CyberPanel Authenticated OS Command Injection
CyberPanel versions before 2.3.8 are vulnerable to an authenticated OS command injection. To exploit it, the attacker must first log in to the web panel.
CyberPanel 2.3.7
An authenticated attacker can use an HTTP OPTIONS request to make the web server running the CyberPanel application execute arbitrary commands. The vulnerability lies in the /websites/submitWebsiteCreation endpoint.
This endpoint is handled by the submitWebsiteCreation function in /websiteFunctions/views.py, which in turn calls wm.submitWebsiteCreation in /websiteFunctions/website.py. That function reads five parameters from the request:
- domain;
- adminEmail;
- phpSelection;
- packageName;
- websiteOwner;
These parameters are then passed directly to a function that executes them as part of an OS command, with no validation or escaping in between.
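As an added illustration of the injection pattern described above (this is not CyberPanel's code and not the PoC from cyberpanel.py), the following Python builds the command the way the vulnerable path does, as one shell string spliced together from the five request parameters, shows where a POSIX shell would split that string into a second command, and contrasts it with a hardened builder that allowlists each value and passes it as its own argv element. The helper script path, the flag names, the PHP version allowlist and the sample payload are assumptions made for the example.

```python
import re
import shlex
from typing import Dict, List

# Constructed sample values for the five parameters named in the advisory.
# The "domain" payload in MALICIOUS_PARAMS illustrates the technique; it is
# not the payload used by the real PoC.
BENIGN_PARAMS: Dict[str, str] = {
    "domain": "example.com",
    "adminEmail": "admin@example.com",
    "phpSelection": "PHP 8.1",
    "packageName": "Default",
    "websiteOwner": "admin",
}
MALICIOUS_PARAMS: Dict[str, str] = dict(
    BENIGN_PARAMS, domain="example.com; touch /tmp/pwned"
)

# Hypothetical helper invoked by the panel; the flag names below are assumed.
HELPER = "/opt/panel/create_vhost.py"


def build_command_vulnerable(p: Dict[str, str]) -> str:
    """Vulnerable pattern: request values spliced into one shell string.

    When this string is run through a shell (os.system, subprocess with
    shell=True), every metacharacter inside a parameter (; | & $( ) `) is
    read as shell syntax, so the request author decides what else runs,
    as whichever user the web process runs as.
    """
    return (
        f"python3 {HELPER} createVirtualHost"
        f" --virtualHostName {p['domain']}"
        f" --administratorEmail {p['adminEmail']}"
        f" --phpVersion {p['phpSelection']}"
        f" --package {p['packageName']}"
        f" --owner {p['websiteOwner']}"
    )


SEPARATORS = {";", "&&", "||", "|", "&"}


def shell_commands(cmd: str) -> List[List[str]]:
    """Tokenise cmd like a POSIX shell and split it at command separators,
    returning one argv per command the shell would actually run."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands: List[List[str]] = [[]]
    for tok in lexer:
        if tok in SEPARATORS:
            commands.append([])
        else:
            commands[-1].append(tok)
    return [c for c in commands if c]


# Hardened form: allowlist every parameter, then hand the values to the
# helper as separate argv elements so that no shell ever parses them.
_DOMAIN_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$",
    re.IGNORECASE,
)
_EMAIL_RE = re.compile(
    r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$"
)
# Names must start alphanumeric so a value can never be parsed as an option.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")
# Assumed allowlist of PHP versions the panel offers.
PHP_VERSIONS = {"PHP 7.4", "PHP 8.0", "PHP 8.1", "PHP 8.2"}


def validate(p: Dict[str, str]) -> Dict[str, str]:
    """Reject any parameter that is not a plain value of the expected shape."""
    checks = {
        "domain": _DOMAIN_RE.match,
        "adminEmail": _EMAIL_RE.match,
        "packageName": _NAME_RE.match,
        "websiteOwner": _NAME_RE.match,
        "phpSelection": PHP_VERSIONS.__contains__,
    }
    for name, ok in checks.items():
        value = p.get(name, "")
        if not isinstance(value, str) or not ok(value):
            raise ValueError(f"rejected parameter {name!r}: {value!r}")
    return p


def build_command_safe(p: Dict[str, str]) -> List[str]:
    """Return an argv list for subprocess.run(argv); never use shell=True."""
    p = validate(p)
    return [
        "python3", HELPER, "createVirtualHost",
        "--virtualHostName", p["domain"],
        "--administratorEmail", p["adminEmail"],
        "--phpVersion", p["phpSelection"],
        "--package", p["packageName"],
        "--owner", p["websiteOwner"],
    ]


def is_rejected(p: Dict[str, str]) -> bool:
    """True if the hardened builder refuses this request."""
    try:
        build_command_safe(p)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for label, params in (("benign", BENIGN_PARAMS), ("malicious", MALICIOUS_PARAMS)):
        cmds = shell_commands(build_command_vulnerable(params))
        print(f"{label}: shell would run {len(cmds)} command(s): {cmds}")
        print(f"{label}: hardened builder rejects it: {is_rejected(params)}")
```

The argv list on its own already stops the shell from ever seeing the values, but validation is still needed: without it a value such as `-rf` could be interpreted as an option by the helper script, which is why the name and domain patterns require a leading alphanumeric character.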
The Proof-of-Concept (PoC) code is in the cyberpanel.py file in this repository.
The PoC can write files with root-level permissions to any path on the system.
This can lead to a complete compromise of the host. If the CyberPanel installation folder is accessible, the written data can also be retrieved through the web panel, which makes extraction easier.
A writeup of the discovery process for this exploit will be published at: https://thottysploity.github.io/posts/cve-2024-53376
30.10.2024 - Identified vulnerability
31.10.2024 - Contacted Usman Nasir, owner of CyberPanel
02.11.2024 - Usman Nasir published a fix
03.11.2024 - Requested CVE-ID from MITRE
23.11.2024 - MITRE reserved CVE-2024-53376