Control Web Panel: Critical bugs expose Linux servers to RCE attacks

Panneau Web CentOS News

Researchers revealed details about two security flaws in Control Webpanel . These vulnerabilities could be exploited as part of an exploit sequence to gain remote code execution pre-authenticated on the affected servers.

Tracked as CVE-2021-45467, the issue concerns a case of a file inclusion vulnerability, which occurs when a web application is tricked into exposing or running arbitrary files on the web server.

Control Web Panel (previously CentOS Web Panel) is an open-source Linux control software that can be used to deploy web hosting environments.

Specifically, the issue arises when two of the unauthenticated PHP pages used in the application — “/user/login.php” and “/user/index.php” — fail to adequately validate a path to a script file, according to Octagon Networks’ Paulos Yibelo, who discovered and reported the flaws.

This means that in order to exploit the vulnerability, all an attacker has to do is to alter the include statement, which is used to include the content of one PHP file into another PHP file, to inject malicious code from a remote resource and achieve code execution.

Interestingly, while the application had protections in place to flag efforts to switch to a parent directory (denoted by “..”) as a “hacking attempt” it did nothing to prevent the PHP interpreter from accepting a specially crafted string such as “.$00.” This effectively allowed the application to bypass all security measures.

This not only allows a bad actor to access restricted API endpoints, it can be used in conjunction with an arbitrary file write vulnerability (CVE-2021-45466) to gain full remote code execution on the server as follows —

  • Send a null byte powered file inclusion payload to add malicious API key
  • Use API key to write to a file (CVE-2021-45466)
  • Use step #1 to include the file we just wrote into (CVE-2021-45467)

Following responsible disclosure, the flaws have since been addressed by the CWP maintainers along with updates shipped earlier this month.

Rate author