Earlier this year, researchers at Immersive Labs responsibly disclosed several vulnerabilities in CentOS Web Panel, which was recently rebranded as Control Web Panel (CWP).
The vulnerabilities we found allowed malicious actors to take over accounts and run commands as root on vulnerable servers. There were hundreds of thousands of those servers online – millions of websites could have been affected.
All of them are now fully patched. MITRE assigned the following CVEs to the vulnerabilities we reported:
- CVE-2022-25046: Path traversal vulnerability leading to remote code execution (RCE)
- CVE-2022-25047: Account hijack via the password reset token
- CVE-2022-25048: As a standard user, execute commands in the context of root
What is CWP?
CWP is a shared hosting platform built to run on CentOS servers. Its shared hosting model means that even a single web server running CWP can host many websites.
The server operator creates standard user accounts for each new customer – effectively giving them their own slice of the resources on the shared server.
As with most things, there are pros and cons to this kind of setup. The positive side is the financial benefit: monthly running costs for both the operator and the customer are low because a single server is capable of running thousands of websites.
The downside is that if the single host goes down, so does every website it hosts. Even more concerning, if the main host gets compromised, so does every account provisioned on the server.
Shodan shows there are roughly 185,000 active CWP servers on the internet. Each one likely runs between 10 and 100 websites, meaning any vulnerability in the underlying server software could impact millions of individual websites.
CWP caters to personal and small business accounts rather than large enterprises, but a large "watering hole" attack would still have a pretty big potential threat surface.
Attackers exploiting these vulnerabilities at scale could infect millions of websites with credential-harvesting malware or target payment portals to intercept or modify banking details.
At the time of writing, all of the reported vulnerabilities have been patched by the team at CWP.
In its default configuration, CWP automatically applies updates at regular intervals, meaning that all CWP instances should be fully patched unless updates have been forcibly disabled.
To check your installed version, SSH onto the target server and run the following command:
cat /path/to/version.php
How we discovered them
The next few paragraphs go into a bit more technical detail about how we discovered the vulnerabilities, as well as how they work.
CVE-2022-25046: Path traversal vulnerability leading to remote code execution
Back in January, Octagon published a blog post discussing a CVE that chained two old vulnerabilities together to achieve pre-authenticated RCE. When we took a closer look at the way the vulnerabilities worked, we realized they only affected an older version of the application. In fact, most of the functions mentioned no longer existed.
So we looked more closely at the mitigations described in the Octagon post. We noticed that the code in the latest version had been modified further, with the addition of strip_tags. This function is designed to stop XSS attacks by filtering out and removing the HTML tags that are frequently used for them.
However, the unintended side effect of this extra protection is a new (and trivial) way to bypass the directory traversal filtering.
In this function, the first check is a string comparison that looks for .. and checks whether the null byte trick is being used – as reported by Octagon.
From there, the function trims whitespace from both ends, replaces any null bytes, and then strips any HTML.
Then comes the issue. If you send a string like variable=../ in which an HTML tag sits between the two dots, the first check passes because the literal .. isn't present. But after the final strip_tags call removes the tag, you're left with exactly the .. sequence the check was meant to block.
With a way to bypass the checks, you can now perform a standard directory traversal attack.
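The ordering problem described above, as an added example that is not CWP's code: two hypothetical filters, one that validates before strip_tags (the weak order) and one that normalises first, validates last, and then confirms with realpath that the resolved file stays under the base directory. The base directory, file names and the tag-split input are constructed for the demonstration.

```php
<?php
// Added example, not CWP's code: two hypothetical filters modelling the pattern
// described above, to show why the order of sanitisation steps matters.

// Weak order: the ".." check runs BEFORE strip_tags(), so an HTML tag placed
// between the two dots hides the sequence from the check and is removed later.
function weak_filter(string $path): string {
    if (strpos($path, '..') !== false || strpos($path, "\0") !== false) {
        throw new InvalidArgumentException('traversal attempt');
    }
    return strip_tags(str_replace("\0", '', trim($path)));   // ".." can reappear here
}

// Hardened order: normalise first, validate last, then confirm the resolved
// file really lives under $base (realpath() collapses any surviving ../).
function safe_path(string $base, string $path): string {
    $clean = strip_tags(str_replace("\0", '', trim($path)));
    if ($clean === '' || strpos($clean, '..') !== false) {
        throw new InvalidArgumentException('traversal attempt');
    }
    $baseReal = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $clean);  // false if the file is missing
    if ($baseReal === false || $target === false
        || strncmp($target, $baseReal . DIRECTORY_SEPARATOR, strlen($baseReal) + 1) !== 0) {
        throw new InvalidArgumentException('path escapes base directory');
    }
    return $target;
}

// Constructed inputs: a benign file name and one where a tag splits the two dots
// (the second points at another customer's directory on a shared host).
$base = sys_get_temp_dir();
file_put_contents("$base/site.conf", "ok\n");
foreach (['site.conf', '.<b>./other-customer/site.conf'] as $input) {
    echo str_pad($input, 32), ' weak -> ', weak_filter($input), PHP_EOL;
    try {
        echo str_pad($input, 32), ' safe -> ', safe_path($base, $input), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo str_pad($input, 32), ' safe -> rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The weak filter lets the tag-split input through as a clean ../ sequence, while the hardened one rejects it before any filesystem access; the realpath containment check is the backstop for anything the string checks miss.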
We searched for existing functions that could be used to run OS commands, and in doing so found a command injection vulnerability that we chained with the filter bypass to gain code execution.
PoC scripts can be found on the Immersive Labs GitHub.
CVE-2022-25047: Account hijack via the password reset token
When reviewing the authentication flows used by CWP, we noticed that the password reset token generation didn't include any element that was secret or random. In fact, every component of the password reset token could be calculated if you had the email address and username of any given user, which is just as unfortunate as it sounds.
To exploit this vulnerability, all an attacker needs to do is trigger a valid password reset for a known account and intercept the response. The server response contains the date and time at which the password reset was requested, and that value matches, to within a few milliseconds, the time used to generate the reset token.
The reset token can then be used to set a new password for the account without needing any access to the target's email account.
Check out our PoC script here.
It's worth noting that this attack won't work against the root account; instead, it generates and sends a password reset email to that account's address. Although, as with most password resets, the email does say you can ignore it if you didn't initiate the reset.
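As an added example, not CWP's code, here is what the token design described above looks like beside a sound one. The weak_reset_token() scheme is a hypothetical model of "every element is computable from username, email and request time" and is not CWP's actual algorithm; the store array, user name and TTL are constructed.

```php
<?php
// Added example, not CWP's code. Models the flaw described above: a reset token
// derived only from values an attacker can know or observe (username, e-mail,
// request time) versus one derived from a secret random value.

// Hypothetical weak scheme: deterministic given public inputs, so anyone who
// learns the request time (the server even echoes it back) can recompute it.
function weak_reset_token(string $user, string $email, int $requestTime): string {
    return md5($user . $email . $requestTime);
}

// Hardened scheme: 256 bits from the CSPRNG. Only a hash of the token is kept
// server-side (so a database leak does not expose live tokens), and it expires.
function issue_reset_token(array &$store, string $user, int $ttl = 900): string {
    $token = bin2hex(random_bytes(32));
    $store[$user] = ['hash' => hash('sha256', $token), 'expires' => time() + $ttl];
    return $token;                 // goes only to the account's e-mail address
}

function verify_reset_token(array &$store, string $user, string $token): bool {
    if (!isset($store[$user]) || time() > $store[$user]['expires']) {
        return false;
    }
    // hash_equals() keeps the comparison constant-time.
    $ok = hash_equals($store[$user]['hash'], hash('sha256', $token));
    if ($ok) {
        unset($store[$user]);      // single use: a captured token cannot be replayed
    }
    return $ok;
}

// Constructed walk-through.
$t = time();
$recomputed = weak_reset_token('alice', 'alice@example.com', $t);
echo 'weak token reproducible from public data: ',
     $recomputed === weak_reset_token('alice', 'alice@example.com', $t) ? 'yes' : 'no', PHP_EOL;

$store = [];
$real  = issue_reset_token($store, 'alice');
echo 'guessed token accepted:  ', verify_reset_token($store, 'alice', bin2hex(random_bytes(32))) ? 'yes' : 'no', PHP_EOL;
echo 'genuine token accepted:  ', verify_reset_token($store, 'alice', $real) ? 'yes' : 'no', PHP_EOL;
echo 'replayed token accepted: ', verify_reset_token($store, 'alice', $real) ? 'yes' : 'no', PHP_EOL;
```

The essential properties are that the token contains entropy the server never discloses, that only its hash is persisted, and that it is short-lived and single-use; echoing the request timestamp back to the client is harmless once the token no longer depends on it.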
CVE-2022-25048: As a standard user, execute commands in the context of root
Because CWP is a shared hosting platform, many site administrators are given access to manage their own part of the server. They should only be able to interact with the files and configuration of their own domains, and not anyone else's.
During our research, we identified several command injection vulnerabilities that would allow any standard user account to run commands as root and therefore gain access to the full system.
In every case the cause is the same: input data from the user is used to build a shell command that is then executed in the context of the root account.
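The root-cause pattern just described, as an added example that is not CWP's code: a hypothetical helper that lists a customer's log directory, shown in the vulnerable form (user input concatenated into a shell string) next to an escaped form and a form that avoids the shell entirely. The function names, the /var/log/<domain> layout and the sample inputs are constructed.

```php
<?php
// Added example, not CWP's code. Shows the pattern behind the root command
// injection described above and two safer alternatives. $domain is assumed to
// arrive straight from a request parameter submitted by a hosting customer.

// Vulnerable pattern: untrusted input concatenated into a shell string that a
// root-privileged process then runs. Shell metacharacters in $domain become
// additional commands.
function list_domain_logs_vulnerable(string $domain): string {
    return (string) shell_exec("ls -l /var/log/" . $domain);
}

// Better: escapeshellarg() quotes the value so it is always a single argument.
// It does not stop path tricks such as a leading ../, so validation is still needed.
function list_domain_logs_escaped(string $domain): string {
    return (string) shell_exec("ls -l /var/log/" . escapeshellarg($domain));
}

// Best: allow-list the input and do the work without a shell at all.
function list_domain_logs_safe(string $domain): array {
    if (!preg_match('/^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9-]+)+$/i', $domain)) {
        throw new InvalidArgumentException('not a valid domain name');
    }
    $dir = "/var/log/" . $domain;
    return is_dir($dir) ? scandir($dir) : [];   // no shell involved
}

// Constructed inputs: an ordinary value and one carrying a shell metacharacter.
foreach (['example.com', 'example.com; id', '../example.com'] as $d) {
    try {
        list_domain_logs_safe($d);
        echo "accepted: $d", PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "rejected: $d (", $e->getMessage(), ")", PHP_EOL;
    }
}
```

When a privileged helper must run a command, the allow-list plus escapeshellarg() pair is the minimum; dropping the shell (scandir, proc_open with an argument array, or a dedicated API) removes the injection class outright.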
We reported the vulnerabilities to the CWP team as soon as we confirmed our findings were valid. The developers were quick to respond and worked with us to patch and test all of the fixes that were released.
CWP has an aggressive automatic update process that includes forced expiry of instances that aren't kept up to date. The forced expiry date for all vulnerable versions has now passed, which is why we chose to publish these details in full now, and not sooner.
CWP offered us a bounty for disclosing the vulnerabilities responsibly. Instead, we asked it to make a donation to Save the Children in support of Ukraine – and it did.