Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

CVE-2021-45467: CWP CentOS Web Panel - preauth RCE- 1943

pwn.ai, posted 1 day ago
  • While reviewing CentOS Web Panel (CWP), the authors noticed an interesting protection against local file inclusion.
    PHP
    // The check as summarized in the post: a deny-list substring search for ".."
    // (the original listing was missing the closing parenthesis of the if condition).
    function GETSecurity($variable)
    {
      if (stristr($variable, "..")) {
         exit("hacking attempt");
      }
    }
    
  • Why was this interesting to them? stristr() is a case-insensitive substring function. They had a few ideas for circumventing this check. First, get it to treat other characters as dots, but this yielded nothing.
  • Second, find characters that PHP's underlying C implementation would treat as dots once lower-cased. They reviewed the C code and saw that the input was converted to lowercase before the comparison was performed. The main idea was that the check and the use differed slightly, but this didn't yield any results either.
  • The final idea was to trick CWP into thinking that no dots were being used at all. After some fuzzing, they arrived at the payload /.%00./: the string comparison saw one thing, but the routing saw another. stristr effectively ignores null bytes, though they were not sure why this happened.
  • This gave them a local file inclusion vulnerability. They reported it to ZDI and it was patched. Overall, a good bug! I appreciated the thought process behind why they targeted this specific section of code, including the failures.
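As an added illustration (not code from CWP or from the pwn.ai post), the deny-list check summarized above placed beside an allow-list check that decodes the value first, so the check and the router see the same bytes. The function names, regex and sample inputs below are constructed for the example.

```php
<?php
// Added example, not CWP's or the post's code: deny-list vs. allow-list path checks.

// The original idea: reject anything containing "..". stristr() looks for the
// literal byte pair, so the bytes "." NUL "." are not a match and pass through,
// even though the router later handles that name differently.
function denylist_check(string $variable): bool
{
    return stristr($variable, "..") === false;   // true means "allowed"
}

// Hardened variant: decode exactly once, refuse control bytes (NUL included),
// then allow-list the shape of a script path instead of searching for bad tokens.
function allowlist_check(string $variable): bool
{
    $decoded = rawurldecode($variable);          // what the router will act on
    if (preg_match('/[\x00-\x1f\x7f]/', $decoded) === 1) {
        return false;                            // NUL or other control byte
    }
    // Segments of [A-Za-z0-9_-] separated by single slashes, optional .php suffix.
    // "." and ".." segments cannot match, so traversal has no representation at all.
    return preg_match('#^/?[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*(\.php)?$#', $decoded) === 1;
}

// Constructed inputs: a benign name, the post's /.%00./ trick as it arrives
// (percent-encoded) and after decoding, and a plain traversal for comparison.
$samples = [
    'users/list.php',
    '/.%00./etc/passwd',          // encoded NUL, as seen in the URL
    "/.\0./etc/passwd",           // decoded: the bytes stristr() actually compares
    '../../etc/passwd',
];
foreach ($samples as $s) {
    printf("%-28s denylist=%s allowlist=%s\n", addcslashes($s, "\0"),
        denylist_check($s) ? 'pass' : 'BLOCK',
        allowlist_check($s) ? 'pass' : 'BLOCK');
}
```

Running it shows the deny-list passing both NUL variants while the allow-list blocks everything except the benign name.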