Vendor: aaPanel
By: Ünsal Furkan Harani (Zemarkhos)
CVSS: 7.2 (HIGH)
Category: Remote Code Execution
CWE: 269
Product Name: aaPanel
Affected Version From: 6.6.6
Affected Version To: 6.6.6
Patch Exists: YES
Related CVE: CVE-2020-14421
CPE: aapanel:aapanel
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Linux ubuntu 4.4.0-131-generic #157-Ubuntu SMP Thu Jul 12 15:51:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
2020

aaPanel 6.6.6 – Authenticated Privilege Escalation

A user who is logged in as an admin can open the crontab, select "shell script", paste a reverse-shell payload and click the execute button to obtain root privileges, because crontab.py runs with root privileges.

Mitigation:

Update aaPanel to a release that includes the fix (a patch exists for this issue), and enforce strong passwords for all panel accounts, since the issue requires an authenticated admin session.

Exploit-DB raw data:

# Exploit Title: [aaPanel 6.6.6 - Authenticated Privilege Escalation]
# Google Dork: []
# Date: [04.05.2020]
# Exploit Author: [Ünsal Furkan Harani (Zemarkhos)]
# Vendor Homepage: https://www.aapanel.com/
# Software Link: https://github.com/aaPanel/aaPanel
# Version: [6.6.6] (REQUIRED)
# Tested on: [Linux ubuntu 4.4.0-131-generic #157-Ubuntu SMP Thu Jul 12 15:51:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux]
# CVE : [CVE-2020-14421]

if you are logged in as admin;

1- go to the crontab

2- select shell script and paste your reverse shell code

3- click execute button and you are now root.

because crontab.py is running with root privileges.


https://github.com/jenaye/aapanel