RatPanel Remote Code Execution and Authentication Bypass Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in RatPanel versions from 2.3.19 up to, but not including, 2.5.6. It allows attackers to execute system commands on, or take control of, hosts managed by the panel without logging in. The issue arises from the CleanPath middleware, which fails to properly process the URL path, leading to authentication bypass. As a result, unauthorized access to sensitive interfaces is granted.
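The bug class described above, as an added example that is not RatPanel's code or its fix: an authentication guard that matches a protected prefix against the raw request path, beside a middleware that refuses any path path.Clean would rewrite, so the guard and the router behind it always see the same spelling of a route. The "/api/" prefix, the "X-Session" header and the sample paths are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// Constructed illustration of the bug class, not RatPanel's code: "/api/" stands for any panel route that must require a login.
const protectedPrefix = "/api/"
// backend plays a router that normalizes the path only at dispatch time, i.e. after the guard has run.
var backend = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, "served ", path.Clean(r.URL.Path))
})
// naiveAuth matches the prefix against the raw path, so a non-canonical spelling
// of a protected route is never asked for a session (the weak pattern).
func naiveAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.HasPrefix(r.URL.Path, protectedPrefix) && r.Header.Get("X-Session") == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}
// rejectNonCanonical refuses any path that path.Clean would rewrite, so the auth
// guard and the router behind it always see one spelling per route (the fix).
func rejectNonCanonical(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if path.Clean(r.URL.Path) != r.URL.Path {
			http.Error(w, "non-canonical path", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}
// statusFor sends an unauthenticated GET for rawPath through h and returns the status code.
func statusFor(h http.Handler, rawPath string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, rawPath, nil))
	return rec.Code
}

func main() {
	for _, p := range []string{"/api/status", "/x/../api/status"} {
		fmt.Println(p, statusFor(naiveAuth(backend), p), statusFor(rejectNonCanonical(naiveAuth(backend)), p))
	}
}
```

The weak chain answers 200 for the non-canonical spelling because the guard never fired, while the hardened chain answers 400 to it and still demands a session (401) on the canonical path.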

Impact

Exploitation of this vulnerability allows for remote code execution and unauthorized access to the affected system.

Reproduction

To reproduce this vulnerability, first obtain the backend login path of RatPanel. This can be done through methods such as brute-forcing or by exploiting weak default paths. Once the login path is known, activate a session by sending a request that includes the session cookie. After the session is activated, use the '_wsdump.py' script from the Python websocket-client library to authenticate and exploit the vulnerability via the WebSocket API.

Remediation

Users are advised to upgrade to RatPanel version 2.5.6, where this vulnerability has been patched.

Added: Aug 5, 2025, 10:43 PM
Updated: Aug 5, 2025, 10:43 PM

Vulnerability Rating

Custom Algorithm

  metric          score
  spread          0.0
  impact          2.5
  exploitability  7.6
  remediation     7.7
  relevance       0.3
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.