Researchers have discovered two critical bugs in Control Web Panel (CWP) – a popular web hosting management software used by 200,000+ servers – that could allow for remote code execution (RCE) as root on vulnerable Linux servers.
CWP, formerly known as CentOS Web Panel, is an open-source Linux control panel software used for creating and managing web-hosting environments. The software supports the operating systems CentOS, Rocky Linux, Alma Linux and Oracle Linux.
The two vulnerabilities – found by Octagon Networks’ Paulos Yibelo – are tracked as CVE-2021-45467 (a file-inclusion vulnerability) and CVE-2021-45466 (a file-write bug). When chained, the two vulnerabilities can lead to RCE.
Exploitable Without Authentication
The problems are found in parts of the CWP panel that are exposed without authentication in the webroot, according to Octagon’s writeup.
“Turns out, not a lot is exposed,” the researchers wrote, but they found a few things. The two pages Octagon focused on are /user/loader.php and /user/index.php, which use the following file-inclusion protection method (shown here from /user/loader.php):
That protection relies on a method, GETSecurity(), which is defined as follows:
In order to exploit the vulnerability and inject malicious code from a remote resource, an attacker would simply need to alter the include statement, which is used to insert the content of one PHP file into another PHP file before the server executes it.
Doing so requires bypassing the protections meant to keep unauthenticated users out of the restricted API section, a feat that can be accomplished by registering an API key via the file-inclusion bug and then creating a malicious authorized_keys file on the server via the file-write flaw.
It’s not that CWP lacked protections that flag efforts to switch to a parent directory. If a parameter script contains “..” – as in, two dots – the app flags it as a “hacking attempt” and abstains from processing the input.
But that protection didn’t stop the PHP interpreter from accepting a specially crafted string and effectively achieving a full bypass – by fooling PHP “into thinking there are no consecutive dots (..),” the researchers explained.
Running the fuzzer depicted below got the Octagon researchers the bypass string /.%00./.
How it’s done, researchers explained:
- Send a null byte powered file inclusion payload to add malicious API key
- Use API key to write to a file (CVE-2021-45466)
- Use step #1 to include the file we just wrote into (CVE-2021-45467)
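The core weakness above is a verbatim substring check for “..” applied before the input is interpreted further. The following added example (not CWP’s or Octagon’s code) models that described filter as weak_check(), shows that the published bypass string passes it, and contrasts it with a hardened check that rejects control bytes, canonicalises the path and allow-lists the include target. The base directory and allow-list are assumptions for the demonstration; PHP’s own handling of the decoded string is not reproduced here.

```python
"""Added example: a substring filter for ".." versus a canonicalising allow-list check."""
import os
from urllib.parse import unquote

# Constructed sample inputs; the third is the bypass string from the writeup.
SAMPLES = ["loader", "../../etc/passwd", "/.%00./", "loader%00.txt"]
BASE_DIR = "/var/www/user"            # assumed include root for the demo
ALLOWED = frozenset({"loader.php"})    # assumed allow-list of includable files


def weak_check(scripts: str) -> bool:
    """Model of the described filter: the request is accepted unless the raw
    parameter contains two consecutive dots. Returns True when accepted."""
    return ".." not in scripts


def hardened_check(scripts: str, base_dir: str = BASE_DIR,
                   allowed: frozenset = ALLOWED) -> bool:
    """Decode first, reject NUL and other control bytes, then resolve the
    path and require it to be an allow-listed file inside base_dir."""
    decoded = unquote(scripts)
    if any(ord(c) < 0x20 for c in decoded):   # catches "\x00" from %00
        return False
    if os.path.isabs(decoded):               # never accept absolute paths
        return False
    base = os.path.realpath(base_dir)
    resolved = os.path.realpath(os.path.join(base, decoded + ".php"))
    if os.path.commonpath([base, resolved]) != base:
        return False                         # escaped the include root
    return os.path.relpath(resolved, base) in allowed


def compare(samples=SAMPLES) -> dict:
    """Return {input: (weak_accepts, hardened_accepts)} for each sample."""
    return {s: (weak_check(s), hardened_check(s)) for s in samples}


if __name__ == "__main__":
    for value, (weak, hard) in compare().items():
        print(f"{value!r:24} weak={weak!s:5} hardened={hard}")
```

The output shows that the “..” filter rejects the obvious traversal string but accepts the null-byte variant, while the hardened check accepts only the allow-listed include.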
The CVE-2021-45467 file-inclusion vulnerability was patched, but Octagon researchers said that they still saw how “some managed to reverse the patch and exploit some servers.” They shared the following video demonstrating the issue:
Octagon will be releasing a full proof of concept for achieving the pre-auth RCE “once enough servers migrate to the latest version,” according to the report.