We discovered major vulnerabilities in Control Web Panel. Here’s how we found them.


Earlier this year, Immersive Labs researchers responsibly disclosed several vulnerabilities in CentOS Web Panel, which was recently renamed Control Web Panel (CWP).

The vulnerabilities we found allowed malicious actors to take control of accounts and execute commands as root on vulnerable servers. There were hundreds of thousands of them online – millions of websites could have been affected.

All of them are now fully patched. MITRE has assigned the following CVEs to the vulnerabilities we reported:

  • CVE-2022-25046: Remote Code Execution (RCE) Path Traversal Vulnerability
  • CVE-2022-25047: account takeover via password reset token
  • CVE-2022-25048: As a standard user, run commands in the context of root

What is CWP?

CWP is a shared hosting platform designed to run on CentOS servers. Its shared hosting services mean that even a single web server running CWP can host many websites.

The server operator creates standard user accounts for each new client, giving them their own share of resources on the shared server.

As with most things, there are pros and cons to this type of setup. The positive aspect is the financial benefit; monthly operating costs for the operator and the client are low because a single server is able to manage thousands of websites.

The downside is that if the single host goes down, so do all the websites it hosts. Even more concerning, if the main host is compromised, so are all the accounts provisioned on that server.

Impact

Shodan shows that there are around 185,000 active CWP servers on the internet. Each probably runs between 10 and 100 websites, meaning any vulnerability in the underlying server software could impact millions of individual websites.

CWP is aimed at individuals and small businesses rather than large corporations. But a wide “watering hole” attack would still have a fairly large potential threat surface.

Attackers exploiting these large-scale vulnerabilities could infect millions of websites with credential-harvesting malware or target payment portals to intercept or modify banking information.

Mitigation

At the time of writing, all reported vulnerabilities have been patched by the CWP team.

In its default configuration, CWP automatically applies updates at regular intervals, which means that all CWP instances should be fully patched unless updates have been forcibly disabled.

To check your installed version, SSH into the server and run the following command:
cat /path/to/version.php

How we found them

The next few paragraphs will go into a bit more technical detail about how we found the vulnerabilities, as well as how they work.

CVE-2022-25046: path traversal vulnerability leading to remote code execution

In January, Octagon published a blog post about a CVE that chained together two old vulnerabilities to achieve pre-authentication RCE. When we took a closer look at how the vulnerabilities worked, we realized that they only affected an older version of the app. In fact, most of the functions mentioned no longer existed.

So we took a deeper look at the mitigations for the issues described in the Octagon post. We noticed that the code in the latest version had been changed again, with the addition of htmlspecialchars and strip_tags. These functions are designed to stop XSS attacks by escaping and stripping commonly used HTML tags from user input.

However, this extra sanitization had an unintended side effect: it gave us a new (and trivial) way to bypass the directory traversal filter.

In this function, the first check is a string comparison that looks for .. and checks whether the null-byte trick is being used, as described in the Octagon post.

From there, the function removes any trailing whitespace, replaces any null bytes, and then filters out any HTML code.

Then comes the problem. If you send a string in which an HTML tag sits between the two dots of each .., the first check passes because the literal .. is not present. But once strip_tags has removed the tags, you’re left with variable=../../.

With a way to bypass the checks, you can now perform a standard directory traversal attack.
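The ordering problem described above, as an added example that is not part of the original post and not CWP’s code: a Python re-implementation of a check-then-sanitize filter (with approximations of PHP’s strip_tags and htmlspecialchars) next to a hardened version that sanitizes first and then enforces containment in a base directory. The base directory, the helper names and the sample input are assumptions constructed for the illustration.

```python
import html
import os
import re

# Python stand-ins for the two PHP functions the post names. They approximate
# the PHP behaviour for this illustration; they are not CWP's code.
_TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(value: str) -> str:
    """Rough equivalent of PHP strip_tags(): drop anything shaped like an HTML tag."""
    return _TAG_RE.sub("", value)


def htmlspecialchars(value: str) -> str:
    """Rough equivalent of PHP htmlspecialchars(): escape &, <, >, and quotes."""
    return html.escape(value, quote=True)


def filter_path_as_described(value: str):
    """Check-then-sanitize ordering as the post describes it: reject '..' and
    null bytes first, then trim, strip tags and escape. Returns the filtered
    string, or None if the traversal check rejected the input."""
    if ".." in value or "\x00" in value:
        return None
    value = value.rstrip()
    value = value.replace("\x00", "")
    value = strip_tags(value)
    return htmlspecialchars(value)


def resolve_under_base(base_dir: str, user_value: str):
    """Hardened version: sanitize first, then resolve the result and confirm it
    still lies inside base_dir. The containment check is the security boundary;
    a '..' substring check is no longer what the code relies on."""
    cleaned = strip_tags(user_value.replace("\x00", "")).strip()
    if not cleaned or os.path.isabs(cleaned):
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, cleaned))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    # Constructed input: an HTML tag sits between the two dots of each "..",
    # so the literal ".." only appears after strip_tags() has run.
    payload = ".<b>./.<b>./secret.txt"
    print(filter_path_as_described(payload))                 # ../../secret.txt
    print(resolve_under_base("/srv/www/user1", payload))     # None
    print(resolve_under_base("/srv/www/user1", "public_html/index.html"))
```

The point the hardened function makes is that the order of sanitization and checking matters less once the final check is performed on the resolved path rather than on the raw string: whatever the tag stripping leaves behind, the result is normalized and compared against the allowed base directory before it is used.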

We searched for existing functions that could be used to execute operating system commands and found a command injection vulnerability, which we chained with the filter bypass to achieve code execution.

PoC scripts can be found on the Immersive Labs GitHub.

CVE-2022-25047: account takeover via password reset token

When examining the authentication flows used by CWP, we noticed that the generation of the password reset token did not include any secret or random elements. In fact, every piece of the password reset token could be calculated if you had a given user’s email address and username, which is just as unfortunate as that sounds.

To exploit this vulnerability, all an attacker needs to do is trigger a valid password reset for a known account and intercept the response. The server response contains the date and time at which the password reset was requested, and that value matches, to within milliseconds, the timestamp used to generate the reset token.

This reset token can now be used to set a new password for the account without needing to access the target’s email account.

Check out our PoC script here.

It should be noted that this attack does not work against the root account; in that case a password reset email is generated and sent to the user account instead. However, as with most password reset emails, it simply tells the recipient to ignore the message if they did not initiate the reset.
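Why a reset token built only from disclosed values fails, and what a sound issuance scheme looks like, as an added Python example that is not part of the original post and not CWP’s code. The derivation in predictable_reset_token is a constructed stand-in for “no secret or random elements” and is not CWP’s actual algorithm; the store class, its TTL and its method names are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
import time


def predictable_reset_token(username: str, email: str, requested_at: int) -> str:
    """Constructed illustration of the flaw class: a token derived only from
    values the server itself discloses (username, email, request timestamp),
    with no secret and no randomness. Anyone holding those three values can
    recompute it. This is NOT CWP's real token construction."""
    material = f"{username}:{email}:{requested_at}".encode()
    return hashlib.sha256(material).hexdigest()


class ResetTokenStore:
    """Hardened issuance: 256 bits from the OS CSPRNG, only a hash kept
    server-side, bound to one account, single use, short lifetime. The token
    is never echoed in an HTTP response; it is delivered to the mailbox only."""

    def __init__(self, ttl_seconds: int = 900, now=time.time):
        self._ttl = ttl_seconds
        self._now = now                 # injectable clock, for testing expiry
        self._pending = {}              # username -> (sha256(token), expiry)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits of CSPRNG output
        self._pending[username] = (self._digest(token), self._now() + self._ttl)
        return token

    def redeem(self, username: str, token: str) -> bool:
        entry = self._pending.get(username)
        if entry is None:
            return False
        stored_digest, expiry = entry
        if self._now() > expiry:
            del self._pending[username]     # expired tokens are discarded
            return False
        # Constant-time comparison: no early exit on the first mismatching byte.
        if not hmac.compare_digest(stored_digest, self._digest(token)):
            return False
        del self._pending[username]         # single use
        return True


if __name__ == "__main__":
    # Constructed values: with a known username, email and request time the
    # weak token is fully reproducible by anyone.
    t = 1700000000
    print(predictable_reset_token("alice", "alice@example.com", t))

    store = ResetTokenStore(ttl_seconds=900)
    token = store.issue("alice")
    print(store.redeem("alice", token))     # True
    print(store.redeem("alice", token))     # False: already used
```

Storing only the digest means a leak of the server-side table does not yield usable tokens, and binding each token to a username prevents a token issued for one account from resetting another.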

CVE-2022-25048: As a standard user, run commands in the context of root

Since CWP is a shared hosting platform, many site administrators have access to manage their portion of the server. They should only be able to interact with their domains’ files and configuration and not someone else’s.

During our research, we were able to identify several instances of command injection vulnerabilities that would allow any standard user account to execute commands as root and thus gain full system access.

In each example, the cause is the same: user input data is used to create a shell command which is then executed in the context of the root account.
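The root cause named above, user input pasted into a shell command, shown beside the defensive pattern, as an added Python example that is not part of the original post and not CWP’s PHP code. The helper script path in build_command_vulnerable is a hypothetical placeholder; the validation regex, the use of echo as a stand-in for a privileged helper, and the function names are assumptions made for the illustration.

```python
import re
import shlex
import subprocess

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens.
# No shell metacharacter (space ; | & $ ` quotes) can pass this allowlist.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$", re.IGNORECASE)


def validate_domain(domain: str) -> bool:
    """Allowlist validation: accept only syntactically valid multi-label hostnames."""
    return len(domain) <= 253 and _HOSTNAME_RE.fullmatch(domain) is not None


def build_command_vulnerable(domain: str) -> str:
    """The pattern behind this bug class: untrusted input concatenated into a
    shell command string that a root-owned service then hands to /bin/sh.
    Returned as a string only for contrast; never executed here."""
    return f"/usr/local/sbin/rebuild-vhost.sh {domain}"   # hypothetical helper path


def safe_argv(domain: str, helper=("echo", "rebuild-vhost")):
    """Validate first, then build an argv list. With a list and shell=False no
    shell ever parses the value, so even a string such as 'a;b' would reach
    the helper as one literal argument rather than two commands. Returns None
    when validation fails."""
    if not validate_domain(domain):
        return None
    return [*helper, domain]


def rebuild_vhost(domain: str) -> str:
    """Run the stand-in helper without a shell and return its stdout. In a real
    panel the helper would run as the account's own user, or via a narrowly
    scoped sudo rule, rather than in the context of root."""
    argv = safe_argv(domain)
    if argv is None:
        raise ValueError(f"rejected domain value: {domain!r}")
    result = subprocess.run(argv, shell=False, capture_output=True, text=True, check=True)
    return result.stdout


def shell_quoted_argument(value: str) -> str:
    """If a shell string is unavoidable, quote every argument; shlex.quote turns
    'example.com; id' into one single-quoted literal. Validation still comes first."""
    return shlex.quote(value)


if __name__ == "__main__":
    # Constructed inputs: a valid hostname and one carrying a shell separator.
    print(rebuild_vhost("example.com").strip())          # rebuild-vhost example.com
    print(safe_argv("example.com; id"))                  # None
    print(build_command_vulnerable("example.com; id"))   # the dangerous string
    print(shell_quoted_argument("example.com; id"))      # 'example.com; id'
```

Two layers are in play: the allowlist rejects anything that is not a hostname, and argv-based execution removes the shell from the path entirely, so a gap in the regex does not automatically become command execution. Dropping root before the helper runs limits what a remaining bug can reach.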

Disclosure

We reported the vulnerabilities to the CWP team as soon as we had confirmed the validity of our findings. The developers responded quickly and worked with us to develop and test the fixes that were released.

CWP has an aggressive auto-update process that includes forced expiration of instances that are not kept up to date. The forced expiration date for all vulnerable versions has now passed, which is why we’ve chosen to publish these details in full now, and not sooner.

CWP offered us a bounty for responsibly disclosing the vulnerabilities. Instead, we asked them to donate to Save the Children to support Ukraine, and they did.
