SSD Advisory – aaPanel CSWH to RCE
Find out how a cross-site WebSocket hijacking (CSWH) vulnerability in aaPanel allows remote attackers to cause an authenticated user to execute arbitrary commands on the servers aaPanel manages.
aaPanel is a simple but powerful control panel that manages web servers through a web-based GUI (graphical user interface).
aaPanel provides “the one-click function such as one-click install LNMP/LAMP developing environment and software. Our main goal is helping users to save the time of deploying, thus users just focus on their own project that is fine”.
If an unsuspecting victim visits an attacker-controlled site while logged on to aaPanel, the attacker can cause the victim's browser to connect to the aaPanel-managed servers and run commands on them without the victim's knowledge.
An independent security researcher has reported this vulnerability to the SSD Secure Disclosure program.
Affected version: aaPanel LinuxStable 6.8.12
We have reported the vulnerability in aaPanel's GitHub repository and have not received any response.
aaPanel offers a web-based SSH terminal; the browser talks to these SSH sessions over WebSockets. aaPanel has been found to perform no Origin validation when a client initiates an SSH connection to the server. It is therefore possible to perform a cross-site WebSocket hijacking attack, which can result in remote code execution on the managed instance.
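The server-side check whose absence makes the hijack possible is a strict comparison of the handshake's Origin header against the panel's own origin. The following is an added example of such a check, not code from aaPanel or from the advisory; the panel origin, the header dicts and the host names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed example: the exact origin(s) the panel's own UI is served from.
# Assumption: the panel is reachable only at this scheme/host/port.
PANEL_ORIGINS = {"https://panel.example.test:7800"}

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def normalize_origin(origin):
    """Return (scheme, host, port) for an Origin value, or None if untrusted.

    A browser-initiated WebSocket handshake always carries a real Origin,
    so a missing header, the literal "null" (sandboxed iframe, file://) or
    anything that does not parse to scheme + host is rejected outright.
    """
    if not origin or origin.strip().lower() == "null":
        return None
    parts = urlsplit(origin.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment:  # an Origin has no path
        return None
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:  # non-numeric or out-of-range port, e.g. "7800.evil.test"
        return None
    return (parts.scheme, parts.hostname.lower(), port)


def origin_allowed(headers, allowed=PANEL_ORIGINS):
    """Decide whether a WebSocket upgrade request may proceed.

    `headers` maps HTTP header names (any case) to values. Only an exact
    scheme + host + port match against the panel's own origin is accepted;
    substring or suffix matching would let a look-alike host through.
    Sec-WebSocket-Key is not a CSRF defence, so it is deliberately ignored.
    """
    allowed_norm = {normalize_origin(o) for o in allowed}
    allowed_norm.discard(None)  # a misconfigured entry must never match a bad header
    hdrs = {k.lower(): v for k, v in headers.items()}
    if hdrs.get("upgrade", "").lower() != "websocket":
        return False
    return normalize_origin(hdrs.get("origin", "")) in allowed_norm
```

Combine the check with the session cookie's SameSite attribute; the Origin comparison is what blocks the cross-site handshake even when the cookie is still sent.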
Requirements (to exploit)
- Knowledge of the IP/FQDN of the aaPanel
- Victim has to visit a malicious web site with Firefox (the vulnerability doesn't work with Chrome)
- Victim has to have configured Terminal with at least one managed instance
- Victim has to have been logged on to the aaPanel prior to visiting the malicious web site