Product : CWP Control Web Panel
Vulnerability Name : Root Privilege Escalation
version : 0.9.8.836
Fixed on : 0.9.8.840
Test on : CentOS 7.6.1810 (Core)
Reference : http://centos-webpanel.com/
          : https://control-webpanel.com/changelog
CVE-Number : CVE-2019-13359
The vulnerability allows low-privilege users to escalate themselves to root by crafting a session file in a testing environment and uploading it to the /tmp directory of the target server.
Stage 1: Session preparation (Testing Environment)
- Check the current IP address of attacker
- Set the IP address on testing environment network
- Log in as root on port 2031/2087 and save the cookie name from the web browser (cwsrp-xxxxxxxxxxxxxxxxxxxxx)
- Copy the content of session file (/tmp/sess_xxxxxxxxxxxxxx) to a new file "sess_123456" # we need "rkey"
- Save the token value from the session file (cwp_24a7ebcfc91fc0817cc8961b115c8cd0)
Stage 2: Attack the target
- On the real target, log in as a normal user on port 2083 and upload the file "sess_123456" to the /tmp directory
Upload sess_123456 file
Intercept the request
Modify the parameter "fm_current_dir" value to "/tmp/"
- In another browser, replace the token value in the URL https://[target.com]:2031/cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/admin/index.php, then create a cookie named "cwsrp-xxxxxxxxxxxxxxxxxxxxx" and set its value to "123456" (sess_123456)
- Refresh the browser to get root
Check the file sess_123456
*Steps 6 - 8 must be completed quickly. If they are done too slowly, the application changes the permission of the file sess_123456 to 600 and the file becomes 0 bytes. If this happens, change the session file name and repeat the steps. To avoid the problem, set a crontab entry and execute it:
* * * * * chmod 664 /tmp/sess_123456
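A defender-side check for the condition this advisory relies on (a session directory that unprivileged users can write to, and a sess_ file that is not owner-only), given here as an added example that is not part of the original advisory or of CWP. The function name audit_session_dir and the sample files are constructed for illustration, and the expected owner uid is an assumption the operator supplies.

```python
import os
import stat
import tempfile


def audit_session_dir(session_dir, expected_uid):
    """Return (dir_world_writable, findings) for sess_* files in session_dir.

    findings maps file name -> reasons the file looks planted or tampered with.
    expected_uid is an assumption: the account the panel's PHP process runs as.
    """
    dir_mode = os.stat(session_dir).st_mode
    dir_world_writable = bool(dir_mode & stat.S_IWOTH)
    findings = {}
    for entry in os.scandir(session_dir):
        if not entry.name.startswith("sess_"):
            continue
        st = entry.stat(follow_symlinks=False)
        mode = stat.S_IMODE(st.st_mode)
        reasons = []
        if not stat.S_ISREG(st.st_mode):
            reasons.append("not a regular file")
        if st.st_uid != expected_uid:
            reasons.append(f"owner uid {st.st_uid}, expected {expected_uid}")
        if mode & 0o077:
            reasons.append(f"mode {mode:04o} grants group/other access")
        if reasons:
            findings[entry.name] = reasons
    return dir_world_writable, findings


def demo():
    """Constructed sample: one ordinary session file and one with mode 664."""
    samples = (("sess_0123456789abcdefghijklmnop", 0o600), ("sess_123456", 0o664))
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o1777)  # same mode as a typical /tmp
        for name, mode in samples:
            path = os.path.join(d, name)
            with open(path, "w") as fh:
                fh.write("constructed-sample")
            os.chmod(path, mode)
        return audit_session_dir(d, os.getuid())


if __name__ == "__main__":
    world_writable, findings = demo()
    print("session dir world-writable:", world_writable)
    for name, reasons in sorted(findings.items()):
        print(name, "->", "; ".join(reasons))
```

On a real host the function would be pointed at the PHP session save path; a world-writable result for that directory is the underlying exposure, independent of any individual file finding.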
2019-06-30: Discovered the bug
2019-06-30: Reported to vendor
2019-06-30: Vendor accepted the vulnerability
2019-07-02: The vulnerability has been fixed
2019-07-06: Published
Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak