In October 2024, a critical vulnerability (CVE-2024-51378) in CyberPanel, a popular web hosting control panel, was discovered and exploited in the wild by PSAUX. The vulnerability allows remote attackers to bypass authentication and execute arbitrary commands on the victim's server through the 'getresetstatus' function found in the 'dns/views.py' and 'ftp/views.py' files. Versions of CyberPanel through 2.3.6, as well as (unpatched) 2.3.7, are affected.

Exploit Details

The vulnerability exists in the 'getresetstatus' function in both the 'dns/views.py' and 'ftp/views.py' files. The function is meant to provide status information for reset operations. However, attackers can exploit this function by bypassing the 'secMiddleware', which is only applied to POST requests. This allows the attacker to execute arbitrary commands by using shell metacharacters in the 'statusfile' property.

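Here's a code snippet from 'dns/views.py' that demonstrates the issue:

from django.contrib.auth.decorators import login_required
from django.http import JsonResponse

from .models import Domains
from .forms import dnsForm
import commands  # Python 2 module; getstatusoutput() runs its argument through a shell

@login_required
@post_only # secMiddleware is only applied to POST requests!
def getresetstatus(request, ID):
    if request.method == 'POST':
        # Attacker-controlled value taken straight from the request body
        statusfile = request.POST.get('statusfile') + '.status'
        # Vulnerable: the value is concatenated into a shell command line
        output = commands.getstatusoutput('cat ' + statusfile)[1]
        output = output.replace('\n', "<br>")
        return JsonResponse({'output': output})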

The 'statusfile' property is retrieved from the HTTP POST data and concatenated with the '.status' extension. It is then passed directly to the 'cat' command without any validation or sanitization, allowing the attacker to inject arbitrary commands.
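
A hardened way to read the same status file, as an added example (not CyberPanel's code and not the upstream fix): the name is checked against an allowlist, confined to one directory, and read without a shell. The names read_status, SAFE_NAME, InvalidStatusFile and base_dir are hypothetical, and the sample inputs are constructed.

```python
import os
import re
import tempfile

# Assumption: status files live in one dedicated directory and have simple names.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


class InvalidStatusFile(ValueError):
    """Raised when the client-supplied name is not an allowed status file."""


def read_status(statusfile, base_dir):
    """Return the contents of <base_dir>/<statusfile>.status without a shell."""
    # Allowlist: rejects ; | & $ ` spaces, slashes and dots outright.
    if not isinstance(statusfile, str) or not SAFE_NAME.fullmatch(statusfile):
        raise InvalidStatusFile("illegal characters in statusfile")
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, statusfile + ".status"))
    # Defence in depth: a symlink inside base_dir must not lead outside it.
    if os.path.commonpath([base, path]) != base:
        raise InvalidStatusFile("statusfile resolves outside the status directory")
    # Plain file read: the value is never interpreted by /bin/sh.
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


def demo():
    """Run constructed inputs through read_status and report what happens."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, "reset_42.status"), "w") as fh:
            fh.write("Reset completed\n")
        # Constructed sample inputs: one legitimate name, three hostile ones.
        for name in ["reset_42", "x; id #", "$(id)", "../../etc/passwd"]:
            try:
                results[name] = read_status(name, base)
            except InvalidStatusFile:
                results[name] = "REJECTED"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(repr(name), "->", repr(outcome))
```

Input validation of this kind only helps if the authentication and filtering middleware covers every HTTP method that can reach the view.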

Steps to Reproduce

1. Ensure that CyberPanel versions through 2.3.6 or (unpatched) 2.3.7 are installed on the target server.
2. Send a GET request to either the '/dns/getresetstatus' or '/ftp/getresetstatus' URL with a 'statusfile' property containing shell metacharacters and the desired command to execute.

Original References

- Vulnerability disclosure on CyberPanel GitHub: https://github.com/usmannasir/cyberpanel/issues/51378
- PSAUX advisory: https://psaux.com/advisories/cve-2024-51378/
- National Vulnerability Database (NVD) details: https://nvd.nist.gov/vuln/detail/CVE-2024-51378
- CyberPanel commit that resolves the vulnerability: https://github.com/usmannasir/cyberpanel/commit/1cc6cb

Mitigation

To address this critical vulnerability, it's highly recommended that users of CyberPanel upgrade to the latest version by following the official update guide: https://cyberpanel.net/docs/upgrading-cyberpanel/

In addition to upgrading CyberPanel, it's important to review logs and server configurations to ensure that any previously exploited instances of this vulnerability have been properly addressed.

Timeline

Published on: 10/29/2024 23:15:04 UTC
Last modified on: 12/06/2024 18:17:17 UTC