Exploit drops for remote code execution bug in Control Web Panel (CWP)

guest · Jan 12, 2023

Vendor patched the vulnerability in October after a red team alert
By Adam Bannister @Ad_Nauseum74 - January 6, 2023

A pre-authentication remote code execution (RCE) exploit has landed for popular web hosting platform Control Web Panel (CWP).
Click to expand...

The corresponding vulnerability in CWP 7 was patched and then released in version 0.9.8.1147 on October 25. All previous versions are affected.

CWP, formerly CentOS Web Panel, is a free-to-use, Linux control panel with roughly 200,000 servers in active use.
Click to expand...

The Proof of Concept (PoC) was posted to GitHub and YouTube yesterday (January 5) by Numan Türle, security engineer at Turkish infosec outfit Gais Security.
The flaw has now been designated as CVE-2022-44877 with a CVSS severity rating still pending.
Double quotes problem
The flaw resides in the /login/index.php component and allows unauthenticated attackers to execute arbitrary system commands via crafted HTTP requests.
Click to expand...

guest · Jan 12, 2023

Vulnerability with 9.8 severity in Control Web Panel is under active exploit
By Dan Goodin @dangoodin@infosec.exchange - January 13, 2023

Malicious hackers have begun exploiting a critical vulnerability in unpatched versions of the Control Web Panel, a widely used interface for web hosting.

“This is an unauthenticated RCE,” members of the Shadowserver group wrote on Twitter, using the abbreviation for remote code exploit. “Exploitation is trivial and a PoC published.” PoC refers to a proof-of-concept code that exploits the vulnerability.
The vulnerability is tracked as CVE-2022-44877. It was discovered by Numan Türle of Gais Cyber Security and patched in October in version 0.9.8.1147. Advisories didn’t go public until earlier this month, however, making it likely some users still aren’t aware of the threat.
Click to expand...

Figures provided by Security firm GreyNoise show that attacks began on January 7 and have slowly ticked up since then, with the most recent round continuing through Wednesday. The company said the exploits are coming from four separate IP addresses located in the US, Netherlands, and Thailand.

The severity rating for CVE-2022-44877 is 9.8 out of a possible 10. “Bash commands can be run because double quotes are used to log incorrect entries to the system,” the advisory for the vulnerability stated. As a result, unauthenticated hackers can execute malicious commands during the login process. The following video demonstrates the flow of the exploit.
Click to expand...

Shadowserver shows that there are roughly 38,000 IP addresses running Control Web Panel, with the highest concentration in Europe, followed by North America, and Asia.

Given the ease and severity of exploitation and the availability of working exploit code, organizations using Control Web Panel should ensure they’re running version 0.9.8.1147 or higher.
Click to expand...

Log in or Sign up

Exploit drops for remote code execution bug in Control Web Panel (CWP)

guest Guest

guest Guest

Log in or Sign up

Exploit drops for remote code execution bug in Control Web Panel (CWP)

guest Guest

guest Guest

Useful Searches