ASA-2019-00511 – Webmin: Unauthenticated Remote Code Execution


Allele Security Alert

ASA-2019-00511

Identifier(s)

ASA-2019-00511, CVE-2019-15107

Title

Unauthenticated Remote Code Execution

Vendor(s)

The Webmin community

Product(s)

Webmin

Affected version(s)

Webmin versions 1.882 to 1.921

Fixed version(s)

Webmin version 1.930

Proof of concept

Yes

Description

Affected Webmin releases contain a vulnerability that allows remote command execution. The old parameter in password_change.cgi is subject to command injection.

Technical details

The vulnerability is in the &unix_crypt function, which checks the password against the system's /etc/shadow file. By adding a simple pipe command (“|”), an attacker is able to exploit this to execute arbitrary code.

    # Read shadow file and find user
    &lock_file($miniserv{'passwd_file'});
    $lref = &read_file_lines($miniserv{'passwd_file'});
    for($i=0; $i<@$lref; $i++) {
        @line = split(/:/, $lref->[$i], -1);
        local $u = $line[$miniserv{'passwd_uindex'}];
        if ($u eq $in{'user'}) {
            $idx = $i;
            last;
            }
        }
    defined($idx) || &pass_error($text{'password_euser'});

    # Validate old password
    &unix_crypt($in{'old'}, $line[$miniserv{'passwd_pindex'}]) eq
        $line[$miniserv{'passwd_pindex'}] ||
            &pass_error($text{'password_eold'});

    # Make sure new password meets restrictions
    if (&foreign_check("changepass")) {
        &foreign_require("changepass", "changepass-lib.pl");
        $err = &changepass::check_password($in{'new1'}, $in{'user'});
        &pass_error($err) if ($err);
        }
    elsif (&foreign_check("useradmin")) {
        &foreign_require("useradmin", "user-lib.pl");
        $err = &useradmin::check_password_restrictions(
                $in{'new1'}, $in{'user'});
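
A triage aid for defenders, added here as an example (it is not part of the advisory or of Webmin): it marks hosts whose Webmin version falls in the affected range above and flags recorded POSTs to password_change.cgi whose decoded old field contains a pipe. The record layout (method, url, body), the host names and the sample data are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Range taken from the advisory: affected 1.882 to 1.921, fixed in 1.930.
AFFECTED_MIN, AFFECTED_MAX = (1, 882), (1, 921)

def parse_version(text):
    """Turn '1.920' into (1, 920). Assumes the dotted numeric form used on this page."""
    return tuple(int(part) for part in text.strip().split("."))

def is_affected(version_text):
    return AFFECTED_MIN <= parse_version(version_text) <= AFFECTED_MAX

def suspicious_old_param(record):
    """Flag a POST to password_change.cgi whose decoded 'old' field holds a pipe.

    A real password can contain '|', so a hit is a lead to review, not proof.
    """
    if record["method"].upper() != "POST":
        return False
    if not urlsplit(record["url"]).path.endswith("/password_change.cgi"):
        return False
    # parse_qs percent-decodes values, so an encoded pipe (%7C) is caught too.
    fields = parse_qs(record["body"], keep_blank_values=True)
    return any("|" in value for value in fields.get("old", []))

# Constructed sample data (not from the advisory).
SAMPLE_HOSTS = {"web01": "1.920", "web02": "1.930", "web03": "1.881", "web04": "1.882"}
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "/password_change.cgi",
     "body": "user=alice&old=hunter2&new1=n3wpass"},
    {"method": "POST", "url": "/password_change.cgi",
     "body": "user=alice&old=x%7CPLACEHOLDER&new1=a"},
    {"method": "GET", "url": "/password_change.cgi", "body": ""},
]

def triage(hosts, requests):
    """Return (sorted affected host names, indexes of flagged requests)."""
    affected = sorted(h for h, v in hosts.items() if is_affected(v))
    flagged = [i for i, r in enumerate(requests) if suspicious_old_param(r)]
    return affected, flagged

if __name__ == "__main__":
    print(triage(SAMPLE_HOSTS, SAMPLE_REQUESTS))
```

Hosts reported as affected should be upgraded to the fixed version 1.930 named above; flagged requests need manual review alongside other evidence from the host.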

Credits

AkkuS

Reference(s)

Webmin 1.882 to 1.921 – Remote Command Execution
http://www.webmin.com/security.html

Webmin 0day remote code execution
https://blog.firosolutions.com/exploits/webmin/

Webmin 1.920 – Unauthenticated Remote Code Execution (Metasploit)
https://www.exploit-db.com/exploits/47230

Webmin <= 1.920 – Unauthenticated RCE
https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html

CVE-2019-15107
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15107

CVE-2019-15107
https://nvd.nist.gov/vuln/detail/CVE-2019-15107

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: August 19, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.