RCE and privesc on safe user

[esp0xdeadbeef]

We were RCE hunting on live stream, sorry for the poc.
https://github.com/esp0xdeadbeef/rce_webmin
https://www.twitch.tv/videos/1483029790

Please patch.

[jcameron]

Thanks, this does look like an issue that can be exploited if the admin has created a less-privileged user manually without using Virtualmin or Cloudmin.

@iliajie this seems to be an Authentic theme-specific bug. The problem is that the code in settings-editor_write.cgi just takes the file parameter as input without doing any validation that it's one of the legit paths established in settings-editor_read.cgi . This is unsafe .. we can NEVER trust any URL parameter ever!

Also, the code in settings-editor_write.cgi that checks get_user_level won't handle the case where the user was created manually in Webmin and just granted limited access to some modules.

[chris001]

Thank you 😃 for finding this @esp0xdeadbeef ! 🥂 🐮
Please 🙏 continue, find more! 👍 🖥️

[esp0xdeadbeef]

We requested a CVE for this vulnerability this is the reference, 1267786.
Could you acknowledge this?

[jcameron]

Thanks for the CVE!

[chris001]

Is this the form that the CVE reference should be entered into?:
https://docs.github.com/en/code-security/repository-security-advisories/creating-a-repository-security-advisory

[honphilemon]

Those any one have an idea, how this can be use to customize a nuclei template for recon??

[chris001]

how this can be use to customize a nuclei template for recon??

https://github.com/projectdiscovery/nuclei#usage

[honphilemon]

Ok noted. Please enlighten me what would be the http method and the path??
Thanks

[chris001]

https://github.com/projectdiscovery/nuclei-templates/search?q=webmin

[chris001]

The python proof of concept code has full details on the http method and path.
However, you should probably just try to detect webmin, and the version number of webmin, and if the version number is within the range of versions which has this vulnerability, then you got a positive hit, you found one!

[chris001]

You can use this one to find webmin admin login pages, but to really find a vulnerable version, you'd have to do more.
Since webmin doesn't expose its version number on the admin panel login page, AND this vuln requires the webmin admin to create a normal non-privileged user account for you, you'd either need to find a creative way to obtain the version number such as, fingerprint the exposed accessible unauthenticated public html pages and css and font library versions, compare to which versions were distributed with the vulnerable versions of webmin, to get a good guess at which version of webmin this is. It might not be a perfect method, but it's 99% close enough and as good as you could do without further communication with the admin of that webmin server to check the actual webmin version number it's running. This is how I'd do it.

[chris001]

FYI, they assigned number CVE-2022-30708 !
https://cve.report/CVE-2022-30708
https://nvd.nist.gov/vuln/detail/CVE-2022-30708
https://www.cve.org/CVERecord?id=CVE-2022-30708

[esp0xdeadbeef]

Thank you so much @chris001.