vulnerability was reported for an Ajenti version 2.1.31. CVE is not yet assigned to this vulnerability.

What is this RCE bug?

As Ajenti is a web control panel written in Python and AngularJS, the shell can be spawned by injecting a command into the username POST parameter to api/core/auth.

Who are Victims of RCE?

Ajenti server 2.1.31

How can we detect a Vulnerable machine?

The easy way to detect vulnerable machines is to check the version of the Ajenti server. 😉

Another way is to exploit this RCE vulnerability. 😲

From an attacker’s perspective

We can exploit this vulnerability with the Metasploit framework.

Nowadays, finding an exploit for vulnerability is a piece of cake. We have a Metasploit code with us, one listener machine (Listener and Attacker), Ajenti server (Victim).

On Ajenti server, open one Terminal session and run following command

ajenti-panel -v

Ajenti Panel consists of plugins developed for the Ajenti Core and a startup script, together with providing a server administration panel experience, this command will start Ajenti server in a verbose debug mode.

ajenti-panel -v

Now from an attacker’s machine, import the exploit into the Metasploit module of a machine.

Here I’m using Kali Linux as an attacker and listener. Kali Linux has an in-built Metasploit Framework. If you want to use other Environments, then probably you need to configure a Metasploit framework on those machines.

You will need two open terminal sessions, I will refer them as Terminal 1 and Terminal 2.

After importing exploit into Metasploit, open msfconsole on Terminal 1.

msfconsole

Search for exploit (the one which you imported in MSF module)

Search ajenti exploit

Use this exploit and check for available options.

show options

Set the options like RHOST, LHOST, and LPORT, the rest of the options are set by default. In case of SSL, if your Ajenti server runs at https://server:8000/view/login/normal, then set SSL as true.

And if the server is running at http://server:8000/view/login/normal, then set it as False.

Final Configuration will look like this –

ajenti configuration

Before running the exploit, you need to start the listener for port 5555.

On Terminal 2, run NC command to start listening for port 5555.

nc -v -l -p 5555
start listener

Use exploit/run command to run the exploit.

You will get a meterpreter shell after successful exploitation.

metepreter session

You can get into the victim’s shell.

Victim’s shell

Check running process, you will get to know that you are in Victims machine

ps command output

As I said earlier, I’m using Kali Linux as an attacker and Listener.
Now, see I’m in the Ajenti server’s shell.

uname -a command output

Go on Terminal 2, where you started listeners.

You will see, you got connected to the Ajenti server,

Received connection
How did this happen?

While exploiting this bug, I have captured the request packets that are sending from an Attacker to the Victim.

An Attacker is sending a small python code to Victim, upon execution of a python code Attacker gets the reverse shell of a Victim.

burpsuit request

Python code is encoded in base64 format, if you decode it, you will get a clear idea of the scenario.

decoded code snippet

It’s a Socket program trying to establish a connection between the Attacker and Victim machine. After successful exploitation, an attacker can remotely execute commands on the machine.

Remediation and Mitigation:

You can apply the mitigation provided in the article.

Or you can upgrade to the next stable version.

Qualys has issued QID 13648: Ajenti Remote Command Execution Vulnerability to detect the vulnerable systems.

References:

https://www.exploit-db.com/exploits/47560

https://github.com/ajenti/ajenti/commit/7aa146b724e0e20cfee2c71ca78fafbf53a8767c

Leave a Reply

Your email address will not be published. Required fields are marked *