[Important] Bug in Hestia backups

Hi everybody,
I have been testing Hestia for a long time, and so far I have found one very important (for me) bug.

If you upload a shell (b374k) on someone's domain, for this example: example.blog;

And you go to the web shell: example.blog/webshell_b374k.php and you use the command line:

pwd
/home/example/web/example.blog/public_html

ls -al

total 48956
drwxr-x--x 5 exampleuser www-data        4096 Dec 30 21:47 .
drwxr-x--x 8 exampleuser exampleuser     4096 Dec 30 16:43 ..
-rw-r--r-- 1 exampleuser exampleuser    99552 Mar 12  2021 webshell_b374k.php
drwxr-xr-x 2 exampleuser exampleuser     4096 Dec 21 21:22 css
drwxr-xr-x 2 exampleuser exampleuser     4096 Dec 30 17:58 images
-rw-r--r-- 1 exampleuser exampleuser    22324 Dec 30 18:16 index.php
drwxr-xr-x 2 exampleuser exampleuser     4096 Dec 21 21:22 js

ls -al /backup

you see all backups for all websites.

total 58556
drwxr-xr-x  2 root  root                 4096 Dec 30 21:30 .
drwxr-xr-x 19 root  root                 4096 Oct 30 11:58 ..
-rw-r-----  1 admin test2          174080 Dec 30 05:10 test2.2021-12-30_05-10-12.tar
-rw-rw----  1 root  root                 1108 Dec 30 05:10 test2.log
-rw-r-----  1 admin             1007   153600 Dec 27 05:10 zzzzzzzz.2021-12-27_05-10-15.tar
-rw-rw----  1 root  root                 1093 Dec 27 05:10 zzzzzzzz.log
-rw-rw----  1 root  root                  990 Dec 30 05:10 admin.log
-rw-r-----  1 admin gree               92160 Dec 30 05:10 gree.2021-12-30_05-10-05.tar
-rw-rw----  1 root  root                 1100 Dec 30 05:10 gree.log
-rw-r-----  1 admin test1  8878080 Dec 30 05:10 test1.2021-12-30_05-10-14.tar
-rw-rw----  1 root  root                 1087 Dec 30 05:10 test1.log
-rw-r--r--  1 root  root             49981440 Dec 30 21:21 zzzzzzzz1.2021-12-30_21-25-04.tar
-rw-rw----  1 root  root                 1116 Dec 30 21:25 zzzzzzzz1.log
-rw-r-----  1 admin test3        245760 Dec 30 05:10 test3.2021-12-30_05-10-13.tar
-rw-rw----  1 root  root                 1147 Dec 30 05:10 test3.log
-rw-r-----  1 admin test4           133120 Dec 30 05:10 test4.2021-12-30_05-10-15.tar
-rw-rw----  1 root  root                 1059 Dec 30 05:10 test4.log
-rw-r-----  1 admin test5      235520 Dec 30 05:10 test5.2021-12-30_05-10-04.tar
-rw-rw----  1 root  root                 1125 Dec 30 05:10 test5.log
-rw-rw----  1 root  root                 1234 Dec 30 05:10 zzzzzzzz3.log

And after this:
cp /backup/zzzzzzzz.2021-12-27_05-10-15.tarr zzzzzzzz.2021-12-27_05-10-15.tar

total 48956
drwxr-x--x 5 exampleuser www-data 4096 Dec 30 21:47 .
drwxr-x--x 8 exampleuser exampleuser 4096 Dec 30 16:43 ..
-rw-r--r-- 1 exampleuser exampleuser 99552 Mar 12 2021 webshell_b374k.php
drwxr-xr-x 2 exampleuser exampleuser 4096 Dec 21 21:22 css
drwxr-xr-x 2 exampleuser exampleuser 4096 Dec 30 17:58 images
-rw-r--r-- 1 exampleuser exampleuser 22324 Dec 30 18:16 index.php
drwxr-xr-x 2 exampleuser exampleuser 4096 Dec 21 21:22 js
-rw-r--r-- 1 exampleuser exampleuser 49981440 Dec 30 21:47 zzzzzzzz.2021-12-27_05-10-15.tarr

After this:
example.com/zzzzzzzz.2021-12-27_05-10-15.tar

And then you can download the backups very easily.

As a correction, I think it is right to store backup files in the user directory:
/home/USER/backups

And this backup could have an option in Hestia for automatic or manual creation at the request of the user.

The problem is that the backup file does not always have a group set (I have no idea why).

=======

I did an experiment by creating the archive manually via the Hestia web interface, and it created the archive with the necessary ownership (chown) rights:
user:group

This is certainly not the problem.

There is probably some automatic backup that runs sometimes and does not add a group to the backup file, and that is vulnerable. When I have analyzed more, I will write more on the topic.

By default the backups should only be accessible by the admin user or the owner:

For example:

/home/jaap/web/xxxxx/public_html/b374k-3.2.3/>whoami
jaap

/home/jaap/web/xxxx/public_html/b374k-3.2.3/>cp /backup/admin.2021-12-28_05-13-37.tar ./
cp: cannot open '/backup/admin.2021-12-28_05-13-37.tar' for reading: Permission denied

First of all, when running any control panel with random users you won't trust, I would always disable certain PHP functions, as they are known to be harmful.

The question to be asked is whether this is the responsibility of the server owner or of the developers of the software. PHP itself agrees it is the responsibility of the server owner.


I did an experiment to "simulate" the automatic task of creating backups, and this time I don't have a backup archive that lacks a group. Very strange case. So far everything is okay.

If anyone has had such an incident, it would be a good idea to share where the bug came from. As for the webshell script, it could be any PHP file that is malicious (I just used the first one from Google for the experiment).

If I have any development from the observation I will share later. Thanks for the quick reply.

sudo /usr/local/hestia/bin/v-backup-users
[email protected]:/home/# ls -al /backup
total 107956
drwxr-xr-x 2 root root 4096 Dec 30 22:19 .
drwxr-xr-x 19 root root 4096 Oct 30 11:58 ..
-rw-r----- 1 admin test1 174080 Dec 30 22:19 test1.2021-12-30_22-19-21.tar
-rw-rw---- 1 root root 1108 Dec 30 22:19 test1.log
-rw-r----- 1 admin admin 1269760 Dec 30 22:19 admin.2021-12-30_22-19-14.tar
-rw-rw---- 1 root root 941 Dec 30 22:19 admin.log
-rw-r----- 1 admin test2 102400 Dec 30 22:19 test2.2021-12-30_22-19-17.tar
-rw-rw---- 1 root root 1100 Dec 30 22:19 test2.log
-rw-r----- 1 admin test3 8878080 Dec 30 22:19 test3.2021-12-30_22-19-23.tar
-rw-rw---- 1 root root 1087 Dec 30 22:19 test3.log
-rw-r----- 1 admin test4 49920000 Dec 30 22:19 test4.2021-12-30_22-19-19.tar
-rw-rw---- 1 root root 1166 Dec 30 22:19 test4.log
-rw-r----- 1 admin test5 245760 Dec 30 22:19 test5.2021-12-30_22-19-22.tar
-rw-rw---- 1 root root 1147 Dec 30 22:19 test5.log
-rw-r----- 1 admin test6 133120 Dec 30 22:19 test6.2021-12-30_22-19-24.tar
-rw-rw---- 1 root root 1059 Dec 30 22:19 test6.log
-rw-r----- 1 admin test7 235520 Dec 30 22:19 test7.2021-12-30_22-19-15.tar
-rw-rw---- 1 root root 1125 Dec 30 22:19 test7.log
-rw-r----- 1 admin test8 49530880 Dec 30 22:19 test8.2021-12-30_22-19-32.tar
-rw-rw---- 1 root root 1524 Dec 30 22:19 test8.log
[email protected]:/home/#

By default the permissions are:

-rw- owner
r-- group
--- world

where the owner is admin and
the group is the user the backup belongs to (a requirement for backup restores).

It looks like:
-rw-r--r-- 1 root root 49981440 Dec 30 21:21 zzzzzzzz1.2021-12-30_21-25-04.tar

was manually copied onto this server over SSH…
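As an added example (not code from this thread or from Hestia), a small audit that applies the default permissions described above to a `/backup` listing and flags archives that deviate from it, such as a root:root world-readable tar or one whose group is a bare GID instead of the user's name. The listing is constructed from the format shown in the thread, and `admin` is assumed to be the admin username.

```python
import os, pwd, grp, re, stat
from typing import List, Tuple

# Constructed sample in the format of the `ls -al /backup` output above (not real server data).
SAMPLE_LISTING = """\
total 58556
drwxr-xr-x  2 root  root      4096 Dec 30 21:30 .
-rw-r-----  1 admin test2   174080 Dec 30 05:10 test2.2021-12-30_05-10-12.tar
-rw-rw----  1 root  root      1108 Dec 30 05:10 test2.log
-rw-r-----  1 admin 1007    153600 Dec 27 05:10 zzzzzzzz.2021-12-27_05-10-15.tar
-rw-r--r--  1 root  root  49981440 Dec 30 21:21 zzzzzzzz1.2021-12-30_21-25-04.tar
"""

LS_LINE = re.compile(r"^(?P<mode>[-dl][rwxstST-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
                     r"\s+\d+\s+\S+\s+\d+\s+[\d:]+\s+(?P<name>.+)$")

def check_archive(mode: str, owner: str, group: str, name: str, admin: str = "admin") -> List[str]:
    """Compare one archive against the stated default: -rw-r-----, owner admin,
    group = the user the backup belongs to (taken from the 'user.<timestamp>.tar' name)."""
    reasons = []
    expected_group = name.split(".", 1)[0]
    if mode[7:] != "---":
        reasons.append(f"world-accessible ({mode})")
    if owner != admin:
        reasons.append(f"owner {owner}, expected {admin}")
    if group != expected_group:  # catches root:root and an unresolved numeric GID like '1007'
        reasons.append(f"group {group}, expected {expected_group}")
    return reasons

def audit_listing(listing: str, admin: str = "admin") -> List[Tuple[str, str]]:
    """Run check_archive over captured `ls -l` lines; skips 'total', directories and .log files."""
    findings = []
    for line in listing.splitlines():
        m = LS_LINE.match(line.strip())
        if m and m["name"].endswith(".tar"):
            for reason in check_archive(m["mode"], m["owner"], m["group"], m["name"], admin):
                findings.append((m["name"], reason))
    return findings

def audit_dir(path: str = "/backup", admin: str = "admin") -> List[Tuple[str, str]]:
    """Same check against a live directory (needs permission to read it, i.e. run as root)."""
    findings = []
    for entry in os.scandir(path):
        if not entry.name.endswith(".tar"):
            continue
        st = entry.stat()
        try: owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError: owner = str(st.st_uid)
        try: group = grp.getgrgid(st.st_gid).gr_name
        except KeyError: group = str(st.st_gid)  # deleted user: the GID shows as a number
        for reason in check_archive(stat.filemode(st.st_mode), owner, group, entry.name, admin):
            findings.append((entry.name, reason))
    return findings
```

`audit_listing(SAMPLE_LISTING)` reports nothing for test2's archive and flags the other two; `audit_dir()` does the same against the real directory from a root cron job.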