CtrlPanel Billing Software Remote Code Execution Vulnerability in Web Installer

Vulnerability

A remote code execution vulnerability has been identified in CtrlPanel billing software for hosting providers, affecting versions through 1.1.1. The issue lies in the web-based installer, which can be reached without authentication. The vulnerability exists because the installer checks for the presence of an 'install.lock' file only after executing the form handler files, so the lock does not stop the handlers from running. This flaw allows attackers to interact with installer endpoints on already-installed instances. Additionally, the form handlers pass unsanitized user input directly into shell commands, enabling the execution of arbitrary commands on the server. The vulnerability is actively exploited in the wild.

Impact

Exploitation of this vulnerability allows unauthenticated remote attackers to execute arbitrary commands on the server with the privileges of the web server process. This could lead to a full server compromise, including access to sensitive files and application secrets, lateral movement within the network, and the ability to establish persistence by planting backdoors or modifying application files.

Reproduction

The vulnerability can be reproduced by sending a POST request to the 'public/installer/index.php' endpoint with crafted input that exploits the unsanitized user input handling. This can be done by including a command injection payload in the 'key' field, which is then executed on the server via a shell command. The exploitation can be automated with a script that simulates the request, such as one written in Python using the 'requests' library.

Remediation

Users should update to CtrlPanel version 1.2.0, where this vulnerability has been fixed. Instructions for downloading the latest version are available on the CtrlPanel GitHub Releases page.
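As an added, defender-side example (not code from CtrlPanel or from this advisory): a small Python log check that flags requests reaching the installer endpoint on an instance that has already finished installing, which is precisely the condition the late install.lock check fails to block. The log lines and IP addresses are constructed; the path pattern follows the 'public/installer/index.php' endpoint named under Reproduction, and whether install.lock exists is passed in as a flag because the lock file's location is not given here.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [19/May/2026:22:10:01 +0000] "GET /dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [19/May/2026:22:10:05 +0000] "GET /public/installer/index.php HTTP/1.1" 200 3410 "-" "python-requests/2.31"
198.51.100.7 - - [19/May/2026:22:10:09 +0000] "POST /public/installer/index.php?step=3 HTTP/1.1" 200 220 "-" "python-requests/2.31"
192.0.2.44 - - [19/May/2026:22:11:00 +0000] "GET /public/installer/index.php HTTP/1.1" 200 3410 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Any path under the installer directory; the advisory names public/installer/index.php.
INSTALLER_RE = re.compile(r"/installer/", re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format access log line; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_installer_hits(log_text: str, install_complete: bool = True) -> List[Dict[str, str]]:
    """Return installer requests worth triaging, in log order.

    install_complete says whether install.lock exists on this instance (assumed
    to be checked by the caller). While an install is legitimately in progress,
    installer traffic is expected and nothing is flagged. Afterwards every hit is
    unexpected: POSTs rank "high" because the form handlers are the code path that
    feeds input to the shell; GETs rank "medium" as probing of the endpoint.
    """
    hits: List[Dict[str, str]] = []
    if not install_complete:
        return hits
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not INSTALLER_RE.search(rec["path"]):
            continue
        rec["severity"] = "high" if rec["method"] == "POST" else "medium"
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_installer_hits(SAMPLE_LOG):
        print(f'{h["severity"]:6} {h["ts"]} {h["ip"]} {h["method"]} {h["path"]} ua={h["ua"]}')
```

In production, feed it the real access log and pass the result of checking for the lock file as install_complete; a "high" hit on an installed instance still running a version through 1.1.1 should be treated as a probable compromise, not just a scan.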

Added: May 19, 2026, 10:23 PM
Updated: May 19, 2026, 10:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 8.7
remediation: 0.0
relevance: 8.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.