POC for High Impact RCE Vulnerability in Centos Web Panel 7 (CVE-2022-44877) Increases Risk of Attacks

January 12, 2023
4 min read


Category:

Vulnerability Intelligence

Vulnerability Class:

Remote Code Execution

CVE ID:

CVE-2022-44877

CVSS:3.0 Score:

NA (Not Assigned)

Executive Summary

Threat:
  • A new remote command execution vulnerability was found in the web management portal of CentOS (Control) Web Panel 7.
  • A threat actor can easily exploit the vulnerability with a crafted HTTP request.

Impact:
  • The vulnerability can be leveraged to obtain a reverse shell and maintain persistence.
  • A remote unauthenticated threat actor can perform ransomware attacks or exfiltrate data.

Mitigation:
  • Update to the latest version, as this affects CentOS Web Panel 7 < v0.9.8.1147.
  • The latest version is v0.9.8.1148.

Investigation and Analysis

CloudSEK’s Threat Research team conducted an investigation to understand the technical details of CVE-2022-44877, and the internet-wide exploitation of CentOS Web Panel 7 installations.

Through the course of our research, we discovered that post-exploitation, an attacker can execute commands remotely at the same privilege level as the CentOS Web Panel installation. In multiple cases, the default privilege used to host the installation was ‘root’, which is equivalent to the ‘Administrator’ privilege on Windows.

Technical Analysis – Proof of Concept Code

A security researcher released the POC on GitHub and a POC video on YouTube on 5 January 2023, after getting assurance from the CentOS team that a sufficient number of servers had been patched.

Upon analysis of the shared exploit code, it was identified that the flaw resided in the functionality which logs incorrect entries on the panel. The following is a sample code snippet responsible for writing content to the file “wrong_entry.log”:

echo "incorrect_entry, IP address, HTTP_request_URI" >> ./wrong_entry.log

The double quotes in the above command are the root of the flaw: inside a double-quoted bash string, variable expansion and command substitution are still performed, so a command embedded in the string is executed. Since HTTP_request_URI is attacker-controlled, a threat actor can insert a command that gets executed on the server.

When the above command is executed, we get a connection back to the listener shell.

Illustration of 2 shells

There are multiple vulnerable servers in the wild and threat actors have started exploiting them using the below-mentioned exploit payload.

The sample payload

Understanding the Payload

  • ping${IFS}-nc${IFS}2${IFS}222gmd8w98u9qwf7x5z7kw73quwlkd82.oastify.com can be simplified to ping -nc 2 222gmd8w98u9qwf7x5z7kw73quwlkd82.oastify.com
  • ${IFS} is bash’s internal field separator variable; unquoted, it expands to whitespace, so it stands in for the space character and bypasses the blank-space bad-character check.
  • Hence, the payload attempts to get a pingback from the vulnerable server.

We get the following DNS interaction from the vulnerable server
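As an added example (not part of the CloudSEK write-up or of CWP’s own code), the following Python detector applies the ${IFS} simplification described above to constructed wrong_entry.log-style lines and flags request URIs that carry shell metacharacters; the exact log layout, IP addresses, paths and hostname are assumptions.

```python
import re

# Constructed sample lines in the layout the article describes for
# wrong_entry.log: "incorrect_entry, <client IP>, <request URI>".
# The IPs, paths and the .invalid hostname are made up for this example.
SAMPLE_LOG = """\
incorrect_entry, 198.51.100.7, /example/login?user=admin
incorrect_entry, 198.51.100.9, /example/login?user=ping${IFS}-nc${IFS}2${IFS}example.oastify.invalid
incorrect_entry, 203.0.113.4, /example/login?user=admin;id
incorrect_entry, 203.0.113.5, /example/index
Jan 12 server cwp: restart
"""

# Shell constructs that have no business in a login URI: command
# substitution, the ${IFS} whitespace trick from the article, and
# command separators.
SUSPICIOUS = re.compile(r"\$\(|`|\$\{IFS\}|;|\|")

def normalise_ifs(uri):
    """Undo the ${IFS} obfuscation the article walks through, so the
    injected command reads the way the shell would have run it."""
    return uri.replace("${IFS}", " ")

def parse_line(line):
    """Split one wrong_entry.log line into (ip, uri); None if malformed."""
    parts = line.split(", ", 2)
    if len(parts) != 3 or parts[0] != "incorrect_entry":
        return None
    return parts[1], parts[2]

def find_injection_attempts(log_text):
    """Return [(ip, normalised_uri)] for lines whose URI contains
    shell metacharacters; malformed lines are skipped."""
    hits = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ip, uri = parsed
        if SUSPICIOUS.search(uri):
            hits.append((ip, normalise_ifs(uri)))
    return hits

if __name__ == "__main__":
    for ip, uri in find_injection_attempts(SAMPLE_LOG):
        print(f"{ip} -> {uri}")
```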

Information from OSINT – Exploitability & Presence

CentOS Web Panel 7 is a widely used server management tool. A Shodan query for it returns ~436,000 servers which could potentially be vulnerable to the remote code execution vulnerability.

Shodan search query showing vulnerable servers

The same pattern can also be observed from other search engines like Censys.

Censys search query showing vulnerable servers

Mitigation

A high-impact vulnerability that is also easily exploitable is a prime target for threat actors, and given that the POC is now public, it makes the threat actors’ job that much easier. Hence we recommend that users update to the latest version, v0.9.8.1148.
