Share
## https://sploitus.com/exploit?id=610DF7B9-E78C-5D72-922B-B3C3C2564A47
# CVE-2024-53376
CyberPanel Authenticated OS Command Injection

### Affected Devices
CyberPanel versions < 2.3.8 are vulnerable to an OS command injection. To exploit the vulnerability the attacker is required to firstly login to the webpanel. 

### Tested With
CyberPanel 2.3.7

### Technical details

An attacker can use a HTTP OPTIONS request to instruct the webserver running the CyberPanel application to execute arbitrary commands. This vulnerability lies in the /websites/submitWebsiteCreation endpoint.

This endpoint calls the submitWebsiteCreation function in the /websiteFunctions/views.py file location. 

<p align="center"> <img src="https://github.com/ThottySploity/CVE-2024-53376/blob/main/images/submitWebsiteCreation_views.png" alt="Toplevel function" /> </p>

This function further calls the `wm.submitWebsiteCreation` function found in the /websiteFunctions/website.py file. This function extracts five parameters which are used within the function:
    - domain;
    - adminEmail;
    - phpSelection;
    - packageName;
    - websiteOwner;

<p align="center"> <img src="https://github.com/ThottySploity/CVE-2024-53376/blob/main/images/submitWebsiteCreation_part1.png" alt="Toplevel function" /> </p>

These parameters are later parsed directly to a function that executes these:

<p align="center"> <img src="https://github.com/ThottySploity/CVE-2024-53376/blob/main/images/submitWebsiteCreation_part2.png" alt="Toplevel function" /> </p>

The Proof-of-Concept (PoC) code can be found in the cyberpanel.py file that is linked in this repo.

### PoC

This Proof-of-Concept can be used to write files with root level permissions, anywhere on the system:

<p align="center"> <img src="https://github.com/ThottySploity/CVE-2024-53376/blob/main/images/writing_into_root.png" alt="Toplevel function" /> </p>

This could result in a complete device compromise. If the device's CyberPanel installation folder is accessible, data can be more easily extracted through the web panel.

### Writeup 

The writeup which outlines the discovery process of the exploit will become available at: https://thottysploity.github.io/posts/cve-2024-53376

### Timeline

30.10.2024 - Identified vulnerability  
31.10.2024 - Contacted Usman Nasir, owner of CyberPanel  
02.11.2024 - Usman fixed the issue and published a fix  
03.11.2024 - Requested CVE-ID from MITRE  
23.11.2024 - MITRE reserved CVE-ID 2024-53376  
15.12.2024 - CVE-2024-53376 published to the public