Researchers at Octagon Networks announced that they have found two critical vulnerabilities, CVE-2021-45467 and CVE-2021-45466, in Control Web Panel (also known as CentOS Web Panel), which is installed on more than 200,000 unique servers. The vulnerability chain allows an unauthenticated attacker to achieve full remote command execution as root by combining a file inclusion vulnerability with a file write vulnerability.
The attack surface
The researchers hosted CWP in a local environment and focused on vulnerabilities that can be exploited without user authentication or interaction. Both /user/loader.php and /user/index.php can be accessed without authentication, and each performs a file inclusion guarded by a protection routine. The relevant part of /user/loader.php:
<?php
if(!empty($_GET["api"])) {
    …
    if (!empty($_GET["scripts"])) {
        $_GET["scripts"] = GETSecurity($_GET["scripts"]);
        include "../../resources/admin/scripts/" . $_GET["scripts"] . ".php";
    }
    …
} // closes the outer if; the rest of the file is elided in the excerpt
And GETSecurity() is defined as:
function GETSecurity($variable)
{
    // Denylist check: abort if the value contains ".." anywhere (case-insensitive)
    if (stristr($variable, "..")) {
        exit("hacking attempt");
    }
    // Otherwise the value is handed back unchanged to the caller
    return $variable;
}
If “scripts” contains “..”, the application does not process the input and instead exits with the message “hacking attempt”. stristr() is essentially the same function as strstr() in PHP, except that it is case-insensitive. Potential methods of bypassing stristr() are:
1. Trick PHP into treating other characters as a dot (.)
2. Find unique characters that the C language processes as a dot (.) when lower-cased.
3. Trick PHP into thinking there are no consecutive dots (..)
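All three routes target the same weakness: a denylist on "..". As an added example (not CWP's code and not from the Octagon writeup), the check below replaces the denylist with an allowlist on the script name plus a realpath containment check on the resolved file. The scripts directory and the ok.php file are constructed for the demo; the function and variable names are the example's own.

```php
<?php
// Strict replacement for GETSecurity(): returns the resolved path of an
// allowed script, or null if the name must be rejected.
function safeScriptPath(string $baseDir, string $name): ?string
{
    // 1. Allowlist: only letters, digits, underscore and hyphen, bounded length.
    //    Dots, slashes, NUL bytes and anything exotic never reach the filesystem.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    // 2. Resolve both the base directory and the candidate file, then verify
    //    the candidate really lives inside the base (catches symlink escapes).
    $base = realpath($baseDir);
    $candidate = realpath($baseDir . "/" . $name . ".php");
    if ($base === false || $candidate === false) {
        return null; // base missing or target script does not exist
    }
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the scripts directory
    }
    return $candidate;
}

// Constructed demo environment: a temporary scripts directory with one script.
$scripts = sys_get_temp_dir() . "/cwp_demo_scripts_" . getmypid();
mkdir($scripts, 0700);
file_put_contents($scripts . "/ok.php", "<?php echo \"ok\\n\";");

// Constructed inputs: one legitimate name, one classic traversal, one with an
// embedded NUL, one with a dot, and one that simply does not exist.
$cases = ["ok", "../../etc/passwd", "ok\0", "OK.", "missing"];
foreach ($cases as $c) {
    $r = safeScriptPath($scripts, $c);
    printf("%-20s => %s\n", addcslashes($c, "\0"), $r === null ? "rejected" : "allowed");
}

// In loader.php the include would then become:
//   $path = safeScriptPath(__DIR__ . "/../../resources/admin/scripts", $_GET["scripts"] ?? "");
//   if ($path === null) { http_response_code(400); exit("invalid script name"); }
//   include $path;

unlink($scripts . "/ok.php");
rmdir($scripts);
```

Only "ok" is allowed; every other constructed input is rejected before any path is built, so the filter no longer depends on spotting ".." in the raw string.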