
CVE-2019-13359: CentOS-Control-Web-Panel-CVE/CVE-2019-13359.md at master · i3umi3iei3ii/CentOS-Control-Web-Panel-CVE

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, a cwpsrv-xxx cookie allows a normal user to craft and upload a session file to the /tmp directory, and use it to become the root user.


Information

Product             : CWP Control Web Panel
Vulnerability Name  : Root Privilege Escalation
Version             : 0.9.8.836
Fixed in            : 0.9.8.840
Tested on           : CentOS 7.6.1810 (Core)
Reference           : http://centos-webpanel.com/
                    : https://control-webpanel.com/changelog
CVE-Number          : CVE-2019-13359

Description

The vulnerability allows low-privilege users to escalate themselves to the root user by crafting a session file in a testing environment and uploading it to the /tmp directory on the target server.

State 1 Session preparation (Testing Environment)

  1. Check the attacker's current IP address
  2. Set the IP address on the testing environment network
  3. Log in as root on port 2031/2087 and save the cookie name from the web browser (cwsrp-xxxxxxxxxxxxxxxxxxxxx)
  4. Copy the content of the session file (/tmp/sess_xxxxxxxxxxxxxx) to a new file “sess_123456” (we need “rkey”)
  5. Save the token value from the session file (cwp_24a7ebcfc91fc0817cc8961b115c8cd0)

State 2 Attack the target

  6. On the real target, log in as a normal user on port 2083 and upload the file “sess_123456” to the /tmp directory

Login

Upload sess_123456 file

Intercept the request

Modify the parameter “fm_current_dir” value to “/tmp/”

Upload successfully

  7. In another browser, replace the token value in the URL https://[target.com]:2031/cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/admin/index.php, create a cookie named “cwsrp-xxxxxxxxxxxxxxxxxxxxx” and set its value to “123456” (sess_123456)
  8. Refresh the browser and get root

Root panel

Check the file sess_123456

Web console

*Steps 6 to 8 need to be completed quickly. If we do them too slowly, the application will change the permission of the file sess_123456 to 600 and the file will become 0 bytes. If this happens, we need to change the session file name and repeat the steps. To avoid the problem, set a crontab entry and execute it:

* * * * * chmod 664 /tmp/sess_123456
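
A host-side check for the artifact described above (a sess_* file in /tmp that a normal user placed there and keeps at mode 664), written as an added example that is not part of the original advisory. It assumes legitimate panel sessions are owned by one known account (root by default, an assumption) and carry mode 600, and it needs GNU stat; the function name audit_sessions is hypothetical.

```shell
#!/bin/sh
# Added example: flag PHP session files the panel is unlikely to have created.
# Assumptions: sessions live in DIR as sess_*, legitimate ones belong to OWNER
# (root by default, an assumption) and have mode 600. Requires GNU stat.
#
# Usage: audit_sessions [DIR] [OWNER]
# Output: one line per flagged file: <reason> <owner> <mode> <path>
#   reason is "owner", "mode" or "owner,mode"

audit_sessions() {
    dir=${1:-/tmp}
    owner=${2:-root}
    for f in "$dir"/sess_*; do
        # Skip the literal pattern when nothing matches the glob.
        if [ ! -e "$f" ] && [ ! -L "$f" ]; then
            continue
        fi
        # The file may vanish between the glob and stat; ignore that case.
        info=$(stat -c '%U %a' "$f" 2>/dev/null) || continue
        file_owner=${info% *}
        file_mode=${info#* }
        reason=""
        if [ "$file_owner" != "$owner" ]; then
            reason="owner"
        fi
        if [ "$file_mode" != "600" ]; then
            reason="${reason:+$reason,}mode"
        fi
        if [ -n "$reason" ]; then
            printf '%s %s %s %s\n' "$reason" "$file_owner" "$file_mode" "$f"
        fi
    done
    return 0
}
```

Any output from `audit_sessions /tmp root` on a panel host is worth reviewing together with the users' crontabs, since the note above relies on a cron entry to hold the file at mode 664.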

Timeline

2019-06-30: Discovered the bug
2019-06-30: Reported to vendor
2019-06-30: Vendor accepted the vulnerability
2019-07-02: The vulnerability has been fixed
2019-07-06: Published

Discovered by

Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
