Researchers have disclosed details of two critical security flaws in the open-source Control Web Panel (CWP) for Linux that potentially expose Linux servers to remote code execution attacks.
An attacker could chain the vulnerabilities to achieve pre-authenticated remote code execution on vulnerable Linux servers.
The first issue, tracked as CVE-2021-45467, is a file inclusion vulnerability that occurs when a web application is tricked into exposing or running arbitrary files on the webserver.
The researchers focused their analysis on vulnerabilities that can be exploited by unauthenticated users or through zero-click attacks, so they tested the sections of the panel that are exposed without authentication in the webroot, including /user/loader.php and /user/index.php.
They discovered that several PHP functions appear to process /.%00./ as /../. The protections implemented in the application do not allow switching to a parent directory (using “..”), but the PHP interpreter accepts a specially crafted string such as “.%00.” that bypasses that restriction.
Because stristr() ignores the null bytes when matching while still counting them in the string’s length, the check is bypassed. This means that any file on the server can be included; if an attacker also finds a way to write to a file, the result is pre-authenticated RCE.
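The bypass described above comes down to a validator that inspects the raw request string for “..” while a lower, C-backed layer later drops or stops at the NUL byte. The following Python example is added here to illustrate that pattern and its fix; it is not CWP’s code, and the NUL-stripping in the weak validator is an assumption that stands in for the C-level behaviour the article describes. The document root and sample inputs are constructed.

```python
import os

# Constructed document root for the demonstration; nothing is read from disk.
WEBROOT = "/var/www/html"


def weak_include_path(user_path: str):
    """Validator that only checks the raw string for '..' (the pattern the
    article describes as bypassable).

    The web layer has already decoded '%00' into a NUL byte, so '.%00.' arrives
    as '.\\x00.', which does not contain '..'. The replace() call below stands
    in for a C-backed file API that stops at, or skips, NUL bytes; that mimicry
    is an assumption of this demo, not CWP's actual code. Returns the path that
    would be included, or None when the request is rejected."""
    if ".." in user_path:
        return None
    effective = user_path.replace("\x00", "")
    return os.path.normpath(os.path.join(WEBROOT, effective))


def safe_include_path(user_path: str):
    """Hardened validator: reject NUL bytes outright, resolve the candidate with
    realpath (so '..' segments and symlinks are collapsed), and then require the
    result to sit under the document root. Returns the resolved path or None."""
    if "\x00" in user_path:
        return None
    root = os.path.realpath(WEBROOT)
    candidate = os.path.realpath(os.path.join(WEBROOT, user_path))
    # commonpath() on the two resolved paths must be the root itself;
    # a prefix string comparison would wrongly accept /var/www/html2.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def compare(user_path: str) -> dict:
    """Run both validators on one input and report the outcome side by side."""
    return {
        "input": user_path,
        "weak": weak_include_path(user_path),
        "safe": safe_include_path(user_path),
    }


if __name__ == "__main__":
    # Constructed inputs: a normal request, a plain traversal, an absolute
    # path, and the NUL-byte variant from the article (after URL decoding).
    for sample in (
        "index.php",
        "../../../etc/passwd",
        "/etc/passwd",
        ".\x00./.\x00./.\x00./etc/passwd",
    ):
        print(compare(sample))
```

The weak validator rejects a plain “..” but lets the NUL-byte variant (and an absolute path, since os.path.join discards the root when the second argument is absolute) resolve outside the document root. The hardened version refuses NUL bytes before any path logic runs and compares the resolved candidate against the resolved root, so it also handles absolute paths and symlinked directories; an explicit allow-list of includable files is stricter still and is the better design for a control panel loader.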
Despite the Unix file read/write locking settings in CWP, an attacker can exploit the file inclusion bug to reach the restricted API section, which requires an API key to access and is not exposed in the webroot.
By chaining this flaw with an arbitrary file write vulnerability such as CVE-2021-45466, an attacker can gain full remote code execution on the server.
The CWP maintainers have already addressed the flaws with security updates released this month.