Parallels virtuozzo's VZPP multiple csrf vulnerabilities

[poplix <poplix () papuasia org>]

hello,
Parallels (www.parallels.com) has developed a server virtualization  
system called Virtuozzo. It comes with a web interface, called VZPP,  
(very similar to parallel's Plesk) that allows system admins to  
manage their virtual servers.
Unfortunatly this nice web interface is affected by multiple csrf  
vulnerabilities. Since VZPP can do almost anything on target server a  
successful exploitation leads to the full compromise of the target.
In the new "Version 365.6.swsoft (build: 4.0.0-365.6.swsoft)" (maybe  
the latest) some issue have been fixed and others not.

Timeline:
29 Jan 2008. A csrf vulnerability has been discovered (and reported  
to vendor) in the "change password" section allowing an attacker to  
reset server's root password by encting a user to visit a malicious  
website while logged into VZPP. This issue has been tested against   
"Version 25.4.swsoft (build: 3.0.0-25.4.swsoft)" and has been fixed  
in new version.

14 Feb 2008.Parallels developers released a patch for the "change  
password" module and have been informed that others VZPP's sections  
may be vulnerable to csrf attacks.

20 Mar 2008. a proof of concept that exploits csrf in the VZPP's file  
manager has been sent to parallels team. This pof overwrites an  
arbitrary file on target virtual server leading to a total system  
compromise.

Today i'm still waiting for the vendor's ack of the filemanager issue..


Probably other sections are vulnerable but no other tests have been  
performed yet

Proof-of-concept for the "change password" section:
http://px.dynalias.org/files/virtuozzo_pwd.html.txt

Proof-of-concept for the "file manager" section:
http://px.dynalias.org/files/virtuozzo_overwrite.html.txt

cheers,
-p

http://px.dynalias.org