Exploit drops for remote code execution bug in Control Web Panel
Vendor patched the vulnerability in October after a red team alert
Adam Bannister 06 January 2023 at 15:40 UTC
A pre-authentication remote code execution (RCE) exploit has landed for popular web hosting platform Control Web Panel (CWP).
The fix for CWP 7 shipped in version 0.9.8.1147, released on October 25. All previous versions are affected.
CWP, formerly CentOS Web Panel, is a free-to-use Linux control panel with roughly 200,000 servers in active use.
The Proof of Concept (PoC) was posted to GitHub and YouTube yesterday (January 5) by Numan Türle, security engineer at Turkish infosec outfit Gais Security.
Türle told The Daily Swig that he disclosed technical details and requested a CVE after receiving assurances that a sufficient number of servers had been updated to the patched version.
The flaw has now been designated as CVE-2022-44877 with a CVSS severity rating still pending.
Double quotes problem
The flaw resides in the component and allows unauthenticated attackers to execute arbitrary system commands via crafted HTTP requests.
According to Türle, it resulted from CWP using the following structure to log incorrect entries:
“Since the request URI comes from the user, and as you can see it is within double quotes, it is possible to run commands such as , which is a bash feature,” he said.
“They have made the request URI into , but double quotes are interpreted on the bash side. It is actually just a problem with double quotes. It was a small problem but could be very annoying.”
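As an added example (not code from the article, from Türle or from CWP), here are the two checks a defender would run after reading the above: a comparison of the installed version against the patched release named in the article, and a scan of web access logs for requests to the login page whose URI carries the bash command-substitution syntax the quote refers to. The log format is assumed to be Apache/nginx combined format, and the log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Patch level named in the article: CWP 7 versions before 0.9.8.1147 are affected.
FIXED_VERSION = (0, 9, 8, 1147)

def parse_version(version: str) -> tuple:
    """Turn a dotted CWP version string such as '0.9.8.1147' into a comparable tuple."""
    return tuple(int(part) for part in version.strip().split("."))

def is_vulnerable(version: str) -> bool:
    """True when the installed version predates the fixed release."""
    return parse_version(version) < FIXED_VERSION

# Bash still expands $(...) and backticks inside double quotes, which is the root
# cause described above; a login-page request URI should never contain either.
SHELL_SUBSTITUTION = re.compile(r"\$\(|`")
# Assumed combined log format: ip ident user [timestamp] "METHOD uri PROTO" status size
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)')

def suspicious_requests(log_lines):
    """Return (ip, decoded uri) for /login/index.php requests carrying command substitution."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        uri = unquote(m.group("uri"))  # metacharacters usually arrive URL-encoded; decode first
        if uri.startswith("/login/index.php") and SHELL_SUBSTITUTION.search(uri):
            hits.append((m.group("ip"), uri))
    return hits

# Constructed sample log lines (documentation IP ranges, inert placeholder text).
SAMPLE_LOG = [
    '198.51.100.20 - - [06/Jan/2023:15:40:01 +0000] "GET /login/index.php HTTP/1.1" 200 1024',
    '203.0.113.7 - - [06/Jan/2023:15:40:05 +0000] "POST /login/index.php?login=%24%28placeholder%29 HTTP/1.1" 200 0',
    '203.0.113.7 - - [06/Jan/2023:15:40:09 +0000] "GET /login/index.php?login=%60placeholder%60 HTTP/1.1" 200 0',
    '198.51.100.20 - - [06/Jan/2023:15:41:00 +0000] "GET /index.php?q=%24%28x%29 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print("vulnerable:", is_vulnerable("0.9.8.1146"))
    for ip, uri in suspicious_requests(SAMPLE_LOG):
        print(f"suspicious login request from {ip}: {uri}")
```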
Timeline
Türle said the bug emerged from zero-day research undertaken on third-party applications used by customers of Gais Security.
“We discovered this vulnerability in July 2022 and closed the ports by first notifying our customers,” he said.
CWP was notified and remediation began on July 30. “Since it was a busy period, we sent the full report to the CWP team on 22.10.2022. The CWP team submitted a special version within two days and we confirmed that we were able to reproduce the vulnerability and submitted a new report.”
Türle praised CWP’s security team for a “very fast fix”.
“While vulnerabilities that I have previously communicated to other companies can take almost one to three months, the CWP team closed the vulnerability in two days,” he added.
The Daily Swig has contacted CWP for comment and will update this article if the company responds.
Related news
Control Web Panel versions prior to 0.9.8.1147 are vulnerable to unauthenticated OS command injection. Successful exploitation results in code execution as the root user. The results of the command are not contained within the HTTP response and the request will block while the command is running.
Malicious actors are actively attempting to exploit a recently patched critical vulnerability in Control Web Panel (CWP) that enables elevated privileges and unauthenticated remote code execution (RCE) on susceptible servers. Tracked as CVE-2022-44877 (CVSS score: 9.8), the bug impacts all versions of the software before 0.9.8.1147 and was patched by its maintainers on October 25, 2022. Control
Control Web Panel 7 versions prior to 0.9.8.1147 suffer from an unauthenticated remote code execution vulnerability.
An issue in the /login/index.php component of Centos Web Panel 7 before v0.9.8.1147 allows unauthenticated attackers to execute arbitrary system commands via crafted HTTP requests.