Attackers actively exploit Unpatched Control Web Panel
Malicious hackers have started exploiting a critical vulnerability, CVE-2022-44877, in unpatched versions of Control Web Panel (CWP), a popular free, closed-source web-hosting interface.
The vulnerability allows remote code execution without authentication and was patched in October after being discovered and reported by Gais Cyber Security researcher Numan Turle, who released the proof-of-concept exploit on January 3. GreyNoise and The Shadowserver Foundation then recorded active exploitation, with the latter noting initial exploitation on January 6.
While the critical vulnerability affecting Control Web Panel was officially patched on October 25, 2022, evidence of active exploitation is beginning to accumulate.
CVE-2022-44877 is a remote code execution vulnerability caused by a single line of code in the /login/index.php file, allowing unauthenticated attackers to execute code on the machine hosting the Control Web Panel.
To log a failed login, the problematic line invokes echo with a double-quoted string of the form “incorrect entry, IP address, HTTP REQUEST URI” and records the output. According to the researchers, because the request URI is supplied by the user and is placed inside double quotes, bash evaluates command substitutions such as $(blabla) before echo ever runs.
Because the logging is implemented through bash (via the echo command) and the HTTP REQUEST URI parameter is user controlled, an attacker can use the built-in bash feature called command substitution to craft a malicious HTTP request containing system commands.
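As an added example (not code from the original article or from the CWP project), the following Python scan applies the mechanism just described to defender-side detection: it parses constructed web-server access-log lines, URL-decodes each request URI, and flags requests to /login/index.php that carry bash command-substitution syntax. The log lines and IP addresses are constructed samples, not real traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined-log format (not captured traffic).
# Only the second and third lines carry command-substitution syntax aimed at the CWP login page.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Jan/2023:10:01:02 +0000] "POST /login/index.php?login=admin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [06/Jan/2023:10:01:05 +0000] "POST /login/index.php?login=$(blabla) HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.12 - - [06/Jan/2023:10:01:09 +0000] "POST /login/index.php?login=%24%28blabla%29 HTTP/1.1" 200 512 "-" "python-requests/2.28"
203.0.113.13 - - [06/Jan/2023:10:02:00 +0000] "GET /user/index.php?x=%24%28y%29 HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

# Combined-log prefix: client IP, identity, user, timestamp, then the quoted request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)"'
)

# Bash constructs that are still evaluated inside a double-quoted echo argument.
SUBST_RE = re.compile(r'\$\(|`|\$\{')


def decode_uri(uri: str) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads are normalised."""
    for _ in range(3):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def find_cwp_login_substitution(log_text: str) -> list[dict]:
    """Return one record per request to /login/index.php whose URI contains command substitution."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        uri = decode_uri(m.group("uri"))
        if not uri.startswith("/login/index.php"):
            continue  # the vulnerable handler is the login page; other paths are out of scope here
        if SUBST_RE.search(uri):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "uri": uri})
    return hits


if __name__ == "__main__":
    for hit in find_cwp_login_substitution(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} suspicious login URI: {hit['uri']}")
```

This checks only the request URI as recorded by the web server; a production rule should also cover POST bodies and should be paired with confirming that the installed CWP version is 0.9.8.1148 or later.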
In some attacks, the exploit is used to launch a reverse shell: the encoded payloads are converted into Python commands that use the Python pty module to call back to the attacker’s machine and spawn a terminal on the vulnerable host.
According to GreyNoise, at least four different IP addresses are currently actively targeting the vulnerability. Administrators are therefore urged to act quickly and update CWP to the most recent version available, currently 0.9.8.1148, which was released on December 1, 2022.
The sources for this piece include an article in BleepingComputer.