# CVE-2019-13359: CentOS-Control-Web-Panel-CVE/CVE-2019-13359.md at master · i3umi3iei3ii/CentOS-Control-Web-Panel-CVE

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, a cwpsrv-xxx cookie allows a normal user to craft and upload a session file to the /tmp directory, and use it to become the root user.
## Information

- Product: CWP Control Web Panel
- Vulnerability Name: Root Privilege Escalation
- Version: 0.9.8.836
- Fixed on: 0.9.8.840
- Tested on: CentOS 7.6.1810 (Core)
- Reference: http://centos-webpanel.com/ , https://control-webpanel.com/changelog
- CVE-Number: CVE-2019-13359
## Description

The vulnerability allows a low-privilege user to escalate to root by crafting a session file in a testing environment and uploading it to the target server's /tmp directory.
### Stage 1: Session preparation (testing environment)

1. Check the current IP address of the attacker.
2. Set that IP address on the testing environment's network.
3. Log in as root on port 2031/2087 and save the cookie name from the web browser (cwpsrv-xxxxxxxxxxxxxxxxxxxxx).
4. Copy the content of the session file (/tmp/sess_xxxxxxxxxxxxxx) to a new file “sess_123456” (the “rkey” value is what is needed).
5. Save the token value from the session file (cwp_24a7ebcfc91fc0817cc8961b115c8cd0).

### Stage 2: Attack the target

6. On the real target, log in as a normal user on port 2083 and upload the file “sess_123456” to the /tmp directory:
   - Login
   - Upload the sess_123456 file
   - Intercept the request
   - Modify the parameter “fm_current_dir” value to “/tmp/”
   - Upload successfully
7. In another browser, replace the token value in the URL https://[target.com]:2031/cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/admin/index.php, create a cookie named “cwpsrv-xxxxxxxxxxxxxxxxxxxxx” and set its value to “123456” (sess_123456).
8. Refresh the browser; the session is now root.
   - Root panel
   - Check the file sess_123456
   - Web console

*Steps 6 to 8 must be completed quickly. If they are done too slowly, the application changes the permissions of sess_123456 to 600 and the file becomes 0 bytes. If that happens, change the session file name and repeat the steps. To avoid the problem, set a crontab entry and let it run:

```
* * * * * chmod 664 /tmp/sess_123456
```
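The protection the advisory races against is the panel resetting the session file to mode 600; a planted file is therefore one that is group/other accessible, owned by the wrong account, or named with an id PHP would never generate (such as `sess_123456`). The audit below is an added example, not code from the advisory or from CWP: it assumes sessions live as `sess_<id>` files in a directory such as /tmp and takes the expected owner uid as a parameter; the 22-character minimum id length is an assumption, and the sample directory it builds is constructed for the demo.

```python
import os
import re
import stat
import tempfile

# PHP's generated session ids use [0-9a-zA-Z,-] and are 26-32 chars long (hypothetical
# threshold below); an id like "123456" cannot come from the runtime.
SESSION_ID = re.compile(r"^sess_([0-9a-zA-Z,-]+)$")
MIN_ID_LEN = 22  # assumption: shorter ids were not generated by PHP


def audit_session_dir(session_dir, expected_uid):
    """Return {filename: [reasons]} for session files that look planted."""
    findings = {}
    for name in sorted(os.listdir(session_dir)):
        if not name.startswith("sess_"):
            continue
        st = os.lstat(os.path.join(session_dir, name))
        mode = stat.S_IMODE(st.st_mode)
        reasons = []
        if not stat.S_ISREG(st.st_mode):
            reasons.append("not a regular file")
        if st.st_uid != expected_uid:
            reasons.append("owner uid %d != expected %d" % (st.st_uid, expected_uid))
        if mode & 0o077:  # healthy session files are 0600
            reasons.append("mode %o is group/other accessible" % mode)
        m = SESSION_ID.match(name)
        if not m or len(m.group(1)) < MIN_ID_LEN:
            reasons.append("session id not in PHP's generated format")
        if reasons:
            findings[name] = reasons
    return findings


def build_demo_dir():
    """Constructed sample: one normal session file and one planted like the advisory's."""
    d = tempfile.mkdtemp(prefix="sessaudit_")
    for name, mode in (("sess_a1b2c3d4e5f6g7h8i9j0k1l2m3", 0o600), ("sess_123456", 0o664)):
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write('rkey|s:3:"xxx";')  # constructed serialized session body
        os.chmod(path, mode)  # 664 is what the advisory's crontab keeps forcing
    return d


def run_demo():
    """Audit the constructed directory against the current user as expected owner."""
    return audit_session_dir(build_demo_dir(), os.getuid())


if __name__ == "__main__":
    for name, reasons in run_demo().items():
        print(name, "->", "; ".join(reasons))
```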
## Timeline

- 2019-06-30: Discovered the bug
- 2019-06-30: Reported to vendor
- 2019-06-30: Vendor accepted the vulnerability
- 2019-07-02: The vulnerability has been fixed
- 2019-07-06: Published

## Discovered by

Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak