RCE bug chain patched in CentOS Web Panel


Shell injected on servers via bypass of local file inclusion defenses


A security researcher has chained a pair of vulnerabilities in popular web hosting platform CentOS Web Panel (CWP) to achieve pre-authenticated remote command execution (RCE) as root.

Paulos Yibelo achieved RCE by using a null-byte file inclusion payload to register an attacker-controlled API key, using that key to write to a file on the server, and then including the written file through the same file inclusion bug.

CWP, a free-to-use Linux control panel, is in active use on more than 200,000 servers, according to Yibelo.

Bypassing stristr()

The researcher’s first key discovery was that two unauthenticated PHP pages, /user/loader.php and /user/index.php, implemented local file inclusion (LFI) protection that, when the ‘scripts’ parameter contained ‘..’, stopped processing the input and instead displayed ‘hacking attempt’ to the user.

The check behind this message was built on stristr(), which searches for the first occurrence of a string inside another string, and Yibelo set out to bypass it.

He first tried to trick PHP into treating characters other than dots as ‘.’, but this foundered on the fact that PHP does not normalize any characters to dots.

Then the researcher tried to bypass stristr(), the case-insensitive counterpart of strstr(), by looking for characters that the C runtime underlying PHP maps to a dot when lower-cased.


This route “didn’t yield any useful results but we did find some weird quirky behaviors worthy of future posts”, reads a blog post published by Yibelo for Octagon Networks, a team of researchers he recently co-founded.

Joining the dots

Tricking the check into seeing no consecutive dots (..) did prove fruitful, however: fuzzing surfaced a bypass for the LFI check, /.%00./ (CVE-2021-45467).

“Most [of] PHP’s functions in CWP (including the and functions) seem to process /.%00./ as /../ – similarly, while ignores the null bytes, it still counts its size so it bypasses the check,” he explained.

The file inclusion bug let him send a request that forced the server to register an API key of his choosing, which in turn allowed him to write to .txt files (CVE-2021-45466).

The resulting RCE chain is visualized in the video below:

https://youtu.be/ibe66aUtThs

Patches

Yibelo bypassed an initial fix for the file inclusion bug, which tried to detect a null byte sandwiched between two dots, simply by adding further null bytes.
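The three checks discussed above (the original stristr()-style test, the first fix that looked for a single null byte between dots, and a canonicalizing replacement) can be modelled side by side. The Python below is an added example written for this page, not CWP’s code or Yibelo’s proof of concept; the include root, the payload strings and the assumption that the include layer simply drops null bytes (as the article reports for CWP, rather than truncating at them as a C string would) are all constructed for illustration.

```python
import posixpath

# Assumed include root for the 'scripts' parameter (hypothetical, not CWP's real layout).
SCRIPT_ROOT = "/srv/panel/scripts"


def strip_nulls(value: str) -> str:
    """Drop embedded NUL bytes, modelling the behaviour the article reports for CWP's
    include path handling (/.%00./ is processed as /../)."""
    return value.replace("\x00", "")


def effective_path(scripts: str, root: str = SCRIPT_ROOT) -> str:
    """Path the include layer would open once NULs are ignored."""
    rel = strip_nulls(scripts).lstrip("/")
    return posixpath.normpath(posixpath.join(root, rel))


def original_check(scripts: str) -> bool:
    """Pre-patch check: stristr($scripts, '..') on the raw parameter.
    stristr is binary-safe, so the NUL in '.\\x00.' keeps it from seeing '..'."""
    return ".." not in scripts.lower()


def first_patch_check(scripts: str) -> bool:
    """First fix as described: additionally reject one NUL sandwiched between dots."""
    return ".." not in scripts.lower() and ".\x00." not in scripts


def hardened_check(scripts: str, root: str = SCRIPT_ROOT) -> bool:
    """Reject NULs outright, then canonicalize and confirm the result stays under root.
    (In production use realpath() so symlinks are resolved as well.)"""
    if "\x00" in scripts:
        return False
    resolved = posixpath.normpath(posixpath.join(root, scripts.lstrip("/")))
    return resolved == root or resolved.startswith(root + "/")


# Constructed payloads: a benign value, plain traversal, the /.%00./ bypass and the
# double-NUL variant that defeated the first fix.
PAYLOADS = {
    "benign": "dashboard/widgets",
    "plain_dotdot": "../../etc/passwd",
    "null_in_dots": ".\x00./.\x00./etc/passwd",
    "double_null": ".\x00\x00./.\x00\x00./etc/passwd",
}


def evaluate(scripts: str) -> dict:
    """Run every check on one parameter value and show where the include would land."""
    return {
        "original_allows": original_check(scripts),
        "first_patch_allows": first_patch_check(scripts),
        "hardened_allows": hardened_check(scripts),
        "effective_path": effective_path(scripts),
    }


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(name, evaluate(payload))
```

The two null-byte payloads pass the original check, and the double-null one also passes the first fix, yet both resolve to a path outside the include root once the NULs are dropped. The hardened variant does not reason about the attacker’s encoding at all: it refuses NUL bytes and then validates the canonical path, so further encoding tricks have nothing left to bypass.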

The researcher said some servers appeared to have been exploited by attackers who had reverse-engineered this patch.

Yibelo told The Daily Swig that the CWP maintainers rolled out a further patch “in their latest version with a better way to find and delete null bytes: .”

Replication problems have been flagged on Reddit. Yibelo said that, so far, the security issues appear to be CWP-specific.

The researcher said he would publish a full proof of concept “once enough servers migrate to the latest version”.
