
RCE and privesc on safe user #1635

Closed
esp0xdeadbeef opened this issue May 14, 2022 · 17 comments

Comments

@esp0xdeadbeef

We were RCE hunting on live stream, sorry for the poc.
https://github.com/esp0xdeadbeef/rce_webmin
https://www.twitch.tv/videos/1483029790

Please patch.

@jcameron
Collaborator

Thanks, this does look like an issue that can be exploited if the admin has created a less-privileged user manually without using Virtualmin or Cloudmin.

@iliajie this seems to be an Authentic theme-specific bug. The problem is that the code in settings-editor_write.cgi just takes the file parameter as input without doing any validation that it's one of the legit paths established in settings-editor_read.cgi . This is unsafe .. we can NEVER trust any URL parameter ever!

Also, the code in settings-editor_write.cgi that checks get_user_level won't handle the case where the user was created manually in Webmin and just granted limited access to some modules.
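
The two defects described in the comment above (a file path taken straight from a URL parameter, and a privilege check that does not cover manually created users) suggest the shape of a fix for the first one. The script below is an added example for readers of this thread; it is not code from Webmin or the Authentic theme, and the file names, parameter names and allowlist in it are assumptions. It contrasts the weak pattern (write to whatever path the request names) with two hardened ones that resolve the request against a fixed, server-side allowlist shared by the read and write handlers.

```perl
#!/usr/bin/perl
# Added illustration (not Webmin or Authentic theme code) of the point made
# in the thread: a write handler must never take a file path straight from a
# URL parameter. Allowlist, file names and parameter names are assumptions.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical allowlist of the only files the editor may write, keyed by a
# short name. The read side and the write side must share this one list.
sub editable_files {
    my ($confdir) = @_;
    return (
        settings => File::Spec->catfile($confdir, 'settings.js'),
        styles   => File::Spec->catfile($confdir, 'styles.css'),
    );
}

# The weak pattern: whatever path the request names is written to.
sub write_unchecked {
    my ($file, $content) = @_;
    open(my $fh, '>', $file) or return 0;
    print $fh $content;
    close($fh) or return 0;
    return 1;
}

# Hardened, preferred: the request carries a key, never a path. An unknown
# key is refused, so nothing outside the allowlist can be named at all.
sub write_by_key {
    my ($key, $content, %allowed) = @_;
    return 0 unless defined $key && exists $allowed{$key};
    return write_unchecked($allowed{$key}, $content);
}

# Hardened, compatible: if the parameter must stay a path, accept it only when
# it is byte-for-byte one of the allowlisted paths. No normalisation is done;
# "..", "./" or a trailing slash simply fail the comparison and are refused.
sub write_by_exact_path {
    my ($file, $content, %allowed) = @_;
    return 0 unless defined $file;
    my %ok;
    $ok{$_} = 1 for values %allowed;
    return 0 unless $ok{$file};
    return write_unchecked($file, $content);
}

# Demo against a throwaway directory so the script runs anywhere.
my $dir     = tempdir(CLEANUP => 1);
my %allowed = editable_files($dir);
my $outside = File::Spec->catfile($dir, 'not-a-theme-file');

printf "unchecked write outside the allowlist: %s\n",
    write_unchecked($outside, "x") ? "written" : "refused";
printf "write_by_key('styles'): %s\n",
    write_by_key('styles', "body{}", %allowed) ? "written" : "refused";
printf "write_by_key('../passwd'): %s\n",
    write_by_key('../passwd', "x", %allowed) ? "written" : "refused";
printf "write_by_exact_path(allowlisted path): %s\n",
    write_by_exact_path($allowed{settings}, "{}", %allowed) ? "written" : "refused";
printf "write_by_exact_path(path with traversal): %s\n",
    write_by_exact_path("$dir/../x", "x", %allowed) ? "written" : "refused";
```

The key-based variant is the stronger design because the client never gets to express a path at all; the exact-match variant is the minimal change when the wire format has to stay a path. Neither addresses the second defect from the comment (the `get_user_level` check), which has to be fixed by using the same user-privilege API Webmin itself relies on rather than a theme-local test.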

@chris001

Thank you 😃 for finding this @esp0xdeadbeef ! 🥂 🐮
Please 🙏 continue, find more! 👍 🖥️

@esp0xdeadbeef
Author

We requested a CVE for this vulnerability; this is the reference: 1267786.
Could you acknowledge this?

@jcameron
Collaborator

Thanks for the CVE!

@chris001

Is this the form that the CVE reference should be entered into?
https://docs.github.com/en/code-security/repository-security-advisories/creating-a-repository-security-advisory

iliajie added a commit to webmin/authentic-theme that referenced this issue May 14, 2022
@honphilemon

Does anyone have an idea how this can be used to customize a nuclei template for recon?

@chris001

how this can be used to customize a nuclei template for recon?

https://github.com/projectdiscovery/nuclei#usage

@honphilemon

OK, noted. Please enlighten me: what would be the HTTP method and the path?
Thanks

@chris001
chris001 commented May 16, 2022

The Python proof-of-concept code has full details on the HTTP method and path.
However, you should probably just try to detect Webmin and the version number of Webmin, and if the version number is within the range of versions that has this vulnerability, then you've got a positive hit: you found one!

@chris001

You can use this one to find Webmin admin login pages, but to really find a vulnerable version, you'd have to do more.
Since Webmin doesn't expose its version number on the admin panel login page, AND this vuln requires the Webmin admin to create a normal non-privileged user account for you, you'd need to find a creative way to obtain the version number, such as fingerprinting the exposed, publicly accessible unauthenticated HTML pages and the CSS and font library versions and comparing them to the versions distributed with the vulnerable versions of Webmin, to get a good guess at which version of Webmin this is. It might not be a perfect method, but it's 99% close enough and as good as you could do without further communication with the admin of that Webmin server to check the actual Webmin version number it's running. This is how I'd do it.

@chris001

FYI, they assigned the number CVE-2022-30708!
https://cve.report/CVE-2022-30708
https://nvd.nist.gov/vuln/detail/CVE-2022-30708
https://www.cve.org/CVERecord?id=CVE-2022-30708

@esp0xdeadbeef
Author

Thank you so much @chris001.

@iliajie
Collaborator

iliajie commented May 20, 2022

@iliajie this seems to be an Authentic theme-specific bug. The problem is that the code in settings-editor_write.cgi just takes the file parameter as input without doing any validation that it's one of the legit paths established in settings-editor_read.cgi .

Jamie, this is true, and design-wise we must always treat any user input as unsafe. However, it was assumed that a file name coming from a root-capable user is always safe. The real problem is that the validation to test whether a user is root-capable or not failed, as the theme didn't use the Webmin API before to test that.

@esp0xdeadbeef Thank you for finding this bug! For future findings (if any), it would be preferable if you could first contact us privately at security@webmin.com and give us some time to fix the bug and release a new update. Luckily, this bug is specific to a Webmin safe user, which isn't part of the default configuration and must be set up first.

iliajie closed this as completed May 20, 2022
@jcameron
Collaborator

We are releasing a new version of Webmin now that includes a fix for this issue.

@esp0xdeadbeef how would you like to be credited for this fix?

@esp0xdeadbeef
Author

Hi @jcameron,
Thanks for all the work, but we didn't fix the vulnerability.
Could we get the credit for finding this issue, @V1s3r1on and me?

@jcameron
Collaborator

jcameron commented May 24, 2022

Sure, I will give you both credit for the find!
