

Product             : CWP Control Web Panel
Vulnerability Name  : Root Privilege Escalation
Version             :
Fixed on            :
Tested on           : CentOS 7.6.1810 (Core)
Reference           :
CVE-Number          : CVE-2019-13359


The vulnerability allows low-privilege users to escalate themselves to root by crafting a session file in a testing environment and uploading it to the /tmp directory on the target server.

Stage 1 Session preparation (Testing Environment)

  1. Check the attacker's current IP address

  2. Set the IP address on the testing environment network

  3. Log in as root on port 2031/2087 and save the cookie name from the web browser (cwsrp-xxxxxxxxxxxxxxxxxxxxx)

  4. Copy the content of the session file (/tmp/sess_xxxxxxxxxxxxxx) to a new file "sess_123456" (we need "rkey")

  5. Save the token value from the session file (cwp_24a7ebcfc91fc0817cc8961b115c8cd0)

Stage 2 Attack the target

  6. On the real target, log in as a normal user on port 2083 and upload the file "sess_123456" to the /tmp directory


Upload sess_123456 file

Intercept the request

Modify the parameter "fm_current_dir" value to "/tmp/"

Upload successfully

  7. In another browser, replace the token value in the URL https://[]:2031/cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/admin/index.php, create a cookie named "cwsrp-xxxxxxxxxxxxxxxxxxxxx" and set its value to "123456" (sess_123456)

  8. Refresh the browser and get root

Root panel

Check the file sess_123456

Web console

*Steps 6 to 8 must be completed quickly. If they are done too slowly, the application changes the permission of the file sess_123456 to 600 and the file becomes 0 bytes. If this happens, we need to change the session file name and repeat the steps. To avoid the problem, set a crontab entry and let it run:

* * * * * chmod 664 /tmp/sess_123456
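
A defender-side check for the condition this advisory depends on, added here as an example that is not part of the original advisory or of CWP: it flags sess_* files in the session directory whose owner or mode differs from what the panel writes. The 600 mode comes from the note above; the expected owner (root, uid 0), the function names and the sample files are assumptions.

```python
import os
import stat
import tempfile


def audit_session_dir(directory, expected_uid=0, expected_mode=0o600):
    """Return [(name, [reasons])] for sess_* files with an unexpected owner or mode.

    expected_uid=0 (root-owned admin sessions) is an assumption; adjust it to
    the account your panel runs as. Mode 600 is the value named in the note.
    """
    findings = []
    for entry in sorted(os.scandir(directory), key=lambda e: e.name):
        if not entry.name.startswith("sess_"):
            continue
        st = entry.stat(follow_symlinks=False)  # lstat: never follow a planted link
        reasons = []
        if not stat.S_ISREG(st.st_mode):
            reasons.append("not a regular file")
        if st.st_uid != expected_uid:
            reasons.append(f"owner uid {st.st_uid}, expected {expected_uid}")
        mode = stat.S_IMODE(st.st_mode)
        if mode != expected_mode:
            reasons.append(f"mode {mode:03o}, expected {expected_mode:03o}")
        if reasons:
            findings.append((entry.name, reasons))
    return findings


def demo():
    """Constructed sample directory: one normal session file, one planted one."""
    with tempfile.TemporaryDirectory() as d:
        samples = (("sess_constructedsessionid01", 0o600),
                   ("sess_123456", 0o664),
                   ("unrelated.txt", 0o664))
        for name, mode in samples:
            path = os.path.join(d, name)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        # Files here belong to the current user, so use that as the expected owner.
        return audit_session_dir(d, expected_uid=os.getuid())


if __name__ == "__main__":
    for name, reasons in demo():
        print(f"{name}: {'; '.join(reasons)}")
```

On a live host, run `audit_session_dir("/tmp")` as root; a finding on a file owned by a panel user account is the upload described in step 6.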


2019-06-30: Discovered the bug
2019-06-30: Reported to vendor
2019-06-30: Vendor accepted the vulnerability
2019-07-02: The vulnerability has been fixed
2019-07-06: Published

Discovered by

Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak