Web versions

Fixed RCE bug chain in Control Web Panel

Adam Bannister January 24, 2022 at 15:30 UTC

Updated: Feb 14, 2022 5:09 PM UTC

Shell injected into servers via bypassing local file inclusion defenses

UPDATE A security researcher has chained together a pair of vulnerabilities in popular web hosting platform Control Web Panel (CWP) to achieve pre-authenticated remote command execution (RCE) as root.

Paulos Yibelo achieved RCE by using a null-byte powered file include payload to add a malicious API key, exploiting that API key to write to a file, then including that file by abusing the include bug of file.

CWP, a free Linux control panel formerly known as CentOS Web Panel, is actively used by more than 200,000 servers, according to Yibelo.

Bypassing stristr()

The researcher’s first key discovery was how two unauthenticated PHP pages, /user/loader.php and /user/index.php, deployed local file inclusion (LFI) protection which, when the ‘ scripts’ contained ‘..’, blocked processing. of the input and instead displayed “hacking attempt” to the user.

This output, from the function, contained . Yibelo solved a workaround, which searches for the first occurrence of a string inside another string.

He first sought to trick PHP into treating non-dot characters as ‘.’, but this failed on the fact that PHP didn’t normalize any of its characters to dots.

Then the researcher came up with the idea of ​​circumventing , a case-insensitive alternative to , by finding single characters that the C language, in which PHP is written, treats as a period when lowercased.

Learn about the latest security research news

This route “did not yield any useful results, but we found some weird and bizarre behavior worthy of future posts,” reads one. blog post published by Yibelo for Octagon Networks, a team of researchers he recently co-founded.

Join the dots

Making PHP believe that no consecutive dot (..) was present proved successful, however, with fuzzing causing a workaround – /.%00./ – to appear for the LFI check (CVE-2021-45467 ).

“More [of] PHP’s functions in CWP (including the and functions) seem to treat /.%00./ like /../ – the same way, while ignoring null bytes, it still counts its size in order to bypass the check” , he explained.

The file include bug meant he could send a request that forced the server to register any API key he wanted, allowing him to write to .txt files. (CVE-2021-45466).

The resulting RCE chain is visualized in this youtube video.


Yibelo worked around an initial fix for the file include bug, which attempted to detect if a null byte was sandwiched between dots, by simply adding more null bytes.

The researcher said some servers appear to have been exploited through reversals of this patch.

Yibelo said The daily sip that the maintainers of the CWP deployed another patch “in their latest version with a better way to find and remove null bytes: .”

CWP officials said The daily sip: “This was fixed in some older versions a few months ago, but we recently enhanced it in version to remove these files as they are old and haven’t been used for over two years.

“As always, automatic updates resolve all issues, so updating the server will be fully resolved.”

They added that “CWP only works for six months without an update, and this allows us to disable CWP on non-updated servers for six months so they are not compromised”.

Replication issues were reported on Reddit. Yibelo said that, so far, the security issues appear to be CWP-specific.

The researcher said he would release a full proof of concept “once enough servers have migrated to the latest version.”

This article was updated on January 31 with feedback from CWP maintainers, and then February 14 to reflect that the product in question is now called Control Web Panel and no longer, as previously reported, CentOS Web Panel

RELATED Chain of vulnerabilities leads to RCE on Cisco Prime servers