Control Web Panel Vulnerability, CVE-2022-44877, Actively Exploited in the Wild

This post offers details on the Control Web Panel Vulnerability, CVE-2022-44877, which is actively being exploited in the wild.

If you are using Control Web Panel in any version below 0.9.8.1147, make sure to patch as soon as possible.

While CVE-2022-44877, a critical vulnerability affecting Control Web Panel (a popular free, closed-source web-hosting interface), received an official patch on October 25th 2022, evidence of active exploitation of the vulnerability is starting to accumulate.

Over the last week, starting January 6th, adversaries appear to be scanning for unpatched instances running Control Web Panel (CWP) as well as actively attempting to exploit them. 

Currently, according to threat intelligence platform GreyNoise, there are at least four different IP addresses actively targeting the vulnerability.

Image: greynoise.io

This came soon after Proof of Concept (PoC) exploit code was published on GitHub by security researcher Numan Türle on January 5th.

The Vulnerability: CVE-2022-44877

CVE-2022-44877 is a remote code execution vulnerability that stems from a single line of code in the /login/index.php file, which allows unauthenticated attackers to execute code on the machine running Control Web Panel.

The problematic line uses the following structure in order to log errors:
echo "incorrect entry, IP address, HTTP_REQUEST_URI"

The fact that the logging functionality relies on bash (via the echo command), while the HTTP_REQUEST_URI parameter is user controlled, allows an attacker to take advantage of a built-in bash feature called Command Substitution by crafting a "malicious" HTTP request containing system commands.

How does it work?

Command substitution, according to the bash man pages, allows executing commands using the following syntax: $(<COMMAND TO EXECUTE>)

Hence, all an attacker has to do in order to take advantage of this built-in bash functionality is simply to send a request such as:

POST…

..
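As an added defender-side example (not code from this post or from the CWP project), the following Python scanner flags web-server access-log requests to /login/index.php whose URI, after URL decoding, carries a bash command-substitution token. The sample log lines and the `user` query parameter are constructed for illustration; the post only states that the request URI reaches the shell, not which parameter is involved.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
# The "user" query parameter is a placeholder, not the real CWP parameter.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Jan/2023:10:14:02 +0000] "POST /login/index.php?user=admin HTTP/1.1" 200 512
203.0.113.11 - - [06/Jan/2023:10:14:05 +0000] "POST /login/index.php?user=$(id) HTTP/1.1" 200 512
203.0.113.12 - - [06/Jan/2023:10:14:09 +0000] "POST /login/index.php?user=%2524%2528id%2529 HTTP/1.1" 200 512
203.0.113.13 - - [06/Jan/2023:10:14:12 +0000] "GET /index.php?q=$(id) HTTP/1.1" 200 1024
203.0.113.14 - - [06/Jan/2023:10:14:15 +0000] "POST /login/index.php?user=`id` HTTP/1.1" 200 512
"""

# Combined log format: client IP, timestamp, request line, status code.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)
# Bash command substitution: $(...) or the legacy backtick form.
SUBSTITUTION = re.compile(r'\$\(|`')
VULNERABLE_PATH = '/login/index.php'

def decode_uri(uri: str) -> str:
    """URL-decode repeatedly (bounded) so %24%28 and %2524%2528 both reveal '$('."""
    for _ in range(3):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def is_suspicious(uri: str) -> bool:
    """True when the request targets the login page and the decoded URI
    contains a shell substitution token."""
    decoded = decode_uri(uri)
    path = decoded.split('?', 1)[0]
    return path.startswith(VULNERABLE_PATH) and SUBSTITUTION.search(decoded) is not None

def scan_log(text: str) -> list:
    """Return one record per suspicious request: source IP, timestamp, decoded URI."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m and is_suspicious(m['uri']):
            hits.append({'ip': m['ip'], 'ts': m['ts'], 'uri': decode_uri(m['uri'])})
    return hits

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The rule is scoped to the vulnerable endpoint so that ordinary requests elsewhere on the host do not produce noise; widen VULNERABLE_PATH if the log covers a reverse proxy with a path prefix.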
