Information

Product             : CWP Control Web Panel
Vulnerability Name  : Root Privilege Escalation
Version             : 0.9.8.836
Fixed on            : 0.9.8.840
Tested on           : CentOS 7.6.1810 (Core)
Reference           : http://centos-webpanel.com/
                    : https://control-webpanel.com/changelog
CVE-Number          : CVE-2019-13359

Description

The vulnerability allows a low-privilege user to escalate to root by crafting a session file in a testing environment and uploading it to the /tmp directory on the target server.


State 1 Session preparation (Testing Environment)

  1. Check the current IP address of the attacker

  2. Set the IP address on the testing environment network

  3. Log in as root on port 2031/2087 and save the cookie name from the web browser (cwsrp-xxxxxxxxxxxxxxxxxxxxx)

  4. Copy the content of the session file (/tmp/sess_xxxxxxxxxxxxxx) to a new file "sess_123456" # we need "rkey"

  5. Save the token value from the session file (cwp_24a7ebcfc91fc0817cc8961b115c8cd0)



State 2 Attack the target

  6. On the real target, log in as a normal user on port 2083 and upload the file "sess_123456" to the /tmp directory

Login


Upload sess_123456 file


Intercept the request


Modify the parameter "fm_current_dir" value to "/tmp/"


Upload successfully


  7. On another browser, replace the token value in the URL https://[target.com]:2031/cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/admin/index.php, create a cookie named "cwsrp-xxxxxxxxxxxxxxxxxxxxx", and set its value to "123456" (sess_123456)

  8. Refresh the browser and get root

Root panel


Check the file sess_123456


Web console


*Steps 6 to 8 must be completed quickly. If they are done too slowly, the application changes the permission of the file sess_123456 to 600 and the file becomes 0 bytes. If this happens, change the session file name and repeat the steps. To avoid the problem, set a crontab entry and execute it:

* * * * * chmod 664 /tmp/sess_123456
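
A defender-side check for the condition this advisory relies on, as an added example that is not part of the original advisory or of CWP: it lists sess_* files in a directory that are not owned by the expected account or that carry group/other permission bits such as 664. The expected owner (uid 0), the function names and the sample files are assumptions; set the uid to the account your panel's PHP process runs as.

```python
import os
import stat
import tempfile

SESSION_PREFIX = "sess_"  # session file naming shown in the advisory (/tmp/sess_...)


def audit_session_files(directory="/tmp", expected_uid=0):
    """Return sorted (name, reasons) for session files that look planted.

    expected_uid is an assumption: the account the panel's PHP process runs as.
    """
    findings = []
    with os.scandir(directory) as entries:
        for entry in entries:
            if not entry.name.startswith(SESSION_PREFIX):
                continue
            try:
                st = os.lstat(entry.path)  # lstat: do not follow symlinks
            except FileNotFoundError:
                continue  # session expired between listing and stat
            reasons = []
            if not stat.S_ISREG(st.st_mode):
                reasons.append("not a regular file")
            if st.st_uid != expected_uid:
                reasons.append(f"owner uid {st.st_uid} != {expected_uid}")
            mode = stat.S_IMODE(st.st_mode)
            if mode & 0o077:  # any group/other bit, e.g. 664
                reasons.append(f"mode {mode:03o} grants group/other access")
            if reasons:
                findings.append((entry.name, reasons))
    return sorted(findings)


def demo():
    """Constructed sample: one well-formed session file, one loosened to 664."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("sess_legit", 0o600), ("sess_123456", 0o664),
                           ("unrelated.txt", 0o644)):
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        # The current uid stands in for the panel account in this demo.
        return audit_session_files(tmp, expected_uid=os.getuid())


if __name__ == "__main__":
    for name, reasons in demo():
        print(name, "->", "; ".join(reasons))
```

Run against /tmp on a host still on a version before 0.9.8.840, any hit is worth correlating with file-manager uploads on port 2083.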



Timeline

2019-06-30: Discovered the bug
2019-06-30: Reported to vendor
2019-06-30: Vendor accepted the vulnerability
2019-07-02: The vulnerability has been fixed
2019-07-06: Published

Discovered by

Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak