CentOS Web Panel (CWP) Has Vulnerabilities

  THREAT HUNTER (GUARD YOUR DEVICE)

Vulnerability News #0004

January 25, 2022





Name News : CentOS Web Panel (CWP) Vulnerabilities

Affected System : CentOS Web Panel (CWP)

Vulnerability Involved : CVE-2021-45467 (file inclusion), CVE-2021-45466 (arbitrary file write via API key)

News Detail


A security researcher chained two vulnerabilities in CentOS Web Panel (CWP), a widely used web hosting control panel, to achieve pre-authenticated remote command execution (RCE) as root. CWP is a free Linux control panel in active use on more than 200,000 servers.

The chain works in three steps: a null-byte file inclusion payload is used to register an attacker-chosen API key; that API key is then used to write attacker-controlled content to a file; and the file inclusion bug is used again to include that file, so the server executes the attacker's code.

CWP's file inclusion guard rejected paths containing consecutive dots (..). Fuzzing revealed a bypass, /.%00./, that fools the check into seeing no consecutive dots (CVE-2021-45467). Most of the PHP functions used in CWP, including the require() and include() routines, process /.%00./ as /../, while stristr() ignores the null bytes but still counts their size, so the guard never matches and is bypassed.

The file inclusion bug could be used to force the server to register any API key the researcher wanted, and that key in turn allowed writing to .txt files (CVE-2021-45466).

An initial fix for the file inclusion flaw tried to detect a null byte sandwiched between two dots; the researcher bypassed it simply by inserting more null bytes. According to the researcher, reverse-engineering of this patch appears to have been used to exploit some servers. The CWP maintainers then released a new patch "in their latest version with a better technique to identify and erase null bytes": $text = str_replace(chr(0), '', $text);

Some Reddit users have reported problems replicating the issue. So far, the security problems appear to be CWP-specific.
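The guard, the two bypasses and the two fixes described above, modelled as an added example (this is not code from CWP or from the researcher's write-up). The three check functions are Python re-implementations of the logic the text describes; consumer_view() is an assumption that stands in for the page's claim that CWP's include()/require() side treats /.%00./ as /../; the payload strings and the benign path are constructed for the demonstration.

```python
import re

# Constructed payloads. In a URL the NUL byte is sent as %00; after the web
# server decodes the query string, PHP receives a raw "\x00" character.
PAYLOAD_PLAIN   = "/../../etc/passwd"                     # caught by the original check
PAYLOAD_ONE_NUL = "/.\x00./.\x00./etc/passwd"             # the /.%00./ bypass (CVE-2021-45467)
PAYLOAD_TWO_NUL = "/.\x00\x00./.\x00\x00./etc/passwd"     # bypass of the first patch
PAYLOAD_BENIGN  = "scripts/index.php"                     # constructed legitimate value


def consumer_view(path: str) -> str:
    """ASSUMPTION: models the page's claim that CWP's include()/require()
    side treats /.%00./ as /../, i.e. it effectively ignores NUL bytes."""
    return path.replace("\x00", "")


def check_original(path: str) -> bool:
    """Original guard: reject if '..' occurs in the raw string (stristr-style).
    The search is byte-exact, so a NUL between the dots hides the '..'."""
    return ".." not in path


def check_first_patch(path: str) -> bool:
    """First patch as described: also reject a single NUL sandwiched between
    two dots. Two or more NULs in a row still slip through."""
    if ".." in path:
        return False
    return re.search(r"\.\x00\.", path) is None


def check_final_patch(path: str) -> bool:
    """Final patch as described ($text = str_replace(chr(0), '', $text);):
    erase every NUL first, then look for '..' in what is left."""
    return ".." not in path.replace("\x00", "")


def evaluate(check, path: str) -> tuple:
    """Return (allowed_by_guard, path_the_consumer_would_actually_open)."""
    return check(path), consumer_view(path)


if __name__ == "__main__":
    for name, check in (("original", check_original),
                        ("first patch", check_first_patch),
                        ("final patch", check_final_patch)):
        for payload in (PAYLOAD_PLAIN, PAYLOAD_ONE_NUL, PAYLOAD_TWO_NUL, PAYLOAD_BENIGN):
            allowed, seen = evaluate(check, payload)
            print(f"{name:12} allowed={str(allowed):5} -> {seen!r}")
```

The lesson the table makes visible is the mismatch between what the guard inspects (the raw bytes) and what the consumer acts on (the bytes with NULs dropped). Patching the pattern, as the first fix did, only moves the gap; normalising the input before checking it, as the final fix does, closes it.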

Suggestion

Upgrade CWP to the latest release, which contains the corrected null-byte handling (https://www.youtube.com/watch?v=ibe66aUtThs)

Impact

  • The file inclusion flaw (CVE-2021-45467) lets an unauthenticated attacker reach restricted API endpoints; on its own it is chiefly useful in conjunction with the arbitrary file write flaw (CVE-2021-45466).

  • By controlling what the include statement loads (the statement that pulls the content of one PHP file into another), the attacker can make the server include a file they wrote through the API and execute the PHP code it contains.

  • Chained together, the two flaws give the attacker full, pre-authenticated remote code execution on the server as root.


References:

https://portswigger.net/daily-swig/rce-bug-chain-patched-in-centos-web-panel
https://www.centralmarkets.info/rce-bug-chain-patched-in-centos-net-panel/.html


© SAS Threat Hunter 
