1Panel OS Command Injection Vulnerability in SSH Operation Function

Vulnerability

A command injection vulnerability has been identified in 1Panel version 2.0.8. The issue arises in the OperateSSH function, which receives the operation parameter sent to the /api/v2/hosts/ssh/operate endpoint. If the operation parameter is not properly validated, attackers could inject arbitrary commands. For instance, an injection like 'stop; id' could be executed as 'systemctl stop; id sshd': the shell treats ';' as a command separator, so the 'id' command is executed on the system.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the server where 1Panel is running.

Reproduction

To reproduce this vulnerability, send a POST request to the /api/v2/hosts/ssh/operate endpoint with a JSON payload that includes an operation parameter. The value of the operation parameter should be crafted to include a command injection, such as 'restart; touch /tmp/pwned'. This will execute the injected command on the server.

Remediation

Users are advised to update to a version of 1Panel that addresses this vulnerability. Additionally, implement strict validation of the operation parameter to ensure that only expected values are accepted.
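
The validation recommended above, as an added example (not 1Panel's own code or its actual patch): the operation is matched exactly against an allowlist and passed to systemctl as a separate argv element, so no shell ever parses it. The allowlist contents and the function names are assumptions; the unsafe helper only builds the string the advisory describes so the two forms can be compared.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
)

// allowedOperations is an assumed allowlist; set it to the operations the
// SSH management page is actually meant to expose.
var allowedOperations = map[string]bool{"start": true, "stop": true, "restart": true}

// ErrInvalidOperation is returned for any value that is not an exact allowlist match.
var ErrInvalidOperation = errors.New("operation not allowed")

// UnsafeCommandLine builds the command the way the advisory describes:
// the raw parameter is spliced into a string that a shell would then parse.
func UnsafeCommandLine(operation string) string {
	return fmt.Sprintf("systemctl %s sshd", operation)
}

// SafeArgv validates the operation by exact match and returns an argv slice.
// Each element is one argument, so metacharacters are never interpreted.
func SafeArgv(operation string) ([]string, error) {
	if !allowedOperations[operation] {
		return nil, fmt.Errorf("%w: %q", ErrInvalidOperation, operation)
	}
	return []string{"systemctl", operation, "sshd"}, nil
}

// RunSSHOperation executes the validated argv directly, without "sh -c".
func RunSSHOperation(operation string) error {
	argv, err := SafeArgv(operation)
	if err != nil {
		return err
	}
	return exec.Command(argv[0], argv[1:]...).Run()
}

func main() {
	// Constructed inputs: one expected value and the two strings quoted in the advisory.
	for _, op := range []string{"stop", "stop; id", "restart; touch /tmp/pwned"} {
		argv, err := SafeArgv(op)
		fmt.Printf("input=%q\n  unsafe string: %q\n  safe argv: %q err: %v\n",
			op, UnsafeCommandLine(op), argv, err)
	}
}
```

Rejecting by exact match also refuses near-misses such as trailing whitespace or an empty value, which a blocklist of shell metacharacters would have to enumerate one by one.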

Added: Sep 10, 2025, 2:17 PM
Updated: Sep 10, 2025, 3:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 6.0
remediation: 0.0
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.