Two critical security vulnerabilities in Control Web Panel potentially expose Linux servers to remote code execution attacks
Researchers from Octagon Networks disclosed details of two critical security flaws in Control Web Panel that potentially expose Linux servers to remote code execution attacks.
Control Web Panel is a popular open-source Linux control panel for servers and VPS that allows easy management of web hosting environments.
An attacker could chain the vulnerabilities to achieve pre-authenticated remote code execution on vulnerable Linux servers.
The first issue, tracked as CVE-2021-45467, is a file inclusion vulnerability that occurs when a web application is tricked into exposing or running arbitrary files on the webserver.
Experts focused their analysis on vulnerabilities that can be exploited by unauthenticated users or through zero-click attacks, in particular, they tested sections of the panel that are exposed without authentication in the webroot, including /user/loader.php and /user/index.php.
The expert Paulos Yibelo from Octagon Networks discovered that several PHP’s functions (including the require() and include() functions) seem to process /.%00./ as /../. Protections implemented in the application don’t allow to switch to a parent directory (using “..”) but they allow the PHP interpreter to accept a specially crafted string such as “.$00.” that allows bypassing any restriction,
Similarly, while stristr() ignores the null bytes, it still counts its size so it bypasses the check.
This means that it is possible to include any file on the server, if an attacker finds a way to write to a file, it can get preauth RCE.
Despite unix file r/w locking settings in CWP, an attacker can exploit the file inclusion bug to reach the restricted API section, which requires API key to access and is not exposed in the webroot.
Chaining this flaw with an arbitrary file writes vulnerability such as the CVE-2021-45466 flaw, an attacker can gain full remote code execution on the server.
“But by using our file inclusion, sending a request like the following will result in the server registering any API key we want.” explained the expert.GET https://CWP/user/loader.php?api=1&scripts= .%00./.%00./api/account_new_create&acc=guadaapi&ip=192.168.1.1&keyapi=OCTAGON
“Now we have added the api key “OCTAGON” requesting from 192.168.1.1 to have access to the full API like the following:GET https://CWP/api/?key=OCTAGON&api=add_server is now a valid API request.
The expert found a way to exploit a file write bug in the API section that allowed him to a .TXT file. For example, using a maliciously added key.
That will write to a file called authorized_keys located in the /resources/ folder. Then, using the first file inclusion bug the expert includes it malicious authorized_keys file to get full RCE.
The CWP maintainers have already addressed the flaw with security updates released this month.
(SecurityAffairs – hacking, Control Web Panel)