Researchers have disclosed details of two critical security vulnerabilities in Control Web Panel (CWP) that can be chained to achieve pre-authentication remote code execution on affected servers.
Tracked as CVE-2021-45467, the issue is a file inclusion vulnerability, a class of flaw in which a web application is tricked into disclosing or executing arbitrary files on the web server.
Control Web Panel, formerly CentOS Web Panel, is free Linux control panel software used to deploy web hosting environments.
Specifically, the problem arises because two of the application's unauthenticated PHP pages, "/user/login.php" and "/user/index.php", do not fully validate the path of the script file they include, according to Octagon Networks' Paulos Yibelo, who discovered and reported the flaws.
This means that to exploit the vulnerability, all an attacker has to do is alter the argument to the include statement, which is used to pull the contents of one PHP file into another, so that it points at a file the attacker controls, and thereby gain code execution.
Interestingly, while the application flags attempts to traverse to the parent directory (denoted by "..") as an "attack attempt", it does nothing to stop processing: the PHP interpreter accepts a specially crafted string such as ".$00." and the check is bypassed altogether.
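The failure mode described above, a traversal check that logs but does not enforce, is easy to reproduce in miniature. The PHP sketch below is an added illustration and is not CWP's code or the researcher's proof of concept; MODULE_DIR, the helper names, the allowlist and the sample inputs are assumptions made for this example, and the ".$00." string is included only to show that a substring check for ".." never fires on it, not to reproduce how CWP's interpreter handled it.

```php
<?php
// Added illustration, not CWP's code. MODULE_DIR, the helper names and the
// sample inputs below are assumptions made for this example.
declare(strict_types=1);

const MODULE_DIR = '/var/www/app/modules';

// Pattern the article describes: the traversal check only logs and falls
// through, so the attacker-supplied value still reaches include().
function module_path_flag_only(string $scripts): string
{
    if (strpos($scripts, '..') !== false) {
        error_log('attack attempt: ' . bin2hex($scripts));
        // No return/exit here: detection without enforcement.
    }
    return MODULE_DIR . '/' . $scripts . '.php';
}

// Hardened version: fail closed on anything but an allowlisted module name,
// then confirm the resolved file really lives under MODULE_DIR.
function module_path_checked(string $scripts, array $allowed): ?string
{
    // Comparing against bare names rejects '/', '.', NUL and any other
    // separator before a path is even built, so traversal tricks never
    // reach the filesystem layer.
    if (!in_array($scripts, $allowed, true)) {
        error_log('rejected module name: ' . bin2hex($scripts));
        return null;
    }
    $resolved = realpath(MODULE_DIR . '/' . $scripts . '.php');
    // realpath() canonicalises symlinks and '..'; require the result to stay
    // inside MODULE_DIR (trailing slash, so "/var/www/app/modules2" fails).
    if ($resolved === false || strpos($resolved, MODULE_DIR . '/') !== 0) {
        return null;
    }
    return $resolved;
}

// Constructed sample inputs: a legitimate module, a plain traversal (the only
// one the substring check notices), and the article's ".$00." string, which
// contains no literal ".." and so passes the flag-only check silently.
$inputs  = ['list_users', '../../../../etc/passwd', '.$00./etc/passwd'];
$allowed = ['list_users', 'edit_user'];

foreach ($inputs as $in) {
    printf("flag-only : %s\n", module_path_flag_only($in));
    printf("checked   : %s\n", var_export(module_path_checked($in, $allowed), true));
}
```

Run stand-alone, the hardened function returns null for every input because MODULE_DIR does not exist on the test machine; point it at a real module directory to see only the allowlisted name resolve. The flag-only function, by contrast, happily builds a path for all three inputs and logs only the second one.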
Not only does this allow bad actors to reach restricted API endpoints, it can be combined with an arbitrary file write vulnerability (CVE-2021-45466) to achieve full remote code execution on the server, as follows:
1. Send a payload that includes a file, using null bytes, to add a malicious API key.
2. Use that API key to write to a file (CVE-2021-45466).
3. Use step #1 again to include the file just written (CVE-2021-45467).
Following responsible disclosure, the flaws were resolved by the CWP maintainers in updates shipped earlier this month.