Critical bugs in Control Web Panel expose Linux servers to RCE attacks


Researchers have disclosed details of two critical security vulnerabilities in Control Web Panel that could be chained to achieve pre-authenticated remote code execution on affected servers.

Tracked as CVE-2021-45467, the issue concerns a file inclusion vulnerability, a class of bug in which a web application is tricked into exposing or executing arbitrary files on the web server.

Control Web Panel, formerly CentOS Web Panel, is an open source Linux control panel software used to deploy web hosting environments.


Specifically, the issue arises because two of the unauthenticated PHP pages used in the application – “/user/login.php” and “/user/index.php” – fail to correctly validate the path to a script file, according to Octagon Security's Paulos Yibelo, who discovered and reported the flaws.

This means that to exploit the vulnerability, all an attacker needs to do is modify the include statement, which is used to embed the contents of one PHP file into another, so that it pulls malicious code from a remote resource and achieves code execution.

Interestingly, although the app had protections in place to flag attempts to move to a parent directory (denoted by “..”) as a “hack attempt”, it did nothing to stop the PHP interpreter from accepting a specially crafted string like “.$00.”, which effectively achieves a complete bypass of that check.
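The defensive lesson from the bypass above is that a denylist check for “..” is not a path validator. The following is an added example, not code from Control Web Panel or from the researchers, of an allowlist-based validator for the script name an include statement will use; the function name safeIncludePath() and the ALLOWED_SCRIPTS list are assumptions for illustration.

```php
<?php
// Added example (not CWP's code): allowlist-based include path validation.
declare(strict_types=1);

// Constructed allowlist: the only script names a page may include.
const ALLOWED_SCRIPTS = ['login', 'index', 'reset_password'];

/**
 * Return the absolute path of the script to include, or null if the request
 * is rejected. Callers must treat null as a hard failure and never fall
 * back to the raw user-supplied value.
 */
function safeIncludePath(string $userValue, string $baseDir): ?string
{
    // 1. Reject any control character, including the NUL byte ("\0").
    //    A substring check for ".." alone does not catch these, which is
    //    the gap a NUL-bearing string slips through.
    if (preg_match('/[\x00-\x1f\x7f]/', $userValue)) {
        return null;
    }
    // 2. Only a bare name is acceptable: no separators, no dots, no traversal.
    if (!preg_match('/^[A-Za-z0-9_]{1,64}\z/', $userValue)) {
        return null;
    }
    // 3. Allowlist rather than denylist: the name must be one we ship.
    if (!in_array($userValue, ALLOWED_SCRIPTS, true)) {
        return null;
    }
    // 4. Resolve on disk and confirm the result is still inside $baseDir,
    //    so a symlink or a mis-set base directory cannot widen the scope.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $userValue . '.php');
    if ($base === false || $full === false
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Constructed checks against a throwaway directory holding one stub script.
$dir = sys_get_temp_dir() . '/include_example_' . getmypid();
mkdir($dir);
file_put_contents("$dir/login.php", "<?php // stub\n");
var_dump(safeIncludePath('login', $dir));      // shipped name, present on disk
var_dump(safeIncludePath("login\0", $dir));    // NUL byte embedded in the name
var_dump(safeIncludePath('../index', $dir));   // parent-directory traversal
var_dump(safeIncludePath('index', $dir));      // allowlisted but not on disk
```

Only the first call yields a path; every other input is rejected before any include is attempted, so the "hack attempt" detection never has to reason about what the interpreter will do with an odd byte.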


This not only allows a malicious actor to access restricted API endpoints, but can also be used in conjunction with an arbitrary file write vulnerability (CVE-2021-45466) to get full remote code execution on the server as follows:

  • Send null-powered file include payload to add malicious API key
  • Use API key to write to a file (CVE-2021-45466)
  • Use step 1 to include the file we just wrote to (CVE-2021-45467)

Following responsible disclosure, the flaws have since been patched by the CWP maintainers in updates shipped earlier this month.
