| Category | Vulnerability Class | CVE ID | CVSS:3.0 Score |
|---|---|---|---|
| Vulnerability Intelligence | Remote Code Execution | CVE-2022-44877 | NA (Not Assigned) |

| THREAT | IMPACT | MITIGATION |
|---|---|---|
CloudSEK's Threat Research team investigated the technical details of CVE-2022-44877 and the internet-wide exploitation of CentOS Web Panel 7 (CWP7) installations.
Our research found that a successful exploit lets an attacker execute arbitrary commands on the server with the privileges under which CentOS Web Panel runs. In multiple cases the panel was installed and running as 'root', the equivalent of 'Administrator' on Windows, so injected commands ran with full control of the host.
A security researcher released a proof of concept (PoC) on GitHub and a demonstration video on YouTube on 5 January 2023, after the CentOS Web Panel team assured them that a sufficient number of servers had been patched.
Analysis of the published exploit code showed that the flaw resides in the code path that logs incorrect (failed) login entries. The following is a representative snippet of the command that writes such an entry to the file wrong_entry.log:

```bash
echo "incorrect_entry, IP address, HTTP_request_URI" >> ./wrong_entry.log
```
The double quotes are what turn this logging code into a command injection: bash (like any POSIX shell) still performs command substitution, `$(...)` and backticks, and parameter expansion inside a double-quoted string. Because HTTP_request_URI is attacker-controlled and is pasted into that string before the shell parses it, a request URI containing `$(command)` causes `command` to run on the server with the panel's privileges. Since the entry is written precisely when a login attempt fails, the injection point is reachable without valid credentials.
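To make the mechanism concrete, here is an added example written for this post (it is not CentOS Web Panel's own code). It imitates the logging pattern in a shell function, runs it once with a constructed request URI carrying `$(id)`, and contrasts it with a hardened version that never lets the URI reach a shell parser. It also includes a small triage check for command-substitution syntax in logged URIs. The function names, the sample client IP and the two URIs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not CentOS Web Panel's code): why interpolating an
# attacker-controlled REQUEST_URI into a double-quoted shell string is
# command injection, and how to log the same data safely.
# All inputs below are constructed for the demonstration.

BENIGN_URI='/login/index.php?login=admin'
MALICIOUS_URI='/login/index.php?login=$(id)'
CLIENT_IP='203.0.113.5'

# Vulnerable pattern (hypothetical name): the command line is assembled as a
# string and handed to a shell, the way an application calling shell_exec()
# would. Inside double quotes the shell still performs $(...) and backtick
# command substitution, so $(id) runs with the logging process's privileges.
log_wrong_entry_vuln() {
    ip="$1"; uri="$2"; log="$3"
    cmd="echo \"incorrect_entry, $ip, $uri\" >> $log"
    sh -c "$cmd"
}

# Hardened pattern (hypothetical name): the URI is passed to printf as an
# argument and is never re-parsed by a shell, so $(id) is written literally.
log_wrong_entry_safe() {
    ip="$1"; uri="$2"; log="$3"
    printf 'incorrect_entry, %s, %s\n' "$ip" "$uri" >> "$log"
}

# Triage helper: flag URIs carrying shell command-substitution syntax.
# Returns 0 (true) if the URI looks like an injection attempt.
contains_substitution() {
    case "$1" in
        *'$('*|*'`'*|*'${'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Last line of a log file, for inspecting what each pattern wrote.
last_log_line() { tail -n 1 "$1"; }

demo() {
    tmp="$(mktemp)"
    log_wrong_entry_vuln "$CLIENT_IP" "$MALICIOUS_URI" "$tmp"
    echo "vulnerable path logged: $(last_log_line "$tmp")"
    log_wrong_entry_safe "$CLIENT_IP" "$MALICIOUS_URI" "$tmp"
    echo "hardened path logged:   $(last_log_line "$tmp")"
    for u in "$BENIGN_URI" "$MALICIOUS_URI"; do
        if contains_substitution "$u"; then
            echo "suspicious URI: $u"
        fi
    done
    rm -f "$tmp"
}

demo
```

The vulnerable path logs the output of `id` in place of the URI, which is the same effect an attacker relies on when the substituted command is something more useful to them. The language that builds the string does not matter; the defect is re-parsing attacker input with a shell. Passing the data as an argument to the logging command, or writing the file directly from the application, removes the injection point entirely.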
A typical payload supplies a command that spawns a reverse shell; when the server processes the request, the command runs and the server connects back to the attacker's listener.
Many vulnerable servers remain exposed on the internet, and threat actors have begun exploiting them with payloads built on this injection pattern.
Understanding the Payload
CentOS Web Panel 7 is a widely used server management tool. A Shodan query for it returns roughly 436,000 servers, each of which is potentially exposed to the remote code execution vulnerability; note that this count measures internet-facing CWP instances, not confirmed vulnerable versions.
The same pattern is visible in other search engines such as Censys.
A high-impact vulnerability that is also easy to exploit is a prime target for threat actors, and the public PoC makes their job that much easier. We therefore recommend that users update to the latest version, v0.9.8.1148.