
Information

Product             : CWP Control Web Panel
Vulnerability Name  : Root Privilege Escalation
Version             : 0.9.8.836
Fixed on            : 0.9.8.840
Tested on           : CentOS 7.6.1810 (Core)
Reference           : http://centos-webpanel.com/
                    : https://control-webpanel.com/changelog
CVE-Number          : CVE-2019-13359

Description

The vulnerability allows a low-privilege user to escalate to root by crafting a session file in a testing environment and uploading it to the /tmp directory on the target server.


State 1 Session preparation (Testing Environment)

  1. Check the current IP address of the attacker


  2. Set that IP address on the testing environment network


  3. Log in as root on port 2031/2087 and save the cookie name from the web browser (cwsrp-xxxxxxxxxxxxxxxxxxxxx)


  4. Copy the content of the session file (/tmp/sess_xxxxxxxxxxxxxx) to a new file "sess_123456" (the "rkey" value is needed)


  5. Save the token value from the session file (cwp_24a7ebcfc91fc0817cc8961b115c8cd0)



State 2 Attack the target

  6. On the real target, log in as a normal user on port 2083 and upload the file "sess_123456" to the /tmp directory

Login


Upload sess_123456 file


Intercept the request


Modify the parameter "fm_current_dir" value to "/tmp/"


Upload successfully


  7. In another browser, replace the token value in the URL https://[target.com]:2031/cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/admin/index.php, then create a cookie named "cwsrp-xxxxxxxxxxxxxxxxxxxxx" and set its value to "123456" (from sess_123456)


  8. Refresh the browser to get root

Root panel


Check the file sess_123456


Web console


*Steps 6 to 8 must be completed quickly. If they are done too slowly, the application changes the permission of the file sess_123456 to 600 and the file becomes 0 bytes. If this happens, change the session file name and repeat the steps. To avoid the problem, set the following crontab entry:

* * * * * chmod 664 /tmp/sess_123456
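
On the defensive side, a planted session file of the kind described above stands out by its owner and mode, so the session directory can be audited for `sess_*` files that are not owner-only or not owned by the expected account. This is an added example, not code from the original advisory or from CWP; the function name `audit_session_dir` is hypothetical, and it assumes legitimate admin session files are owned by uid 0 with mode 600 (adjust `expected_uid` for the host).

```python
import stat
from pathlib import Path


def audit_session_dir(session_dir="/tmp", expected_uid=0):
    """Return (path, reason) pairs for sess_* files that look planted.

    Assumption: legitimate session files are regular files owned by
    expected_uid and readable/writable by the owner only (mode 600).
    """
    findings = []
    for entry in sorted(Path(session_dir).glob("sess_*")):
        try:
            st = entry.lstat()  # lstat so a symlink is reported, not followed
        except FileNotFoundError:
            continue  # session was removed between listing and stat
        if not stat.S_ISREG(st.st_mode):
            findings.append((str(entry), "not a regular file"))
            continue
        if st.st_uid != expected_uid:
            findings.append(
                (str(entry), f"owner uid {st.st_uid}, expected {expected_uid}")
            )
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:  # any group/other permission bit, e.g. 664
            findings.append(
                (str(entry), f"mode {mode:o} grants group/other access")
            )
    return findings


if __name__ == "__main__":
    for path, reason in audit_session_dir():
        print(f"{path}: {reason}")
```
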



Timeline

2019-06-30: Discovered the bug
2019-06-30: Reported to vendor
2019-06-30: Vendor accepted the vulnerability
2019-07-02: The vulnerability has been fixed
2019-07-06: Published

Discovered by

Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak