FallingSkies Exploit enables CloudPanel v2.0.0 – v2.3.0 threat vectors to gain access into file-manager by sending encrypted clp-fm cookie which use default secret key.
Affected Component Full Path : file-manager
Author / Security Researcher: Muhammad Aizat (@Etharus) Co-Author: Mohamad Zulfahmy (@mzulfahmy) Co-Author: Farhan Phakhruddin (@farpha) Company: Datack Sdn Bhd CVE ID: CVE-2023-35885 CVE Severity: 9.8 [CRITICAL] Tested Version: v2.0.0 - v2.3.0 Patched Version: v2.3.1 Vendor homepage: https://www.cloudpanel.io/ Product: CloudPanel Github: https://github.com/datackmy/FallingSkies-CVE-2023-35885
What is CloudPanel?
Speaking Overalls Here – Overview
In this vulnerability we have here, the Root-Cause-Analysis(RCA) have confirmed that it originated from the usage of default secret keys and default user as “clp“. It begins in the file manager in CloudPanel that have no session authentication resulted in a broken access control when the cookie clp-fm encrypted value is inserted with the default secret key. The decrypted cookie value is in a form of a serialize string which attacker could change the user value into default clp user. With the added PHP Object Injection this becomes a heavier matter in terms of impact.
The successful bypass into file-manager leads to a higher degree of impact whereby attacker can insert and upload a malicious file into CloudPanel main directory. By default, user “clp” have sudo nopasswd to all, so the privilege escalation involve in this vulnerability.
Ride The Waves With Me – Technical Flow
Note : This is section shows some snippets from component named /home/clp/htdocs/app/files/public/file-manager/backend.php
As the picture above, it shows the flow of how the component receives the encrypted clp-fm cookie value.
Then, we see the value are then will be deserialize. *Note* here, the successfully decrypted cookie also leads to another vulnerability which attacker could abuse the serialization string in order to gain further post-exploitation opportunities (more hejes thingies). This includes and not limited to Remote Code Execution, Local Files Disclosures – so on and so forth.
The deserialized value, are then called as an Object in this case – the user value to pass into the variable $user.
This Part, is where the magic happens – Broken Access. Whereby it only needs the “clp-fm” cookie to authenticate it in order to proceed into the file-manager. The successfully decrypted cookie will pass the process into the backend to gain unrestricted access to the file-manager. From that point the attack escalates into a more serious threat by leveraging the feature to get user clp(r00t access). Attack on CLP!
ps: pun intended
Picture above – is the successfully decrypted “clp-fm” cookie, where it contains a variable whereby the user can put any username in the server. We chose “clp” because intrinsically by default. The user “clp” has sudo permission in order to gain r00t.
Banging The Door(s)? – POC
You Can Find The Python Code : Here
After all the flow are figured out, we constructed the exploit script to be completely automated for this vulnerability. Picture above is the example of successfully completed and automated python script.
The webshell we successfully upload into the server post exploitation
SSH login after exploitation which the user we inject into /etc/passwd with sudo privileges.
01-06-2023 – Exploit Found
12-06-2023 – Privately disclose to vendor
13-06-2023 – Submitted to CVE assignee
19-06-2023 – CVE number assigned by MITRE
20-06-2023 – Patch released by the vendor (v2.3.1)
20-07-2023 – Exploit released to the public