Webmin is written entirely in Perl, without the use of non-standard modules. It consists of a simple web server and a number of scripts that tie the commands the user issues in the web interface to their execution at the level of the operating system and external programs. Through the web admin panel you can create new user accounts and mailboxes, change the settings of services, and so on.
The vulnerability is in the password recovery module. By manipulating the parameter old in the script password_change.cgi, an attacker can execute arbitrary code on the target system with superuser rights, which raises the suspicion that the bug is intentional. Even more suspicious: the problem is present only in the ready-made builds of the distribution from SourceForge, and not in the source code on GitHub.
The vulnerability received the identifier CVE-2019-15107.
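A mismatch like the one described above, between a packaged build and the published source, is what a file-by-file comparison of the two trees catches. The script below is an added example, not code from the original article or from the Webmin project; the function names and directory layout are assumptions, and the sample files are constructed placeholders.

```sh
#!/bin/sh
# Added example: report scripts in a packaged tree that differ from, or are
# absent in, a reference source checkout. Names and layout are assumptions;
# in practice PKG_DIR would be an unpacked package (e.g. dpkg-deb -x FILE.deb
# PKG_DIR) and SRC_DIR a checkout of the same release.

# diff_trees PKG_DIR SRC_DIR [NAME_PATTERN]
# Prints "DIFFERS path" or "NOT_IN_SOURCE path"; returns 0 only if all match.
diff_trees() {
    pkg=$1
    src=$(cd "$2" && pwd) || return 2   # absolute path, since we cd below
    pattern=${3:-*.cgi}
    report=$(
        cd "$pkg" || exit 2
        find . -type f -name "$pattern" | sort | while IFS= read -r rel; do
            rel=${rel#./}
            if [ ! -f "$src/$rel" ]; then
                echo "NOT_IN_SOURCE $rel"
            elif ! cmp -s "$rel" "$src/$rel"; then
                echo "DIFFERS $rel"
            fi
        done
    ) || return 2
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# make_sample_trees DIR: constructed placeholder files, not real Webmin code.
make_sample_trees() {
    mkdir -p "$1/pkg/sub" "$1/src/sub"
    echo 'print "same in both";'     > "$1/pkg/index.cgi"
    echo 'print "same in both";'     > "$1/src/index.cgi"
    echo 'print "reference";'        > "$1/src/password_change.cgi"
    echo 'print "altered in build";' > "$1/pkg/password_change.cgi"
    echo 'print "only in package";'  > "$1/pkg/sub/extra.cgi"
}

# Demo on the constructed trees.
work=$(mktemp -d)
make_sample_trees "$work"
diff_trees "$work/pkg" "$work/src" || echo "packaged tree does not match the reference source"
rm -rf "$work"
```

Any DIFFERS or NOT_IN_SOURCE line is a file to read by hand before the package is trusted.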
To demonstrate the vulnerability, we need two versions of the Webmin distribution kit – 1.890 and 1.920, since the test environments for them are slightly different.
To do this, use two Docker containers.
$ docker run -it --rm -p10000:10000 --name=webminrce18 --hostname=webminrce18.vh debian /bin/bash
$ docker run -it --rm -p20000:10000 --name=webminrce19 --hostname=webminrce19.vh debian /bin/bash
Now install the necessary dependencies.
$ apt-get update -y && apt install -y perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl nano wget python apt-show-versions
I had a problem with apt-show-versions (in the screenshot below).
The following commands help resolve it:
$ apt-get purge -y apt-show-versions
$ rm /var/lib/apt/lists/*lz4
$ apt-get -o Acquire::GzipIndexes=false update -y
$ apt install -y apt-show-versions
After that, download the corresponding distribution packages from SourceForge.
$ wget http://prdownloads.sourceforge.net/webadmin/webmin_1.890_all.deb
$ wget http://prdownloads.sourceforge.net/webadmin/webmin_1.920_all.deb
And install them.
$ dpkg --install webmin_1.890_all.deb
$ dpkg --install webmin_1.920_all.deb
Now run the Webmin daemons.
$ service webmin start
Version 1.890 is available on the default port 10000, and version 1.920 on port 20000.
It remains only to set a password for the user root using the passwd command, and the test environments are ready. We now turn to the details of the vulnerability.