PoC details: 01b8978d7077c58278f4894d4145e5708d86d0c7

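Source
Related vulnerability
Title: CyberPanel security vulnerability (CVE-2024-53376)
Description: CyberPanel is a web hosting control panel with built-in DNS and email servers, developed by the individual developer Usman Nasir. CyberPanel versions before 2.3.8 contain a security vulnerability. An attacker can exploit it to execute arbitrary commands against the website/submitWebsiteCreation URI via shell metacharacters in the phpSelection field.
Description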
CyberPanel authenticated RCE < 2.3.8
Introduction
# CVE-2024-53376
CyberPanel Authenticated OS Command Injection

### Affected Devices
CyberPanel versions < 2.3.8 are vulnerable to an OS command injection. To exploit the vulnerability, the attacker must first log in to the web panel.

### Tested With
CyberPanel 2.3.7

### Technical details

An attacker can use an HTTP OPTIONS request to instruct the webserver running the CyberPanel application to execute arbitrary commands. The vulnerability lies in the /websites/submitWebsiteCreation endpoint.

This endpoint calls the submitWebsiteCreation function in the /websiteFunctions/views.py file.

<p align="center"> <img src="https://github.com/ThottySploity/CVE-2024-53376/blob/main/images/submitWebsiteCreation_views.png" alt="Toplevel function" /> </p>

This function further calls the `wm.submitWebsiteCreation` function found in the /websiteFunctions/website.py file. This function extracts five parameters which are used within the function:

- domain
- adminEmail
- phpSelection
- packageName
- websiteOwner

<p align="center"> <img src="https://github.com/ThottySploity/CVE-2024-53376/blob/main/images/submitWebsiteCreation_part1.png" alt="Toplevel function" /> </p>

These parameters are later passed directly to a function that executes them:

<p align="center"> <img src="https://github.com/ThottySploity/CVE-2024-53376/blob/main/images/submitWebsiteCreation_part2.png" alt="Toplevel function" /> </p>
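
A defensive pattern for the parameter flow described above, as an added example that is not code from CyberPanel or from this repository: each of the five fields is checked against an allowlist pattern before any command is built, and the command is assembled as an argument vector rather than a shell string. The field patterns, the helper script path and the sample requests are assumptions made for illustration.

```python
import re
import shlex

# Assumed value shapes for the five fields named in the README; these patterns
# are illustrative and are not taken from the CyberPanel source.
FIELD_PATTERNS = {
    "domain": re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", re.I),
    "adminEmail": re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}"),
    "phpSelection": re.compile(r"PHP \d{1,2}\.\d{1,2}"),
    "packageName": re.compile(r"[A-Za-z0-9_-]{1,64}"),
    "websiteOwner": re.compile(r"[A-Za-z0-9_-]{1,64}"),
}

def validate_site_request(data):
    """Return the five fields if each fully matches its pattern, else raise ValueError."""
    clean = {}
    for name, pattern in FIELD_PATTERNS.items():
        value = data.get(name)
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise ValueError(f"rejected field: {name}")
        clean[name] = value
    return clean

def build_argv(clean, helper="/opt/example/create_site.py"):  # hypothetical helper path
    """Build an argument vector for subprocess.run(argv) with the default shell=False."""
    argv = ["/usr/bin/python3", helper]
    for name in FIELD_PATTERNS:
        argv += [f"--{name}", clean[name]]
    return argv

def shell_operators(command_string):
    """List the control operators a shell-style tokenizer finds in a command string."""
    lexer = shlex.shlex(command_string, posix=True, punctuation_chars=True)
    return [tok for tok in lexer if tok and set(tok) <= set("();<>|&")]

# Constructed sample requests (not captured traffic).
GOOD = {"domain": "example.com", "adminEmail": "admin@example.com",
        "phpSelection": "PHP 8.1", "packageName": "Default", "websiteOwner": "admin"}
BAD = dict(GOOD, phpSelection="PHP 8.1; echo constructed")

if __name__ == "__main__":
    print(build_argv(validate_site_request(GOOD)))
    # String-built command: the tokenizer reports ';' as a command separator.
    print(shell_operators("create_site --php " + BAD["phpSelection"]))
    try:
        validate_site_request(BAD)
    except ValueError as exc:
        print(exc)
```

`shell_operators` only illustrates why a string-built command is risky; it is not a complete shell parser and should not be used as a filter in place of the allowlist.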

The Proof-of-Concept (PoC) code can be found in the cyberpanel.py file that is linked in this repo.

### PoC

This Proof-of-Concept can be used to write files with root level permissions, anywhere on the system:

<p align="center"> <img src="https://github.com/ThottySploity/CVE-2024-53376/blob/main/images/writing_into_root.png" alt="Toplevel function" /> </p>

This could result in a complete device compromise. If the device's CyberPanel installation folder is accessible, data can be more easily extracted through the web panel.

### Writeup 

The writeup which outlines the discovery process of the exploit will become available at: https://thottysploity.github.io/posts/cve-2024-53376

### Timeline

30.10.2024 - Identified vulnerability  
31.10.2024 - Contacted Usman Nasir, owner of CyberPanel  
02.11.2024 - Usman fixed the issue and published a fix  
03.11.2024 - Requested CVE-ID from MITRE  
23.11.2024 - MITRE reserved CVE-ID 2024-53376  
File snapshot

    [4.0K] /data/pocs/01b8978d7077c58278f4894d4145e5708d86d0c7
    ├── [2.8K] cyberpanel.py
    ├── [4.0K] images
    │   ├── [ 23K] submitWebsiteCreation_part1.png
    │   ├── [ 54K] submitWebsiteCreation_part2.png
    │   ├── [ 37K] submitWebsiteCreation_views.png
    │   └── [ 42K] writing_into_root.png
    └── [2.4K] README.md

    1 directory, 6 files