Control Web Panel Remote Code Execution

January 20, 2023

Control Web Panel(CWP) is a advanced Free and PRO web hosting panel that gives flexibility to effectively and efficiently manage your server and clients.
Control Web Panel 7 versions prior to suffer from an unauthenticated remote code execution vulnerability.

Remote Code Execution vulnerability
A remote code execution (RCE) vulnerability is a type of software vulnerability that allows an attacker to execute arbitrary code on a targeted system or device. This can be done by exploiting a flaw in the software or by injecting malicious code into the system via a network connection or other means. RCE vulnerabilities are considered to be particularly severe because they can allow an attacker to gain complete control over a targeted system or device.
Unauthenticated Remote Code Execution (RCE) is a type of vulnerability that allows an attacker to execute arbitrary code on a target system or device without the need for any authentication or authorization. This means that the attacker does not need to provide any valid credentials or have any previous access to the system in order to exploit the vulnerability.

Control Web Panel Remote Code Execution | CVE-2022-44877
Unauthenticated RCE exists in Control Web Panel.
login/index.php in Control Web Panel( or CentOS Web Panel) 7 before allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.

Following is an example of exploit :

Decoding base64 gives us following code :

The code is a command line that runs a Python script that creates a socket connection to an attacker controlled IP address and port number specified within the script. Once the connection is established, the script uses the os.dup2 function to redirect input, output, and error for the script to the socket.This allows the script to run a shell command, in this case “sh”, and receive input, output and error through the socket connection. The pty.spawn function is then used to spawn a new process in the connected shell.
The command “login=$(echo” is setting the variable “login” to the output of the command “echo”. Then, the Python script for creating a socket connection and spawning a shell is run. After that, the output of that command is piped to the command “base64 -d” which decodes the base64 encoded text, and then the final command “| bash” is used to execute the decoded output as a command in the bash shell.
Overall the attacker is trying to open a reverse shell connection to IP address and port specified in the Python script.

SonicWall Capture Labs provides protection against this threat via following signature:

  • IPS 18864:Control Web Panel 7 RCE

Control Web Panel has patched this vulnerability .

Threat Graph